the crossroads bank for social security, a model for the health care sector ? frank robben general...
Post on 20-Dec-2015
213 views
TRANSCRIPT
The Crossroads Bank for Social Security,a model for the health care sector ?
Frank RobbenGeneral manager Crossroads Bank for Social SecuritySint-Pieterssteenweg 375B-1040 BrusselsE-mail: [email protected] CBSS: www.ksz.fgov.bePersonal website: http://www.law.kuleuven.ac.be/icri/frobben
Crossroads Bank for Social Security
2 12/06/2003Crossroads Bank for Social Security
Structure of the presentation
relevant similarities between the social security sector and the health care sector
the model of the Crossroads Bank- the overall concept- the basic building blocks
critical success factors for an implementation
3 12/06/2003Crossroads Bank for Social Security
Relevant similarities
many actors, each having their own competencies and interests
huge need for electronic exchange of sensitive personal data between those actors, with sufficient guarantees on- interoperability- efficiency- data quality- security (availability, integrity, confidentiality)
a central data storage is not possible or desirable for reasons of- privacy protection- unacceptability for the actors
4 12/06/2003Crossroads Bank for Social Security
The Crossroads Bank model
distributed data storage, conform to a functional task sharing between the actors
the use of common identification keys for every entity that has to be identified
a reference directory, serving as a base for the organization of information exchange
a common technical and functional interoperability framework
a common security framework a legal framework the creation of an institution that elaborates the vision,
stimulates, co-ordinates and manages the necessary frameworks
5 12/06/2003Crossroads Bank for Social Security
Distributed data storage
functional task sharing concerning- validation of information- storage of information
information is dynamically assembled- in function of business needs- on the initiative of the actor who needs the information or of
the concerned person- according to the authorizations - by the use of the common interoperability and security
framework
6 12/06/2003Crossroads Bank for Social Security
Common identification keys
characteristics- unicity
• one entity – one identification key• same identification key is not assigned to several entities
- exhaustivity• every entity to be identified has an identification key
- stability through time• identification key doesn’t contain variable characteristics of the identified
entity• identification key doesn’t contain references to the identification key or
characteristics of other entities• identification key doesn’t change when a capacity or a characteristic of
the identified entity changes
7 12/06/2003Crossroads Bank for Social Security
Common identification keys
concrete implementation- citizens
• social security number (national register number or CBSS-number)• (electronically) readable from the SIS-card or the electronic identity card• controlled access to basic identification data in National Register and
CBSS• Belgian Privacy Commission: in health care sector preferable use of
common identification key derived from social security number, rather than social security number itself
- enterprises, including organizations and professionals• enterprise number (based on VAT-number)• number for every plant of an enterprise• generalized access to basic identification data in the Enterprise Register
- regulation on data interconnection
8 12/06/2003Crossroads Bank for Social Security
Reference directory
serves as a base for the organization of information exchange
structure- directory of persons: which actors have data on which
persons in which capacities for which periods- data availability table: which actor disposes of which type of
data for which capacity- access authorization table: which data may be transmitted to
which actors for which capacities
functions- routing of information- preventive access control- automatic communication of changes to information
9 12/06/2003Crossroads Bank for Social Security
Interoperability framework
goal: to guarantee the ability of all actors to share information and to integrate information and business processes by the use of- interconnected physical networks- (open) technical standards- functional agreements- harmonized concepts and data modelling
10 12/06/2003Crossroads Bank for Social Security
Technical standards
Interconnection Information Exchange
ServicesRepository
TCP/IPSMTPLDAPFTPS/MIME
XMLXSLSOAPWSDLmetadata (RDF, XTM, XMI, …)
Security
Services Register (~ UDDI)Agreements (~ ebXML)PoliciesVocabularia (content + metadata)
11 12/06/2003Crossroads Bank for Social Security
Functional agreements
standardized codification standardized use of objects and attributes standardized layout of header of messages, independent from
information exchange format and type of information exchange version management backwards compatibility SLA’s on disponibility and performance of services access autorisation management anonimization rules acceptation and production environments priority management …
12 12/06/2003Crossroads Bank for Social Security
Security framework: institutional measures
no central data storage independent Control Committee, assigned by Parliament
- supervision of information security- authorizing the information exchange- complaint handling- information security recommendations- extensive investigating powers- annual activity report
