Plan for the Establishment and Operation of the Healthcare Certification Authority

1
Plan for the Establishment and Operation of the
Healthcare Certification Authority

• Shyu, Charng-Er
• Information Management Center
• Department of Health
• Taiwan, R.O.C.
• 01/24/2005

2
Report Outline

• 1. Project Overview
• 2. Four types of HCA-issued cards
• 3. Membership Roster of HCA
• 4. Rules and regulations on the RA RAO
• 5. Certification Specifications
• 6. Operational Status of HCA
• 7. Certification IC card issuance for medical
  care personnel
  
• 8.Registration Authority Operators (RAO)
• 9. Applications of Healthcare Certification IC
  Cards
  
• 10. Related Regulations
• 11. HCA Legal Basis
• 12. Budget

3
1.Project Overview (1/4)

• Project Origins
• In view of the rapid development of the medical
  information environment, healthcare institutions
  are also actively implementing plans to switch
  from paper to electronic medical records and
  computerize healthcare procedures and hospital
  management. The goal of these plans is to
  increase the quality and effectiveness of medical
  care and reduce the cost of healthcare
  management.

4
1. Project Overview (2/4)

• Project Basis
• The Executive Yuan Research, Development and
  Evaluation Commissions E-Government Electronic
  Certification Services Conference resolution
  item All governing bodies shall provide
  electronic license or electronic certificate
  certification services. (11/13/2000)
• In accordance with the Knowledge Economy
  Development Practical Implementation Project
  passed by the Executive Yuan in 2001 (No.
  006016), the DOH received approval for the active
  promotion and implementation of the sub-project
  Online Health Services Promotion Plan
  (1/29/2001). The Healthcare Certification
  Authority Plan is one of the subplan.
• By order of the Executive Yuan (No. 0910080314),
  the Electronic Signature Act went into effect on
  April 1, 2002.

5
1. Project Overview (3/4)

• Project timeframe 2002.8.12005.12.31
• Project content the setup of software, hardware
  and operating environments, the drafting of
  operational procedures and standards, the
  establishment of certification IC card production
  and distribution services, promotion of
  certification usage and the provision of related
  training courses, and the maintenance of the
  services and security management of HCA.

6
1. Project Overview (4/4)

• HCA goals
• Providing e-healthcare certification services,
  establishing an electronic signature mechanism,
  and creating a secure environment for the
  exchange of healthcare information within the
  healthcare system.
• Assuring the confidentiality, integrity, identity
  verification, and non-repudiation of electronic
  healthcare information
  
• To facilitate the sharing of information, HPC
  capabilities will be added to physicians medical
  personnel certification IC cards.

7
2. The four types of HCA-issued cards (1/3)

• 1. Healthcare Institutional certification IC
  cards
  
• Serve as electronic representation of the
  institutions corporate actionslike a corporate
  seal.
  
• Provide encryption and signatures for electronic
  documents, online birth reporting, etc.
  
• 2. Healthcare personnel certification IC cards
• Serve as electronic representation of medical
  personnels personal behaviorlike a specimen
  seal (i.e. personal electronic signature).
  
• Limits access to NHI IC Card information (only
  doctors have access), medical records signatures.

8
2. The four types of HCA-issued cards(2/3)

• 3.Auxiliary certification IC cards for healthcare
  institutions
  
• In order to cater to healthcare institutions that
  have multiple application systems or single
  systems with multiple administrators, and thus
  have the need to use multiple certification cards
  simultaneously, auxiliary certification IC cards
  shall be issued with functions identical to the
  original card.
• The DOH began accepting applications from medical
  centers for temporary card usage on December 29,
  2004. After the fee rules have been ratified, the
  DOH will begin collecting fees from applicants.
• Auxiliary Certification IC cards shall be
  controlled by healthcare institutions, with
  management guidelines to be established by said
  institutions.

9
2. The four types of HCA-issued cards(3/3)

• 4. Temporary Certification IC cards for doctors
• These cards are for use by doctors who are
  temporarily unable to access NHI IC cards using
  their physicians Certification IC Cards.
  
• In the case that cards are lost, damaged, left at
  home, or when codes are forgotten.
  
• Cards have HPC functions, but no HCA functions
  (signature).
  
• The DOH began accepting applications from medical
  centers for temporary card usage since December
  29, 2004. After the fee rules have been ratified,
  the DOH will begin collecting fees from
  applicants.
• Temporary Certification IC cards should be
  controlled by medical care institutions, with
  management guidelines to be established by said
  institutions.

