Smart Card Technology in Healthcare

1
Smart Card Technology in Healthcare

• Daniel L. Maloney
• Director, Emerging Technologies
• Department of Veterans Affairs, VHA
• Silver Spring, MD., U.S.A.
• daniel.maloney_at_med.va.gov
• http//www.va.gov/
• http//www.va.gov/card/

2
Overview

• Roles of a Card
• Security and PKI
• Major Events
• What is the VA doing?

3
(No Transcript)
4
Major Concepts

• Card functions as part of the System
• Works with the networked data
• As the Network improves, the location of the data
  can change
• Network means Local and World Wide Network
  (Internet)
• Continuum with Essential data on card
• Many applications can be supported
• What critical Business Problem do YOU need to
  solve?

5
Roles for a Card

• Multiple roles including
• Visual Identification
• Secure Storage for Keys, Data or Pointers to Data
  
• Enable portability of credentials and other
  private information between computers
• Isolate security-critical computations
• Electronic identification (Keys and certificates)
  for logical access, digital signature and
  physical access
• Electronic Payment - insurance or e-cash
• Two Keys /Cards Required model - patient and
  doctor cards to access data located either on the
  card or on the network

6
(No Transcript)
7
Major Trends

• The Web Changes Everything
• Customer Convenience /Humanize Interactions
• Electronic Service Delivery and EDI - saves time,
  money for corporation AND the customer
• Providers and patients interact from many
  locations
• Major obstacle - User authentication, Security
  and Privacy
• Major solution - Keys - Public /Private Key
  Infrastructure, encryption and Digital Signature
• Safely carry keys on smart card
• Multi-application cards reduce the cost per
  program
• Empower the User / User Opt In

8
PUBLIC KEY TECHNOLOGY

• Functions Provided
• Encryption
• Digital signature
• Advantages
• Public key is not secret, hence easier to
  distribute
• Each entity typically requires one key pair
  regardless of group size
• Can be used for source authentication
• Can be used for non-repudiation

9
PKI - BASIC PRICIPLES c

• A pair of related keys as opposed to a single key
• When either key encrypts, the other key decrypts
• The private key is closely guarded and never
  given out - PROTECT YOUR PRIVATE KEY
• The public key and who it belongs to are publicly
  available
• Each entity typically requires one key pair
  regardless of group size
• Functions include Encryption, Digital signature
  and Authentication

10
DEFINITION OF ENCRYPTION
Encryption
The process of taking a meaningful string of data
(cleartext) and converting it into an apparently
meaningless string of data (ciphertext).
Decryption
The reverse process of taking the apparently
meaningless string of data (ciphertext) and
converting it back into the original string of
meaningful data (cleartext).
11
CRYPTOGRAPHIC ALGORITHMS - PUBLIC KEY

• Public key used for encryption
• Private key used for decryption
• Public key is widely distributed
• Private key held closely by key owner
• Private key cannot be calculated from public key

Public Key
Private Key
12
Signing a Document
Requires
3
2
1
Copy of Electronic Document
Signature of Document Using Private Key
Message Digest
Message Digest Function
Digital Signature Engine
Using Private Key
Original Document
13
Verifying a Signature
Requires
Public Key (signer)
1
2
3
Copy of Original Document
Signature
Message Digest
Verification of what was signed and who signed
it

Message Digest Function
Digital Signature Engine
Using Public Key
14
Major Events

• French Patient Card
• French CPS Health Professional Card
• CardLink 9 Country Pilot Evaluation
• German Health Card
• Microsoft Expands Support for Smart Card Business
• Web Continues to Expand
• Security and Privacy are becoming a higher
  priority

15
French Health Patient Card - Vitale

• Vitale 1 being distribute now
• 42 million family cards distributed in one year
  as of 5/1999
• ID and Administrative data
• Smart card with operating system similar to M9
  used on French Bank card
• 5 million cards distributed per month from 4
  suppliers
• Role of Administrative Simplification and
  electronic based reimbursement system

16
The French Health Professional Card - Carte "CPS"

• 2 Pilots for CPS Health Professional Card
• CPS Health Professional Card with crypto chip to
  be distributed with a total of 300,000 cards
• Goals similar to patient card (simplicity,
  reliable information Confidentiality, limitation
  of frauds)
• Electronic Reimbursement
• Access key to the Healthcare Intranet
• Access key to the medical data set on the patient
  card

