- 1: epSOS Home.
- 2: About epSOS.
- 3: Project Structure & Results.
- 3.1: Work Package 1.1.
- 3.2: Work Package 1.2.
- 3.3: Work Package 1.3.
- 3.4: Work Package 2.1.
- 3.5: Work Package 3.1.
- 3.6: Work Package 3.2 .
- 3.7: Work Package 3.3.
- 3.8: Work Package 3.4.
- 3.9: Work Package 3.5.
- 3.10: Work Package 3.6.
- 3.11: Work Package 3.7.
- 3.12: Work Package 3.8.
- 3.13: Work Packages 3.9 and 3.10.
- 3.14: Work Package 4.1.
- 3.15: Work Package 4.2.
- 3.16: Work Package 4.3.
- 3.17: Work Package 4.4.
- 3.18: Work Package 5.1.
- 3.19: Work Package 5.2.
- 3.20: Work Package 5.3 .
- 4: epSOS Countries.
- 5: Large Scale Pilot.
- 6: FAQ.
- 7: News & Events.
- 8: Press section.
- 9: Links & Collaborations.
- 10: Download Area.
- 11: Glossary.
| Title: | Final Identity Management Specification Definition |
|---|---|
| Author: | Gottfried Heider |
| Work Package: | 3.6 |
| Working Task: | 3.6.2 |
| D3.6.2: | Final Identity Management Specification Definition |
Final Identity Management Specification Definition
Summary
The main function of the epSOS LSP environment is to provide patient health data stored in the patient’s home country ('Country A') to a Health Care Professional providing health service in a foreign country ('Country B').
According to the ISO standard ISO/IEC CD 24760, 'Identity Management' refers to the issuance, administration, and identification of entities that fall into a particular category.
'Identity Management' is therefore a crucial element of network systems, and requires that users and their roles must be identified and confirmed. This applies especially to an epSOS LSP, where a patient and a 'Health Care Provider' build a trusting relationship. Being able to rely on personal and related health data is one of the most important aspects to ensuring that medical care is carried out properly and with trustworthy information.
As described in 'Annex I' identification is a vital element of the epSOS LSP:
“Proved identification of persons is one of the basic requirements for the access of person related health data on the regional, national and also multinational level in the European context. (…) Proper person identification has to be solved both on a national and a multinational level, before a user can access even one set of individual health data cross-border. The challenge is to identify internationally compatible and interoperable solutions on three levels:
- Person identification / patient identification,
- Health Care Provider identification incl. identification of persons (health professionals) working in organisations with more than one employee,
- Legal management: definition of rights, definition of rules and procedures for health professionals.”
Based on this description, the declared objectives of WP 3.6 were to develop processes for:
- Identification and authentication of patients and Health Care Providers
- Authorisation of Health Care Providers
- Patient consent
- Audit Trail.
The development of these processes is based on the functional requirements of other Work Packages in the epSOS LSP (mainly WP 3.1 and WP 3.2). The instructions of WP 2.1 (dealing with national security policies and patient privacy policies) are taken in consideration, as well as the right of patients to make autonomous decisions.
The complexity of multilateral identity management is emphasized by the following two opposing starting points:
- Keeping the interference with already-installed systems in MSs to a minimum, and
- Taking into consideration that most of the steps of the designed processes have to be included in national infrastructures.
With this in mind, the design of the necessary processes for identification and authentication of patients and HCPs supports the participating Member States in creating, or easily adapting, processes within their own infrastructures, which are fully compliant with the goals of the LSP. This is achieved by presenting different variants and options for these processes, which are all comparable and equally valid. Many of the necessary steps or parts of the identification and authentication processes are based on technologies, which are commonly used right now.
The actual progress of comparable EU-Projects and LSPs for cross-border identification and authentication was investigated before the design process within WP 3.6 was started, and possible future synergies have been analyzed. The most challenging and complex topic is the bilateral authorisation of HCPs to access patient’s health data abroad. Due to the fact that national laws and regulations differ significantly regarding some important issues, a number of final decisions have to be postponed until the piloting phase.
There are still a number of unanswered questions and open issues concerning the handling and management of patient consent, which makes further investigations, analyses and agreements necessary. This is an ongoing process driven by WP 2.1. Nevertheless, WP 3.6 proposes processes and requirements for Member States on a commonly understood and agreed basis.
Descriptions of the mentioned processes and their possible variants are presented in more detail in the following chapters of this document.
The outcome of the described processes is listed in chapter 16 (Annex I ‘Overview about requirements/recommendations and responsibilities’) as requirements and recommendations, which should be implemented by those responsible.