publication of the authorizations of information exchange preventive control on legitimacy of data exchange by Crossroads
Bank according to authorizations of the independent Control Committee
information security department in each institution certified specialized information security service providers working party on information security
13 12/06/2003Crossroads Bank for Social Security
Security framework: extended ISO 17799 security policy security organization asset classification and control personnel security physical and environmental security computer and operations management access control system development and maintenance specific measures with regard to the processing of personal data business continuity planning compliance communication towards the public opinion concerning the
security policy and the measures with regard to security and privacy protection
14 12/06/2003Crossroads Bank for Social Security
Security framework: legal measures
obligations of the controller- principles relating to data quality- criteria for making data processing legitimate- specific rules for processing of sensitive data- information to be given to the data subject- confidentiality and security of processing- notification of the processing of personal data
rights of the data subject- right of information- right of access- right of rectification, erasure or blocking- right of a judicial remedy
penalties
15 12/06/2003Crossroads Bank for Social Security
Security framework: authentication
some basic concepts- identification: answer to the question “who are you ?”- authentication: answer to the question “can you proof who or
what you pretend to be ?”• who: authentication of the identity• what: authentication of an attribute (e.g. role, characteristic, mandate, ...)
- autorisation: answer to the question “what are you allowed to do ?”
authentication- of the identity
• electronic identity card• meanwhile, for some applications user-id – password – token
- of an attribute• stored in a database or• stored in attribute certificate
16 12/06/2003Crossroads Bank for Social Security
1234567890
SIS card: identification & proof of insurance status
• name• Christian names• date of birth• sex• social security number• period of validity of the card• card number
• sickness fund• sickness fund registration number• insurance period• insurance status• social exemption status
• other data to be added in the future, if useful
key 1
key 2
17 12/06/2003Crossroads Bank for Social Security
Electronic identity card: identification & authentication
• name• Christian names• nationality• birth place and date• sex• national register number• main residence• place of delivery of the card• period of validity of the card• card number• the photo of the holder• identity and signature keys• identity and signature certificates• accredited certification service
furnisher• information necesary for
authentication of the card and securization of the electronic data
18 12/06/2003Crossroads Bank for Social Security
Harmonized concepts and data modelling
standard elements- with well defined characteristics
- used within all services OO-oriented version management in an ever changing environment define once, use many (different presentations) workflow for validation of standard elements and characteristics multi criteria search
- by element
- by scheme
- by version
- …
19 12/06/2003Crossroads Bank for Social Security
Changes of the legal environment
organization of integrated information management and electronic service delivery- organizational principles of the co-operation- permission or obligation to use common identification keys- rights and obligations of the different actors- role of the Crossroads Bank
liability ICT-law: only basic principles, technology-neutral, but
not technology unaware- data protection- electronic signature- probative value
20 12/06/2003Crossroads Bank for Social Security
Creation of an institution (Crossroads Bank)
managed by representatives of the concerned actors tasks
- elaboration of the common vision in co-operation with the concerned actors
- stimulation- co-ordination and program and project management- management of
• the reference directory• the common interoperability framework• the common security framework• the legal framework
- harmonization of the concepts and data modelling
21 12/06/2003Crossroads Bank for Social Security
A proven model
this model has been implemented- with end-to-end integration of electronic processes between
• 2.000 public and private social security institutions• those institutions and all enterprises
- with integrated electronic service delivery via a web portal to all citizens and enterprises
170 types of structured data exchanges have already been implemented
242 million messages were exchanged in 2002 the model is mentioned as best practice in E-
government in the last 2 surveys of the European Commission
22 12/06/2003Crossroads Bank for Social Security
Critical success factors
a long term vision deliberated with the concerned actors respect of the repartition of tasks and competences between the
actors: co-operation between all actors rather than centralization of tasks
trust of all actors in the co-operation model and the security of the system
search for win-win situations sufficient financial means, skills and knowledge support of and access to policymakers at the highest level legal framework creation of an institution that elaborates the common vision,
stimulates, co-ordinates and manages the necessary frameworks