The Crossroads Bank for Social Security,a model for the health care sector ?

Frank RobbenGeneral manager Crossroads Bank for Social SecuritySint-Pieterssteenweg 375B-1040 BrusselsE-mail: Frank.Robben@ksz.fgov.beWebsite CBSS: www.ksz.fgov.bePersonal website: http://www.law.kuleuven.ac.be/icri/frobben

Crossroads Bank for Social Security

2 12/06/2003Crossroads Bank for Social Security

Structure of the presentation

relevant similarities between the social security sector and the health care sector

the model of the Crossroads Bank- the overall concept- the basic building blocks

critical success factors for an implementation

3 12/06/2003Crossroads Bank for Social Security

Relevant similarities

many actors, each having their own competencies and interests

huge need for electronic exchange of sensitive personal data between those actors, with sufficient guarantees on- interoperability- efficiency- data quality- security (availability, integrity, confidentiality)

a central data storage is not possible or desirable for reasons of- privacy protection- unacceptability for the actors

4 12/06/2003Crossroads Bank for Social Security

The Crossroads Bank model

distributed data storage, conform to a functional task sharing between the actors

the use of common identification keys for every entity that has to be identified

a reference directory, serving as a base for the organization of information exchange

a common technical and functional interoperability framework

a common security framework a legal framework the creation of an institution that elaborates the vision,

stimulates, co-ordinates and manages the necessary frameworks

5 12/06/2003Crossroads Bank for Social Security

Distributed data storage

functional task sharing concerning- validation of information- storage of information

information is dynamically assembled- in function of business needs- on the initiative of the actor who needs the information or of

the concerned person- according to the authorizations - by the use of the common interoperability and security

framework

6 12/06/2003Crossroads Bank for Social Security

Common identification keys

characteristics- unicity

• one entity – one identification key• same identification key is not assigned to several entities

- exhaustivity• every entity to be identified has an identification key

- stability through time• identification key doesn’t contain variable characteristics of the identified

entity• identification key doesn’t contain references to the identification key or

characteristics of other entities• identification key doesn’t change when a capacity or a characteristic of

the identified entity changes

7 12/06/2003Crossroads Bank for Social Security

Common identification keys

concrete implementation- citizens

• social security number (national register number or CBSS-number)• (electronically) readable from the SIS-card or the electronic identity card• controlled access to basic identification data in National Register and

CBSS• Belgian Privacy Commission: in health care sector preferable use of

common identification key derived from social security number, rather than social security number itself

- enterprises, including organizations and professionals• enterprise number (based on VAT-number)• number for every plant of an enterprise• generalized access to basic identification data in the Enterprise Register

- regulation on data interconnection

8 12/06/2003Crossroads Bank for Social Security

Reference directory

serves as a base for the organization of information exchange

structure- directory of persons: which actors have data on which

persons in which capacities for which periods- data availability table: which actor disposes of which type of

data for which capacity- access authorization table: which data may be transmitted to

which actors for which capacities

functions- routing of information- preventive access control- automatic communication of changes to information

9 12/06/2003Crossroads Bank for Social Security

Interoperability framework

goal: to guarantee the ability of all actors to share information and to integrate information and business processes by the use of- interconnected physical networks- (open) technical standards- functional agreements- harmonized concepts and data modelling

10 12/06/2003Crossroads Bank for Social Security

Technical standards

Interconnection Information Exchange

ServicesRepository

TCP/IPSMTPLDAPFTPS/MIME

XMLXSLSOAPWSDLmetadata (RDF, XTM, XMI, …)

Security

Services Register (~ UDDI)Agreements (~ ebXML)PoliciesVocabularia (content + metadata)

11 12/06/2003Crossroads Bank for Social Security

Functional agreements

standardized codification standardized use of objects and attributes standardized layout of header of messages, independent from

information exchange format and type of information exchange version management backwards compatibility SLA’s on disponibility and performance of services access autorisation management anonimization rules acceptation and production environments priority management …

12 12/06/2003Crossroads Bank for Social Security

Security framework: institutional measures

no central data storage independent Control Committee, assigned by Parliament

- supervision of information security- authorizing the information exchange- complaint handling- information security recommendations- extensive investigating powers- annual activity report

publication of the authorizations of information exchange preventive control on legitimacy of data exchange by Crossroads