17
The French Health Professional Card - Carte "CPS
(contd)

• 50,000 Health Professional Cards distributed as
  of 5/1999
• 10,000 distributed each month
• currently being distributed to physicians.
• identification of healthcare provider, RSA public
  /private keys, PIN protected
• distribution to nurses, pharmacists, and
  hospitals next
• negotiations ongoing with health professional
  organizations

18
CARDLINK Project

• Portable Administrative, Emergency, Medical and
  Prescription Data - 100,000 cards
• User driven, supported by European Commission
• Interoperable European data set with language
  translation
• 10 sites in 9 countries include France Dublin,
  Ireland Germany Holland Spain Greece
  Portugal Italy Finland
• Demonstrate standards based card and reader
  interoperability with multiple manufacturers
• Measure usefulness in travel or emergency
  situations
• Begun in 9/1994, pilot to be completed in 1999
• Use of card is voluntary

19
Germany

• Germany has completed a project distributing 80
  million cards to all citizens during 1994 and
  1995, along with the reader/printer
  infrastructure
• Memory chip cards used for insurance
  identification.
• Printing of Health Insurance forms
• Options for electronic submission to insurance
  fund, eliminating paper and reducing insurance
  processing costs

20
G-8 Healthcare Data Card Project

• Members are Canada, France, Germany, Italy,
  Japan, United States (United Kingdom, Russia.)
• Two pilot areas were initially identified for a
  global project approach
• an international emergency card with an
  international harmonized emergency and
  administrative data set (CardLink Project)
• an international professional card that will
  allow the secure identification of healthcare
  professionals when accessing medical data and
  network services (NetLink Project, PKI)
• http//www.sesam-vitale.fr/Projects/Netlink-G7-En/
  

21
G-8 Healthcare Data Card Project

• Plans for Technical Interoperability - The
  functional goal is to allow data to be exchanged
  between different projects in multiple countries
  using equipment and cards from multiple vendors
• Multiple levels of standardization are required -
  Standard in areas of Nomenclature, Data Sets for
  emergency data, data sets for administrative
  data, and Standards related to various aspects of
  security
• More information and links at http//www.va.gov/ca
  rd/ and http//www.sesam-vitale.fr/Projects/Netlin
  k-G7-En/

22
NetLink Project

• The NETLINK project aims at establishing
  recommendations and technical specifications for
  
• Health Professionals to access to Patient Data
  Cards (free or controlled access to data stored
  in Patient cards)
• Health Professionals to securely exchange
  documents (including digital signature and
  confidentiality services)
• Health Professionals secure access to on-line
  servers
• Involves smart cards (used by Health
  Professionals and Patients), computers (used by
  Health Professionals, Hospitals, Health Insurance
  Funds), large networks, and Security
  architectures including data encryption
• France, Germany, Italy and the Province of Québec

23
What is the VA doing?
24
The Department of Veterans Affairs

• 27 Million Veterans and 43 Million dependents
• Nearly one-third of the nations population are
  potentially eligible for VA benefits, includes
  dependents
• Second largest of the 14 Cabinet departments
• Facilities in all 50 states, Washington D.C.,
  Puerto Rico and the Philippines
• Nations largest medical system with 159
  hospitals, 129 nursing homes, 35 domiciliaries
  and 362 outpatient clinics
• 58 regional Benefit offices providing monetary,
  disability, pension, educational and vocational
  rehabilitation benefits
• 13 million home loans, and the nations largest
  insurance programs
• 114 national cemeteries

25
Functions of VAs Public Domain Integrated
Hospital Information System (VistA / DHCP)

• Clinical and Administrative Support
• Clinical Results Reporting
• Order Processing
• Patients Medical Record
• Accounting and National Reporting
• Medical Care Cost Recovery
• Integrated Medical Images at pilot sites
• 80 Applications
• National Electronic Network for inter facility
  Communication

26
Department of Veterans Affairs - Patient Card
Upgrade

• Rollout began in Dec 1996, finished in April
  1997, Planning began in Dec 1993
• Upgrade cards from simple plastic embossed card
• New cards have printed and embossed
  information, magnetic stripe, bar code, black and
  white picture
• Function as identifier and carrier of small
  amount of information
• Speeds patient look-up on medical information
  system, allows mini registration
• Personalized at facility, 2.5 million cards first
  year
• magnetic stripe - date of birth, period of
  service and service related disabilities
• Enhancements are planned

