Ehealth Conference 2007, Berlin, April 17th-19th 2007
THE FRENCH «DOSSIER MÉDICAL PERSONNEL» (DMP)
MAIN INFRASTRUCTURAL FEATURES: SECURITY AND INTEROPERABILITY
Manuel METZ, GIP DMP - France
DMP: a French national ehealth record
The DMP (Dossier Médical Personnel) will be:
- a private, digitised medical file intended to foster coordination, quality and continuity of care;
- a file shared by healthcare professionals (HCP) but under the holder's control (the patient manages access to it and can hide documents);
- not a substitute for the professional files kept by HCPs in ambulatory care or in hospital;
- accessed through a web portal for holders only, and only through professional applications for HCPs, to maximise ergonomics and avoid time-consuming switching between applications;
- made up of data (structured or not) signed by its author (at first only by the HCP).
ehealth Conference Berlin April 2007
DMP: A health record needing adequate protection
As a health record, the DMP needs to be:
- Available: open 24/7, with 99.9% availability (i.e. less than 9 hours of interruption a year)
- Protective of data integrity and confidentiality:
  - protected communications (SSL)
  - restricted access to a DMP (e-safe, HCP rights defined by law)
  - separation of the trusted services (authentication) from data housing
  - a good level of authentication
* Caisse des Dépôts et Consignations is a state-owned financial institution that performs public-interest missions on behalf of France's central, regional and local governments.
Overview of user authentication for DMP V1
HCP's authentication:
(a) Authentication through the HCP smart card (either a server or a personal certificate, cf. slide 7)
(b) Connection through a SAML assertion issued by the portal
Holder's authentication:
(1) Password previously chosen by the holder
(2) One-time password sent to the holder by SMS
(3) Completion of the authentication with the one-time password provided
(4) Connection through a SAML assertion issued by the portal
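The holder's V1 login sequence above (password, then SMS one-time password, then a portal-issued assertion handed to the record-housing side) as an added example in Python. This is illustrative code written for this page, not the DMP's or GIP DMP's implementation: the SMS gateway callback, the HMAC-signed statement standing in for the portal's SAML assertion, the 5-minute OTP validity, the 3-attempt limit and the 15-minute assertion lifetime are all assumptions. It also shows the separation of the trusted authentication service from data housing: the housing side only verifies the signed assertion and never sees the password or the OTP.

```python
import hashlib
import hmac
import json
import os
import secrets
import time

OTP_TTL_SECONDS = 300        # assumption: a one-time password is valid for 5 minutes
MAX_OTP_ATTEMPTS = 3         # assumption: three wrong codes cancel the pending login
ASSERTION_TTL_SECONDS = 900  # assumption: the issued assertion lives 15 minutes


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 of the holder's chosen password (step 1 credential)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


class HolderAuthV1:
    """Authentication service for DMP holders (V1): password, then SMS OTP.

    Kept apart from data housing: on success it issues a signed assertion that
    the record-hosting side verifies with the shared key instead of re-checking
    credentials itself.
    """

    def __init__(self, send_sms, assertion_key):
        self.send_sms = send_sms            # hypothetical gateway: send_sms(phone, text)
        self.assertion_key = assertion_key  # shared with the data-housing side
        self.holders = {}                   # holder_id -> (salt, digest, phone)
        self.pending = {}                   # holder_id -> [otp, issued_at, attempts]

    def register(self, holder_id, password, phone):
        salt, digest = hash_password(password)
        self.holders[holder_id] = (salt, digest, phone)

    def step1_password(self, holder_id, password, now=None):
        """(1) Check the chosen password; on success (2) send a fresh OTP by SMS."""
        record = self.holders.get(holder_id)
        if record is None:
            return False
        salt, digest, phone = record
        _, candidate = hash_password(password, salt)
        if not hmac.compare_digest(candidate, digest):
            return False
        otp = "{:06d}".format(secrets.randbelow(10 ** 6))  # CSPRNG, never random.randint
        self.pending[holder_id] = [otp, now if now is not None else time.time(), 0]
        self.send_sms(phone, "DMP code: " + otp)
        return True

    def step2_otp(self, holder_id, otp, now=None):
        """(3) Complete the login with the OTP; returns a signed assertion or None."""
        state = self.pending.get(holder_id)
        if state is None:
            return None
        now = now if now is not None else time.time()
        stored, issued_at, attempts = state
        if now - issued_at > OTP_TTL_SECONDS or attempts >= MAX_OTP_ATTEMPTS:
            del self.pending[holder_id]       # expired or exhausted: start over
            return None
        state[2] += 1
        if not hmac.compare_digest(stored, otp):
            if state[2] >= MAX_OTP_ATTEMPTS:
                del self.pending[holder_id]
            return None
        del self.pending[holder_id]           # single use: a replayed OTP fails
        return self.issue_assertion(holder_id, now)

    def issue_assertion(self, holder_id, now):
        """(4) Stand-in for the portal's SAML assertion: an HMAC-signed statement."""
        body = {"subject": holder_id, "role": "holder",
                "issued_at": now, "expires_at": now + ASSERTION_TTL_SECONDS}
        payload = json.dumps(body, sort_keys=True).encode("utf-8")
        signature = hmac.new(self.assertion_key, payload, "sha256").hexdigest()
        return {"payload": payload, "signature": signature}


def verify_assertion(assertion, assertion_key, now=None):
    """Data-housing side: accept only a validly signed, unexpired assertion."""
    expected = hmac.new(assertion_key, assertion["payload"], "sha256").hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return None
    body = json.loads(assertion["payload"])
    now = now if now is not None else time.time()
    if now >= body["expires_at"]:
        return None
    return body["subject"]
```

The two checks that matter most in practice are the ones that are easy to forget: the OTP is deleted on first success so it cannot be replayed, and the pending login is discarded after the time limit or the attempt limit so a six-digit code cannot be brute-forced over a long window.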
Overview of user authentication for DMP V2
HCP's authentication:
(a) Authentication through the HCP's own smart card (personal certificate)
(b) Connection through a SAML assertion issued by the portal
Holder's authentication:
(1) Authentication through the patient smart card (personal certificate)
(2) Connection through a SAML assertion issued by the portal
DMP: A personal record controlled by its holder
- All data in the record must be available to the holder.
- The holder is entitled to write personal data into the record (but not to modify data produced by a healthcare professional).
- The holder can complement the default rights of access by denying access to specific healthcare professionals.
- The patient can hide any document, and nothing indicates to the targeted healthcare professional that some documents have been hidden.
Holder's control on his/her DMP
(1) The holder allows named HCPs to access his/her DMP.
(2) The holder can hide named documents from various types of HCP, except their author.
Emergency services and the main doctor may override those restrictions.
Effect of holder's control on his/her DMP 1/3
(1) HCP α is authenticated and authorised to access the DMP of holder Z
(2) HCP α can see all the documents of the DMP of holder Z
Effect of holder's control on his/her DMP 2/3
(1) HCP β is authenticated but not authorised to access the DMP of holder Z
Effect of holder's control on his/her DMP 3/3
(1) HCP γ is authenticated and authorised to access the DMP of holder Z
(2) Document C is hidden from HCP γ
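The holder-control rules of the preceding slides (named HCPs allowed, a deny list for specific HCPs, documents hidden from HCP types except from their author, the emergency/main-doctor override, the holder may write personal data but not alter HCP-produced data, and no sign to the HCP that anything was hidden) together with the three scenarios for holder Z, as an added Python example. It is illustrative code written for this page, not the DMP's access-control implementation: the HCP types, document names and audit-record layout are constructed, and applying the override to both the named-HCP rule and the hidden-document rule is an assumption.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class HCP:
    hcp_id: str
    hcp_type: str                             # constructed types: "gp", "specialist", "emergency"
    main_doctor_of: frozenset = frozenset()   # holder ids whose declared main doctor this HCP is


@dataclass(frozen=True)
class Document:
    doc_id: str
    author_id: str                            # HCP id, or the holder's id for personal data


@dataclass
class HolderPolicy:
    """What holder Z has decided about his/her own DMP."""
    holder_id: str
    allowed_hcps: set = field(default_factory=set)    # rule (1): named HCPs may access
    denied_hcps: set = field(default_factory=set)     # holder may also deny a specific HCP
    hidden_from: dict = field(default_factory=dict)   # rule (2): doc_id -> set of HCP types


def has_override(hcp, policy):
    """Emergency services and the holder's main doctor may override the restrictions."""
    return hcp.hcp_type == "emergency" or policy.holder_id in hcp.main_doctor_of


def is_authorized(hcp, policy):
    """Authentication is assumed already done; this is the authorisation decision only."""
    if has_override(hcp, policy):
        return True
    return hcp.hcp_id in policy.allowed_hcps and hcp.hcp_id not in policy.denied_hcps


def is_hidden_from(doc, hcp, policy):
    """A hidden document stays visible to its own author and to overriding HCPs."""
    if doc.author_id == hcp.hcp_id or has_override(hcp, policy):
        return False
    return hcp.hcp_type in policy.hidden_from.get(doc.doc_id, set())


def hcp_access(hcp, policy, documents, audit):
    """Return ("granted", visible documents) or ("denied", []).

    The visible list carries no placeholder for hidden documents, so nothing
    tells the HCP that something was withheld. Every decision is appended to
    `audit` (constructed tuple layout) for traceability.
    """
    if not is_authorized(hcp, policy):
        audit.append((hcp.hcp_id, policy.holder_id, "denied", ()))
        return "denied", []
    visible = [d for d in documents if not is_hidden_from(d, hcp, policy)]
    audit.append((hcp.hcp_id, policy.holder_id, "granted",
                  tuple(d.doc_id for d in visible)))
    return "granted", visible


def holder_view(policy, documents):
    """All data in the record is available to its holder, hidden or not."""
    return list(documents)


def can_modify(actor_id, doc):
    """Only the author may alter a document: the holder cannot edit HCP-produced data."""
    return actor_id == doc.author_id
```

Scenario 1/3 is HCP α on the allowed list with nothing hidden, 2/3 is HCP β absent from the list, 3/3 is HCP γ on the list with document C hidden from γ's type; the audit entry for γ records only the documents actually served, which is what an HCP-side integrity and traceability check would later compare against.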
DMP: A record used by numerous actors
Levels of interoperability
Interoperability is required on several levels and is addressed through specified implementations of norms and standards:
- Medical application level: HL7, DICOM, CDA, HPRIM...
- Authentication level: use of the HCP smart card and possibly the patient's smart card
- Exchange level: IHE XDS
- Transport level: HTTP and SOAP over SSL, and possibly WS specifications
A framework specifying each level will be published to ensure the interoperability of each component.
Conclusion
DMP: a large-scale project whose success depends on trust and interoperability.
The DMP will only be used if it is trusted by its users:
- trusted by the holder: confidentiality and control
- trusted by the HCP: integrity and traceability (=> digital signature)
The DMP will only be successful if it achieves a critical mass of ehealth records housed:
- broadly used standards (HTTP, IHE...) favouring easy access
THANK YOU VERY MUCH
www.d-m-p.org
manuel.metz@sante.gouv.fr