Bank according to authorizations of the independent Control Committee

information security department in each institution certified specialized information security service providers working party on information security

13 12/06/2003Crossroads Bank for Social Security

Security framework: extended ISO 17799 security policy security organization asset classification and control personnel security physical and environmental security computer and operations management access control system development and maintenance specific measures with regard to the processing of personal data business continuity planning compliance communication towards the public opinion concerning the

security policy and the measures with regard to security and privacy protection

14 12/06/2003Crossroads Bank for Social Security

Security framework: legal measures

obligations of the controller- principles relating to data quality- criteria for making data processing legitimate- specific rules for processing of sensitive data- information to be given to the data subject- confidentiality and security of processing- notification of the processing of personal data

rights of the data subject- right of information- right of access- right of rectification, erasure or blocking- right of a judicial remedy

penalties

15 12/06/2003Crossroads Bank for Social Security

Security framework: authentication

some basic concepts- identification: answer to the question “who are you ?”- authentication: answer to the question “can you proof who or

what you pretend to be ?”• who: authentication of the identity• what: authentication of an attribute (e.g. role, characteristic, mandate, ...)

- autorisation: answer to the question “what are you allowed to do ?”

authentication- of the identity

• electronic identity card• meanwhile, for some applications user-id – password – token

- of an attribute• stored in a database or• stored in attribute certificate

16 12/06/2003Crossroads Bank for Social Security

1234567890

SIS card: identification & proof of insurance status

• name• Christian names• date of birth• sex• social security number• period of validity of the card• card number

• sickness fund• sickness fund registration number• insurance period• insurance status• social exemption status

• other data to be added in the future, if useful

key 1

key 2

17 12/06/2003Crossroads Bank for Social Security

Electronic identity card: identification & authentication

• name• Christian names• nationality• birth place and date• sex• national register number• main residence• place of delivery of the card• period of validity of the card• card number• the photo of the holder• identity and signature keys• identity and signature certificates• accredited certification service

furnisher• information necesary for

authentication of the card and securization of the electronic data

18 12/06/2003Crossroads Bank for Social Security

Harmonized concepts and data modelling

standard elements- with well defined characteristics

- used within all services OO-oriented version management in an ever changing environment define once, use many (different presentations) workflow for validation of standard elements and characteristics multi criteria search

- by element

- by scheme

- by version

- …

19 12/06/2003Crossroads Bank for Social Security

Changes of the legal environment

organization of integrated information management and electronic service delivery- organizational principles of the co-operation- permission or obligation to use common identification keys- rights and obligations of the different actors- role of the Crossroads Bank

liability ICT-law: only basic principles, technology-neutral, but

not technology unaware- data protection- electronic signature- probative value

20 12/06/2003Crossroads Bank for Social Security

Creation of an institution (Crossroads Bank)

managed by representatives of the concerned actors tasks

- elaboration of the common vision in co-operation with the concerned actors

- stimulation- co-ordination and program and project management- management of

• the reference directory• the common interoperability framework• the common security framework• the legal framework

- harmonization of the concepts and data modelling

21 12/06/2003Crossroads Bank for Social Security

A proven model

this model has been implemented- with end-to-end integration of electronic processes between

• 2.000 public and private social security institutions• those institutions and all enterprises

- with integrated electronic service delivery via a web portal to all citizens and enterprises

170 types of structured data exchanges have already been implemented

242 million messages were exchanged in 2002 the model is mentioned as best practice in E-

government in the last 2 surveys of the European Commission

22 12/06/2003Crossroads Bank for Social Security

Critical success factors

a long term vision deliberated with the concerned actors respect of the repartition of tasks and competences between the

actors: co-operation between all actors rather than centralization of tasks

trust of all actors in the co-operation model and the security of the system

search for win-win situations sufficient financial means, skills and knowledge support of and access to policymakers at the highest level legal framework creation of an institution that elaborates the common vision,

stimulates, co-ordinates and manages the necessary frameworks

Th@nk you !

Crossroads Bank for Social Security