22
CEF eID SMO The use of eID in eHealth eHealth Network meeting 7 June 2016 Amsterdam
#43C2CB
#9DE7EE
#0297A5
67 194 203
157 231 238
2 151 165
HEX RGB
# 646567 100 101 103
COLOUR PALETTE
TEXT COLOUR
HEX RGB
# FFFFFF 255 255 255
#43C2CB 67 194 203
CEF eID SMO The use of eID in eHealth eHealth Network meeting 7 June 2016
Amsterdam
Agenda
Introduction to the study
Introduction to eIDAS Regulation and CEF eID
Identification/ authentication for eHealth
use cases
Examples of MS experience
Introduction to the study
Why, what, when, where?
The use of eID in eHealth
How?
• epSOS , OpenNCP, Expand, STORK 2.0, eSENS eHealth pilot, JAseHN
Experience from previous/ongoing
initiatives:
• AT, FI, EL, IT, LU, PT, SE Selected countries
with relevant experience
• OpenNCP, eSENS eHealth pilot, JAseHN
Collaboration with:
• DG SANTE
• eIDAS Task Force/DG DIGIT Directed by
How?
eHealth & eIDAS Bringing the two worlds together!
Timeline
Introduction to eIDAS and CEF eID
• Legal framework
• Benefits
• Current situation in MS
Introduction to eIDAS and CEF eID Legal framework
• eIDAS Regulation established a legal framework and trust model for the mutual recognition of notified nationally supported eIDs across borders
By Sep 2018 public administrations who offer services that require online authentication must accept (subject to conditions) notified eIDs from other Member States
This will include public eHealth services
CEF eID: CEF provides software and support services; financially supports the deployment in MS
Introduction to eIDAS and CEF eID Benefits
SECURE CROSS-BORDER
AUTHENTICATION Cost saving
User centric
CEF Governance and operations
Flexible
Introduction to eIDAS and CEF eID Countries with implementations based on LSPs
Many Member States already have experience with cross-border authentication through the Large Scale Pilot projects
• Countries with STORK based implementation:
‒ middleware countries: AT, DE
‒ STORK 1.0: BE, CH, CZ, LV, PT, SI,
SK
‒ STORK 1 and STORK 2.0: IT, LT, LU
‒ STORK 2.0: DK, EE, EL, ES, IS, NL,
NO, SE, TR, UK
Introduction to eIDAS and CEF eID Countries in process of implementing an eIDAS compliant Node
Many Member States are already gearing up to become part of the eIDAS Network
• Countries setting-up an eIDAS compliant Node (received CEF funding in 2014):
AT*, BE, CZ*, DE, DK*, EE*, EL*, ES*,
FR, IS, IT*, MT*, NL*, NO*, PL*, SK,
SE, UK*
• Countries planning national eIDAS Node implementation:
BG, CY, FI, LT, LU, LV, RO, SI, TR
* countries that expressed intent to use CEF eID sample implementation
Identification/ authentication for eHealth use cases
• Patient Summary & ePrescription/eDispensation
• Identification needs
• Cross-border patient identification / authentication:
• How can identification be done using CEF eID?
Patient Summary & ePrescription Identification needs
• Both services require:
• Identification of the patient – to retrieve correct PS/eP information
• Identification of HCP (e.g. doctor, pharmacists)– for access to cross-border PS and eP services
• At national level in some countries eID already support the identification of both patients and HCPs (e.g. BE, LU, AT)
• For the cross-border PS/eP services CEF eID can similarly support the identification and provide secure and real-time authentication
• Main question:
• For PS/eP where is cross-border authentication needed?
Cross-border identification/authentication How is identification done today?
• The NCP architecture provides for cross-border communication and connection with national services
• Identification in the current NCP setup is handled at the source
• Identification of the patient based on:
• National Patient Search and
• National Patient ID infrastructure
• Identification of HCP based on
• National HCP authenticator and
• National HCP ID infrastructure
Cross-border identification/authentication How is identification done today?
• MS implement the identification based on their requirements: varied landscape, national requirements for levels of assurance, security, liability
• A future Multilateral Legal Agreement is being discussed in the eHealth Network for adoption in 2016
• Identification of the patient is a cross-border use case
• Identification of HCP does not occur across borders in the current setup (only national identification), however, CEF eID could be used to authenticate access of HCPs in real-time
Examples of MS experience
• Luxembourg
• Austria
• Sweden
Luxembourg
• In eHealth nationally issued eIDs (smartcards) are already used for patient and HCP identification
• Cross-border identification of patients:
• Based on national approach: an official document (passport) presented to HCP, information is matched in national systems to retrieve patientID used in NCP
• Luxembourg foresees to use eIDAS and would be able to use the national eID across borders to identify patients (and possibly HCPs)
• Health data is one of the most sensitive types of personal data, the level of assurance and security would be ‘high’
• This could be catered for under eIDAS, Luxembourg prefers this as the authentication setup under eIDAS guarantees a single secure solution that can reused across sectors, including eHealth
• The smartcard solution is still considered the most secure in Luxembourg, security is considered most important, however alternative solutions for point of care issues may be identified
Austria
• In eHealth nationally issued eIDs (both smartcard and mobile eID) are already used for patient and HCP identification (moving away from health specific cards to the common national eID)
• Cross-border identification of patients:
• The national eID schemes are already integrated with the Austrian NCP (collaboration with OpenNCP, and eSENS eHealth Pilot based on STORK 2.0 experience)
• Austria foresees that eIDAS will support the cross-border authentication of patients and possibly also for HCPs
• Specific requirements for authentication in eHealth are derived from the national eID solutions that are considered secure and level ‘high’. eHealth specific requirements are not yet clearly defined, the ongoing work of JAseHN and Multilateral Legal Agreement would be important for this
• Sector specific authentication solutions should be avoided and eIDAS should support eHealth in the long-run. Bridge actions to solve current challenges such as point of care issues are useful in the medium term
Sweden
• In eHealth the eID provided by BankID is used for identification of patients based on their social security number. For HCP identification an eID system is in place based on eHealth specific smartcards
• Cross-border identification of patients:
• Sweden piloted ePrescription across borders in epSOS (not based on eID) and expects ePrescription to go live in 2017/2018
• The eID solution (BankID) is used nationally for patient identification and will most likely be notified under eIDAS. The HCP smartcard could in principle also be notified, however, there is no decision on this currently
• Sweden considers that eID schemes will converge to the eIDAS specifications and levels of assurance, eIDAS may therefore support the identification of patients and possible HCPs in the future (for which authentication needs to be carefully considered (beyond minimal dataset))
• Specific requirements for authentication in eHealth are derived from the national eID solutions that are considered secure and level ‘high’. eHealth specific requirements are not yet clearly defined, the ongoing work of JAseHN and Multilateral Legal Agreement would be important for this
Visit the catalogue of building blocks on CEF Digital Single Web Portal https://ec.europa.eu/cefdigital
Contact us
© European Union, 2016. All rights reserved. Certain parts are licensed under conditions to the EU. Reproduction is authorized provided the source is acknowledged.