27
The Veteran ID Card

• Photo Image
• SC Indicator
• Barcode
• Embossed Info
• Name
• SSN, DOB
• MAG Stripe
• 1-800 Number

28
Department of Veterans Affairs - Home Health
Care Initiative- Design Stage

• Store commonly needed data on card to improve
  communications between different home health care
  providers
• Always available to home health care provider
• Also to be used at Emergency rooms and health
  care providers offices
• Use of portable devices to read and update
  patient card
• Begin Summer of 1999

29
Department of Veterans Affairs - Lab Test of New
Technology

• Microsoft Smart Card for Windows Operating System
  (Beta now, projected release later in 1999)
• Workstation Development Tools
• ActiveX for Healthcare to transfer data
  bi-directionally between chip and VA VistA
  Medical Information System
• Shown at HIMSS in February 1999 in DataCard booth
  and CardTech 99 in May 1999 in DataCard and
  Microsoft booth

30
Department of Veterans Affairs - Pilot of Secure
Access from Internet

• Strong Authentication with smart card to control
  access from Internet to selected VA networked
  Resources
• Levels of Control by person, by target resource
  (system, directory, file or URL), and by protocol
• Pilot began in May 1998
• 60 users for telnet and web access
• FTP and Exchange delayed
• Plans to migrate to system that uses PKI
• Improving User Support

31
VA PKI Pilot

• Established VA wide project to investigate and
  implement VA PKI
• Steering Committee to advise project
• Participate on Federal PKI Steering Committee
• Drafting Decision documents and policy
• Initial Capabilities Demonstration
• Issuing VA Branded public keys / certificate
• testing secure electronic mail
• demonstration of PKI based access control
• demonstration of digitally signed forms and data
• supporting pilots

32
VA Electronic Purse

• Department of Veterans Affairs,
• U.S. Treasury, Nations Bank and Visa began an
  electronic purse pilot with smart cards
• Announced Phase 1 on Oct 20, 1997 at the Bronx
  Veterans Affairs Medical Center located in New
  York City
• Announced Phase 2 on Nov 24, 1997 at the Tampa
  Florida Veterans Affairs Medical Center
• 25,000 cards will be issued at Bronx and 23,000
  in Tampa
• Used by staff and patients

33
VA Electronic Purse

• Visa Cash in the hands of patients,
• physicians, visitors, volunteers and employees
• test numerous applications including
• combining identification badge and electronic
  purse
• vending machine acceptance
• integrated cash registers and terminals
• reloadable cards and
• cashless ATMs that transfer cash value onto
  reloadable cards, rather than distribute currency

34
VA Electronic Purse

• At the Bronx site,
• up to 4,000 reloadable cards used as
  identification badges.
• Approximately 10,000 cards issued for meal
  tickets, and
• 1,000 for personal patient checking accounts.
• The Tampa pilot also has a special purpose card
  to be distributed by Veterans organizations for
  special events hosted at the medical center
  throughout the year

35
Department of Veterans Affairs - VA / DoD
Multi-application Initiative- Planning Stage

• Reviewing Technical Interoperability Standards
• Reviewing Medical Emergency Data Standards
• Multi-application card
• Healthcare Functions - Identification of patient,
  data sharing and possibly electronic purse
• Select Site
• Select potential applications (registration,
  emergency, contract provider, access, finance)
• Select data fields (ID, Administration,
  Emergency, provider, treatment locations, keys
  and cash)
• Initiate Pilot in Summer or Fall of 1999

36
Summary

• National patient projects in Europe Germany,
  France, with plans in Spain, Italy and Quebec
• National Initiative for Health Care Provider Card
  in France
• Opportunities in administrative simplification,
  data transfer, improved security/ privacy, data
  access
• Multiple Chip Cards pilots in US HPP, Secure
  Telemedicine, Oklahoma, DoD MARC
• The use of chip cards are gradually becoming more
  common in North America
• Secure access and communications - NETLINK
• Next - Patient uses keys of smart card to control
  access to their record