InterComponentWare Bulgaria

1
InterComponentWare Bulgaria

• 31 August, 2007
• Dimitriy Trifonov, Technical Lead, ICW Bulgaria

2
Pilot Project Bulgaria

• Introduction of Electronic Health Cards
• and e-Prescription Service
• General overview

3
Scope of the project

• Participants
• 7 GPs
• 4 Pharmacies
• National Health Insurance Fund
• Approximately 1000 patients (included in the
  patient lists of the listed 7 GPs)
• Infrastructure
• Network (including internet connection) between
  the NHIF and the different groups of MSPs
• VPN connections for the participants in the
  project
• Secure access to the relevant data
• Specific solutions related to e-card
  introduction
• Software applications CAMS, GP software,
  Software for pharmacies, Software for NHIF
  related information, Software for medical NTBA
  (ICW Connector), Software for Prescription server
• Hardware equipment Servers, connectors,
  routers, VPN concentrator, card terminals,
  workstations

4
Business processes and functionalities

• GP praxis
• Patient and GP authorization
• Access to patient data after automatic card
  update
• Checking the insurance status of patients and
  their assignment to the GPs
• Issue and signing of e-prescription
• Pharmacy
• Patient and Pharmacy authorization
• Access to prescription server and checking the
  prescriptions
• Notification with signature of the dispensed
  prescriptions to the server and in the patient
  profile
• NHIF
• Updating the patient lists and the insurance
  status of patients
• Reports of the dispensed prescriptions per
  patient or per pharmacy

5
Partners and responsibilities in the project

• 1. Main partners Cisco Systems and Kontrax
• 2. Responsibilities
• A) ICW the system integrator in the project
  and the main vendor of software solutions
  standard software and / or localized solutions,
  CAMS, SDK, Prescription SW, Medical NTBA SW
• B) Cisco Systems network and infrastructure
  for the project
• C) Kontrax - issue of e-cards, software
  integration to the GPs, training the medical
  services providers, services after delivery the
  system (maintenance)
• D) Other partners
• Oracle - licenses
• ASSystems - software integration to the
  Pharmacies
• Libra AG - software integration to the Pharmacies
• Sagem Orga - cards

6
E-card project general overview of the project
7
Medical NTBA (ICW Connector)

• SDK to Connector uses HTTPS, HTTP over a TLS
  (Transport Layer Security) protected channel to
  encrypt all traffic
• Card Terminals to Connector and vice versa uses
  TLS
• Connector to backend services uses TLS with
  client and server side authentication (so both
  the connector through the use of the physician's
  card as well as the server must prove to one
  another that they have valid certificates to
  prove their identity)
• Connector
• Network Level the connection to backend systems
  is encrypted via two VPN tunnels. The first one
  is an IPSec tunnel with certificates and the
  second one is a L2TP tunnel with
  username/password authentication against a
  RADIUS-Server in the backend (reachable via the
  first IPSec tunnel).
• Application Level the connections to backend
  services are SSL encrypted and transmitted to
  backend via the above mentioned VPN tunnels on
  network level
• All prescriptions and dispensations must be
  signed electronically by the physician,
  respectively the pharmacist using
  cryptographically strong digital signatures.
  Unsigned prescriptions and dispensations will not
  be stored on the card or backend services.

8
Trusted Viewer

• Connector to Trusted Viewer TLS Session (TV
  acting as server, IP address port are
  configured in the connector's web admin)
• displays list of documents that will be signed -
  user can (de-) select individual documents
• displays information on the certificate(s) used
  for signing
• user can display each (X)HTML document itself
  before signing

9
e-Prescription Server

• Connector to backend services uses TLS with
  client and server side authentication (so both
  the connector through the use of the physician's
  card as well as the server must prove to one
  another that they have valid certificates to
  prove their identity)
• Connector to prescription server connections are
  tunneled over a VPN which uses a L2TP tunnel
  within an IPSec tunnel for encrypting all traffic
  (again)
• Each access to the prescription server is audited
  in a separate database to allow full auditing

10
Insurance Card Module (ICM)

• The ICM contains two components which are called
  CRP and CSM.
• CRP (Card Request Processor)
• The Web UI that the CRP exposes uses HTTPS (with
  TLS) to encrypt all traffic.
• The Web UI access is restricted (the Apache
  authentication functionality is used to prohibit
  access to individual files or directories and
  which is used to secure the interface.
• The CRP has no other channels to the outside
  world.
• CSM (Card Sync Manager)
• The CSM uses HTTPS (with TLS) to communicate with
  the connector
• The CSM establishes a secure (encrypted) channel,
  over HTTPS, with the card that is being updated
  as an additional layer of security.
• The card specific SK.VSDD will be generated in
  time while an update is requested and the card
  contacts the field system. So that key is not
  stored within the database.

11
Cards

• SagemOrga eHC5 are used within the Bulgarian
  Pilot Project. These cards allow the following
  security features
• Key generation on card
• User Authentication
• Secure Messaging
• Multiapplication Firewall
• Advanced access rules compliant to ISO 7816-9
• Digital Signature

12
Check patients contract data
1. Request patient data
2. Transfer patient data
3./ 7a. Presenting patient data
7b. Update contract data
Patient
4.Requests valid Patient data
6. Transfer valid patient data
5. Forward request to validate patient
data
Physician
8. Checks patient insurance status

• Patient data
• Patient name
• -Patient address
• -Insurance status
• -Patient assignment

13
Create an ePrescription
1a. Successful authorization by Physician
1b. Successful authorization by Patient
2. Create ePrescription
Physician
Patient
3. Transfer ePrescription
4. Sign ePrescription
Prescription Info - Prescription ID - ..
5a. Store signed ePrescription on
server
5b. Store ePrescription INFO on patient
card
5c. Print ePrescription for the patient
14

• QUESTIONS?

15
Thank you for your attentionfor additional
informationplease contactDimitriy.Trifonov_at_icw-
global.com