el Credent- alssecure identity solutions

~•

Personal identity in the health sector

by Ralph Adam, freelance editor, communications & IT

"I'm just a waste of time and I can't tell what I'm good for" (From: I Think, Therefore I Am by A Moment's Worth, 2007).

Can I be you?

What is personal identity? That is 0 question which has puzzled

philosophers and social psychologists for centuries, ever since

Rene Descartes coined his famous tag Cogito ergo sum ("I think,

therefore lam"): does the fact that I exist, in itself, prove that I

con think and hove 0 permanent existence, os opposed to

'something' having different thoughts os moments change?

Consideration of what is meant by 'identity' is important for the

supply of personal services: we talk glibly of issues such os

'identity theft' without analysing what they mean. For example,

is it really possible for my 'identity' to be stolen? Or ore we, in

fact, talking about 'impersonation'? If I go on 0 phishing trip

and land your credit cord details in order to enjoy 0 shopping

spree - does that make you 0 victim of identity theft, or do you

become someone who has hod their cord details copied illicitly?

There ore many occasions when we impersonate others

legitimately or otherwise. Perhaps, pretending to be someone

else for fun. For actors, it is port of the job: spending on

evening os Henry V or Elvis Presley does not make them guilty

of stealing the King's identity! Similarly, if I enter 0 hospital

wearing 0 white coat and insist on doing 0 word round (os

someone did recently) or if I come from 0 poor country claiming

to be 0 local resident to obtain high-quality medical treatment

(possibly, using 0 stolen health card) does that make me on

identity thief? Or on impersonator?

When we refer to medical 'identity theft' we ore talking about

gaining access to medical services, money or goods through

the unauthorised use of someone's personal information, such

os their name, health insurance or social security number,

without their knowledge or permission.

74 ID c RED ENT I A L S I w w w 9 lob 0 I s n' 0 r I (0 m

What is a health service?

In discussing security in health services, we need to consider the

needs of 011the different user-groups within the system and

examine their features.

The key element of 0 health service is, of course, the patient.

Patients expect on ultra-high quality service to be provided at

little or no cost (and prefer their own financial transactions to

be handled invisibly); they anticipate treatment in clean, well-

run surgeries, clinics and hospitals by highly-prafessianal staff

who never make mistakes. They also expect perfectly-organised

record-keeping.

The second element is the staff - family and hospital doctors,

medical specialists, associated professionals, such os dentists,

opticians, pharmacists and radiographers, therapists, nurses,

midwives, information professionals, (such os librarians),

administrators (including receptionists and secretaries),

domestic staff: the list is long. Yet, 011must contribute to ensuring

o clean, efficient and secure environment. Privacy is very

important os is the need to provide on error-free service.

Confidential information must travel between 0 range of

professionals; medical records ore particularly sensitive and

everyone involved must be authenticated at every stage. This is

increasingly achieved through the use of public key

cryptography (PKI) with digital signatures and secure payment

methods.

The third element consists of the medical establishments.

Dealing with pharmacists, dentists or genera) practitioners is

relatively simple. Hospitals, however, ore not only physically

complex, but administratively and structurally complicated, too.

Increasingly so. Yet, they also ploy the most important port in 0

health service.

Other features include notional insurance systems (which

control the financial, managerial and administrative sides of the

service), the private insurance companies responsible for

reimbursing those costs not covered by the state and (perhaps,

the most powerful, but not often taken into account) the

governmental agencies, ministries and quangos that set the

rules and create operational parameters for the service.

Modern health services need increasingly to be supported by

strong authentication methods to verify that everyone involved

in the supply or receipt of health core is who they soy they are.

Hello, I'm your doctor ....

Virtually 011 governments aim to provide the highest-possible

level of universal health core, with continuous development in

medicine and technology. However, to achieve this it is olso

necessary to hove competent management. And one aspect of

health management is to ensure that expensive treatment is

received only by those who ore entitled to it. This requires the

application of new forms of technology, with many approaches

being tried - from electronic prescriptions and patient records

to telemedicine, smart cards and digital signatures, and even

implanted radio-frequency identification (RFID) chips,

supported, of course, by readers, terminals and other hardware.

The expectation that treatment will be reasonably-priced (or

free), as well as safe and efficient is a difficult aim to meet in

countries, such as Germany, where the administration and

management are cumbersome and bureaucratic. However, the

cost of providing good health services, in a challenging

economic environment, is rising everywhere as people require

more (and increasingly expensive) treatment during longer life-

spans. It is the rising cost of treatment, plus variations in its

quality between countries, that has led to an upsurge in identity

'theft'. This is becoming an important issue: unqualified people

posing as practitioners or foreigners claiming entitlement to free

services are just two examples.