10
3. Membership Roster of HCA(1/3)

• CA membership diagram

CA
Card-issuing Center
11
3. Membership Roster of HCA(2/3)

• CAcertification authority
• Responsible for issuing certification IC cards.
• RA/RAOregistration authority / registration
  authority operator
  
• Responsible for certification registration,
  applicant identity checks, and related
  certification services (application,
  cancellations, extensions, card decryption,
  etc.)
• Repository
• Posting of CA certifications, confirmation of
  certification users, posting of certificate
  revoked list (CRL), drafting of Certification
  Practice Statement (CPS), etc.
• Card-issuing Center
• Responsible for producing and issuing cards.

12
3. Membership Roster of HCA(3/3)

• Subscribers
• Certification users
• Certified healthcare staff and licensed
  healthcare institutions, holders of healthcare
  certification IC cards
  
• Relying Party
• Parties that recognize and place trust in holders
  of CA-issued certification cards.

13
4. Rules and regulations on the RA RAO

• The RA is responsible for stipulating the
  detailed procedures concerning the registration
  of certified users and the authentication of
  their identities, in accordance with the
  processes concerned with applications from
  certified users, as well as with the inquiry and
  the cancellation of the certification process.
• During the application process, RAO personnel
  will authenticate the applicants identity and
  documents in accordance with the procedural
  guidelines.
• Public health bureaus nationwide will be
  authorized to serve as RAOs to carry out a wide
  range of services as mentioned above in the
  implementation of the RAs onsite application
  processes.

14
5. Certification Specifications

• The issuance of X.509 V3 format certifications,
  which include the name of the user, the public
  key, the issuer, the effective date and the
  expiration date among others.
• Using the RSA asymmetric encryption algorithm,
  the length of a certification users key is 1024
  bits, while the length of the key using the CA is
  2048 bits.
• Additional remarks
• The RSA asymmetric encryption algorithm
  This is a patented encryption algorithm developed
  by three Massachusetts Institute of Technology
  (USA) scholarsRivest, Shamir and Adleman.
• The length of the key The key is composed
  of randomized bits. The longer the bits, the
  longer and more secure the key (i.e. the key will
  be harder to decipher).

15
6. Operational Status of HCA

• As of December 31, 2004, 97,163 certification IC
  cards have been produced and issued, including
  
• 86,057 IC cards for medical care personnel
  (including 45,417 cards for doctors)
  
• 11,106 IC cards for medical care institutions
• The service hotline 0800-364422 (3 lines) is
  available for further inquiries.

16
7. Certification IC card issuance for medical
care personnel(1/2)

• Doctors (including practitioners of Western
  medicine, Chinese medicine, and dentistry)
  
• The HCA took the initiative to send application
  forms to these doctors nationwide (August
  2003December 2003)
  
• Reply forms have been received and 35,023 cards
  have been issued
  
• In accordance with the value-added NHI IC card
  mobilization plan, application forms were further
  sent to doctors who have not yet completed the
  application (Oct. 19, 2004)
• Reply forms have been received and 10,394 cards
  have been issued

17
7. Certification IC card issuance for medical
care personnel(2/2)

• Certification IC card issuance for medical care
  personnel
  
• Applications were opened to other medical care
  personnel during the period of Mar. 2004Dec.
  2004)
  
• 51,666 cards were issued, in accordance with the
  2004 plan, to other medical care personnel (with
  doctors applications still ongoing).
  
• 80,614 reply forms from other medical care
  personnel have been received, and 40,640 cards
  have been issued (the remaining cards will be
  issued in 2005).

18
8. Registration Authority Operators (RAO) (1/ 3)

• Registration Authority Operator (RAO)
• RAOs are certified registration windows
  authorized by the Healthcare Certification
  Authority (HCA)
  
• In accordance with the Government Public Key
  Infrastructure Certification Policy assurance
  level guidelines, the HCA provides Assurance
  Level 3 certification services. The applicant or
  his/her agent must complete the application in
  person.
• There are 79 RAOs in Health Bureaus nationwide,
  and Health Stations in Taipei and Kaohsiung City,
  as well as Taipei County.
  
• RAOs supervise the onsite identity authentication
  of medical care personnel or institutional
  applicants.
  
• Schedule for full implementation of RAOs will be
  in March 2005.

19
8. Registration Authority Operators (RAO) (2/3)

• RAO Project Tasks include
• Application and re-issuance of certification IC
  cards
  
• Extension, cancellation, and key recovery
  (institutional cards) of certification cards.
  
• Medical care certification IC card decryption
  services.
  
• Project Guidelines
• Healthcare Certification IC Card Issuing and
  Management Guidelines (draft), Registration
  Authority Operator operating procedures overview
  (draft), and other guidelines for RAO personnel.

20
8. Registration Authority Operators (RAO) (3/3)

• RAO Operating Procedures

21
9. Applications of Healthcare Certification IC
Cards (1/7)

• Benefits
• Provides confidentiality, integrity,
  authentication and non-repudiation of relevant
  information.
  
• Electronic medical records signed in accordance
  with the system policy do not have paper
  counterparts. This saves substantial time for
  accessing and transferring medical records, and
  maximizes human resource deployment, paving the
  road towards a paper-free environment.
• Access to healthcare resources can be monitored,
  ensuring the privacy of patients.
  
• Safety can be ensured for the transfer of medical
  information, reducing the possibility of waste in
  healthcare resources, and provide patients more
  convenience in receiving medical care.

22
9. Applications of Healthcare Certification IC
Cards (2/7)

• Electronic medical record exchange
• Facilitates sharing of healthcare resources and
  the implementation of patient referral systems
  
• Medical record index center
• Ensure the confidentiality of the information,
  its integrity, and the authentication of the
  identities of both parties involved in the file
  exchange
• Healthcare Information Systems
• HIS, PACS, RIS and other medical record
  electronic signature applications
  
• Intra-hospital medical personnel ID
  authentication applications

23
9. Applications of Healthcare Certification IC
Cards (3/7)

• Healthcare Project Applications
• The application of Online Birth Reporting System
  for medical care institutions.
  
• Plans for convenient online services for the
  general public
  
• Department of Health online services for the
  general public (with single sign on identity
  authentication using medical certification)
  includes online application of license for
  medical personnel, healthcare institutions, or
  healthcare advertising online physicians
  support reporting, suicide prevention reporting
  or administrative penalties reporting, etc.
• Restricted access to NHI IC Card information
  (access limited to physicians with medical
  personnel certification IC cards).

24
9. Applications of Healthcare Certification IC
Cards (4/7)

• The example of the intra-hospital HIS system
• Situations requiring the production of
  signatures
  
• Upon the completion of the doctors diagnosis
• Upon the registration of reports by medical lab
  technologists
  
• Upon treatment by nursing personnel
• All situations that currently require the signing
  of forms by physicians and medical care personnel
  shall require electronic signatures in the
  future.

25
9. Applications of Healthcare Certification IC
Cards (5/7)

• Situations requiring the authentication of
  signatures
  
• When medical disputes arise, and higher
  authorities order to send relevant medical
  records
  
• When insurance companies request medical records
  (with the patients consent)
  
• When the patient or the patients legal proxy
  files for medical record copies
  
• Other situations that reasonably require printing
  of medical records

26
9. Applications of Healthcare Certification IC
Cards (6/7)

• Electronic medical records flow chart

2
Test the chapter
1.Obtain public key 2.Utilize public key to aut
henticate signature
Access of medical records
Electronic medical records
Signature
1
Utilize private key signature stored in the IC
card
27
9. Applications of Healthcare Certification IC
Cards (7/7)

• Electronic file exchange flow chart

1. Obtain and utilize hospital Bs public key for
encryption 2. Use private key in own IC card to s
ign
1
Public key of Hospital B
1. Obtain and utilize hospital As public key to
authenticate the signature 2. Utilize private key
in own IC card for decryption
2
The materials exchanging
Signature, Encryption
Hospital A
Hospital B
28
10. Related Regulations (1/2)

• Electronic Signature Act (promulgated on Apr. 1,
  2002)
  
• According to the law, paper-based documents
  should be preserved as they are, and if contents
  remain complete and available for future
  reference, then they may be converted into
  electronic form. (Article no. 6)
• Documents that are required by law to bear
  signatures may be converted into electronic form
  with the consent of relevant personnel. (Article
  no. 9)
• Certification institutions should provide
  Certification Practice Statement, describing
  operating procedures for certification
  institutions regarding general operations and
  authentication services, which are to be
  announced on the public website of the said
  certification institution for public viewing
  after its authentication, and will thereafter be
  available for certification services. (Article
  no. 11)

29
10. Related Regulations (2/2)

• The Healthcare Certification Authority
  Certification Practice Statement were verified
  and promulgated by the Department of Commerce,
  Ministry of Economic Affairs on June 6, 2003, and
  officially enable certification services.
• Medical Care Act (revised on Apr. 28, 2004)
  Healthcare institutions that produce and store
  medical records as electronic documents shall
  avoid producing paper-based copies of these
  records. Related conditions, means of production,
  content and other requirements shall established
  by the highest healthcare authority. (Article no.
  69).

30
12. Budget

• Total of funds used by HCA (Aug. 1, 2002Dec. 31,
  2005) 89,824,661 NT dollars, averaging an
  approximate 26 million NT dollars per year.