While the British health services are built on the principle of

providing comprehensive care based on clinical need, not

ability to pay (but with hospital charges for non-residents), press

reports suggest that, in England, 'health tourists' currently owe

£40m. for treatment (with one London hospital group reportedly

owed over £8m.): much of this is written off, while other debts

are left unrecorded. A BBC television progromme revealed a

black market serving foreign patients keen to buy their way on

to doctors' lists. Concern about entitlement to treatment is on

the increase, especially in countries where costs are high and

where insuronce companies devise ever-stricter techniques to

cut reimbursements.

This is a particular problem in the US, with ,its fragmented (and,

in some States, old-fashioned) system. That is despite the

existence of the strictly-enforced Federal Privacy and Security

Rules under the HIPAA (Health Insurance Portability and

Accountability Act) specifying administrative, physical, and

=---J _ www q l o b o l s rn c r r om I ID CREDENTIALS 75

1010110101 1

1101101

110) 1 01 q L_~-..cl£:>o,e:.....--'

Erika MU5terma~~23456789106415300 :-_--,.,.. vers1<he""'9"'----""'.--

technical safeguards to ensure the confidentiality, availability

and integrity of electronic health information.

Medical information differs from other forms of personal data

in that, once it has been compromised or has fallen into the

wrong hands, that loss cannot be reversed. It is easy to see that

such fraud con hove devastating effects - the consequences con

be fatal or, in lesser cases, victims may be affected for the rest

of their lives. A patient whose medical record is replaced by

someone else's could be put in danger if they receive the wrong

treatment or ore given inappropriate drugs. In addition, they

may suffer financial loss if they, or their insuronce company, is

billed for another person's treatment. Damaging reputational,

financial and legal consequences con also follow for hospitals

or doctors if patients ore wrongly treated. Medical records

(especially electronic ones) contain highly-sensitive personal

information and require the highest levels of accuracy and

integrity - supported by the strongest authentication. That

implies strict access controls. Electronic tronsactions depend on

on individual's proof of identity and right of access to data,

whether in person or remotely. To protect electronic healthcare

systems, it is necessary both to verify the identity of anyone

requesting access to sensitive medical data and to determine

that person's access rights. We must know with certainty to

whom we ore entrusting our private information.

" Transaction records, including those forstaff, patients, prescriptions, finance andaccess, form another area that is crucial forthe security of health services. Their existencealso implies the need for the creation ofeffective security layers similar to thoseneeded for bank cards and near-fieldcommunication (NFC). "

... or your new patient!

One US doctor, Sean Scorvo, who writes 0 regular blog,

suggests that 0 significant proportion of the patients seen by

casualty departments use fraudulent or stolen identities. He

claims that, while some ore there to receive unauthorised health

care, others try to obtain drugs either using another person's

'identity' or a mode-up one, with the result that individual

hospitals ore losing between $750,000 and $3m. annually. This

is supported by figures from official US bodies suggesting that

3% of 011 health core spending is lost to fraud each year, with 0Harris Interactive poll estimating that nine million adult

Americans, or four per-cent of the population, believe they or

o family member hove lost confidential personal medical

information or suffered from information theft.

For Scorvo, the most intractable problem relates to drug-

seeking: patients have used the addresses of, for example, local

grocers' shops (showing receipts os evidence) with the truth

being discovered only after shop-keepers complained about

76 ID c RED ENT I A L S I w w w 9 ') b 0 S m 0 ri, "

unexpected bills! Further examples include people who are well-

known to hospital staff, yet claim never to hove been treated

before (and use hitherto unknown names and addresses) or

others who, having 'stolen' friends' personal details, do things

like adding blood to their urine in order to demand treatment

for kidney stones.

The electronic backbone

The technology must guarontee confidentiality for patients and

staff, os well os ensuring that records cannot be altered or

repudiated so as to maintain their integrity. Health services are,

by their nature, complex and each user group (patients, service

suppliers, professionals and administrators) requires a different

level of identification and authentication.

Tronsaction records, including those for staff, patients,

prescriptions, finance and access, form another area that is

crucial for the security of health services. Their existence also

implies the need for the creation of effective security layers

similar to those needed for bank cards and near-field

communication (NFC). Countries with sophisticated large-scale

electronic record systems (such as France, Germany and

Taiwan) have taken different approaches to security as well as

the necessary software and terminals. It is useful to compare

some of the strategies used. Here are three large-scale

examples of developments in Europe that are based on secure

transactions technology, focused on the management of

financial flows:

Electronic health services in practice

France is considered to have Europe's highest-quality health

service and the most sophisticated smart-card technology

(deployed in health care since the early nineties). SESAM-Vitale

is 0 service aiming eventually to become poperless. Around

300,000 professionals participate in it, with the insurance side

handling 1,000m. refund claims annually.

At the its heart of the system are two cards: patients receive the

Carte Vitale 2, a second-generation chip card containing health

and insurance data for the holder and his or her dependents. It

includes enhanced security features, such as a new operating

system, cryptographic capabilities and enhanced memory.

Eventually the card will hold health and insurance data, as well

as prescriptions, with administrators and health professionals,

including pharmacists, having readers. Vitale 2 is key to the new

Personal Health File ("dossier medical personnolise"] and

numerous potential applications ore also linked to its IAS

(Identification, Authentication, Signature) features.

For health service staff, there is a Carte de Professionnel de

Sonte (CPS): a contactless code-protected electronic identity

card, with strong authentication, containing the holder's

personal details (including electronic signature), profession and

specialism as well as his or her workplace details. It provides

for the transmission af treatment forms to insurance providers,

the creation, revision and consultation of patients' records, has

telemedicine features and gives secure access to messaging

services.

Germany, too, has recently intraduced a second-generation

electranic health cord with secure authentication: the

Elektranische Gesundheitskarte. This replaces the five-year card

in use since the early nineties and is tied to insurance

companies. As well as a photo, it carries basic personal details.

With the patient's consent, additional information can be

stored, such os emergency data and medicines, allergies or

drug intolerance. In the future, the card will facilitate the

exchange of information. Its chief benefits include the prevention

of unnecessary medical examinations and the online updating

of administrative data.

Following a crisis in the health service and a change of federal

government in the autumn of 2009, the whole of the German

e-health infrastructure, including the e-cord project, was

reappraised with 0 stronger emphasis on security and

confidentiality. As 0 result, specific responsibilities were given to

individual organisations, such os insurance companies, with key

elements now being the anline verification of patients' insurance

status, and ensuring that insurance information is up-to-date -

this includes the data set of the European Health Insurance

Card (EHIC). Planned additional features include on

emergency-care data-set for patients as well os facilities for

direct communication between doctors (electronic discharge

information). Plans for electronic prescriptions have been

delayed by the health ministry until it is satisfied by the level of

data-protection. Plans for the development of telemedicine

services have also been announced. In 2010, the Federal

Ministry of Health launched an "e-heolth-initiotive", uniting key

players in the healthcare system: doctors, insurers, the

Fraunhofer Gesellschaft (Europe's largest application-orientated

research organisation) and other relevant bodies.

Estonia is 0 small EU member state (population 1.3m.). It is

one of the most wired and high-tech societies, where electronic

services (branded E-Estonia) ore the norm (mobile phone

payments for parking have been commonplace for many years,

digital administrative services are considered standard, voting

is done over the web, legal documents can be signed using

mobile phones and over 95% of the population is claimed to

use internet banking); Skype was invented by Estonian

developers. At the base is 0 compulsory digital ID cord (the

primary document for the purposes of personal identification),

containing two certificates: one authenticates identity, the other

renders a digital signature.

Estonia uses a medical information system allowing residents to

view their own medical histories. The digital prescription service

was introduced in 2010, replacing the need for patients to carry

paper documents (which were easily lost and might contain

illegible doctors' handwriting!) to the pharmacy. All prescriptions

are sent to a central database from which the pharmacist

downloads the details.

The system contains information on diagnoses, doctor's visits,

tests, hospital treatments and discharge letters, prescriptions,

and much more. It is compulsory for medical professionals to

add information to the database; authentication is confirmed

using the ID card. The service is accessible only to licensed

professionals, while patients (who con access all their medical

data, such as discharge letters, ambulatory care summaries and

test results as well os on-line booking services, through a

hospital information portal called I-patient) have the right to

block access to their data. Patients can also state their

preferences and intentions or view logs to see who is accessing

their files. They do not, however, have the right to opt-out of

having their data added to the central information bank. All

attempts to view health care data ore also monitored by the E-

health foundation which takes instant action if unlawful access

to the data is suspected.

A single digital health community?

In each of the cases mentioned, the complexity of electronic

health services is recognised as new applications are

developed: terminals and readers provide an essential security

layer to meet the needs of each function, ensure seamless

integration within work flows and guarantee security and

confidentiality for both professionals and patients.

Several EU projects are contributing to the development of 0

secure cross-border health system - for example, SSEDIC

(Scoping the Single European Digital Identity Community - a

thematic network for the Digital Agenda for Europe), STORK

2.0 (Secure Identity Across Borders Linked 2.0 - aimed at

creating a single European electronic identification and

authentication area while promoting the uptake of electronic

identity management) and the ClP-ICT PSP (the ICT Policy

Support Programme for the Competitiveness and Innovation

framework Programme) which is intended to ensure the

interoperability of electronic health systems both across and

within Member States in order to de-fragment the market.

Yet, many questions remain unanswered. For example, what is

the role of biometrics in health care identity verification - will

patients and staff accept its use? We have learnt recently that

in English hospitals many staff are unwilling to go through

identity checks on foreign-born patients before treating them.

This leads to questions of human rights: is it discriminatory to

charge 0 'health tourist' for services that would be provided free

to 0 resident? And does such discrimination encouroge fraud?

Assuming, of course, that we 011 hove personal identities!

For further information email: sd324@hotmail.co.uk

w w w gob 0 I s m 0 r t C 0 m I I 0 C RED ENT I A L s 77