Securing eHealth systems for the future
Stéfane Mouille, Gemalto, Axel Vonderhagen, Giesecke & Devrient and Tolgahan Yil
As a focus area of interest for the Silicon Trust in 2010, representatives from the organization’s Executive Committee (Gemalto, Giesecke & Devrient and Infineon Technologies) came together in a live panel debate to discuss some of the key topics surrounding eHealth applications in the current market.
Axel, could you give us your opinion on some of the main drivers for eHealth applications?
AV: From our understanding and past experience, we notice that health systems and the communication of doctors are based on different media – this is one driver that I will explain later. One main driver is the quality of patient treatment – better quality of treatment can be achieved if the doctor knows the full patient history. A second driver, which we especially have in Germany, is fraud. ID cards are very simple and a stolen eHealth card can be used without anyone checking the authenticity. Another driver, as I mentioned earlier, is the administration process – there are complex paper-based communication processes, even though most practices should now be computer-based. I therefore think that the administration process needs to be updated to a paperless workflow.
And following on from that, if we look at the paperless workflow - Tolga, maybe you could give us an update on the data management side of things?
TY: Obviously there are different sets of data involved in a typical healthcare project, depending on the country, type and amount of data, so it’s difficult to give a mainstream solution. I could give you an example of two different extremes: one extreme is that there is a minimum amount of data on a card and most of the data is stored in the background system, and the card is only a key to access the system. The other extreme is that there is more storage on the local medium, like a card or USB stick, where there is no limit - you can store as much as you want including full medical history, but of course that might be sensitive information too. So these two extremes exist and the solution is normally a customized one according to the needs, requirements and laws of the countries.
If we look at ePassports for example, there is some rigorous standardization involved as it’s a global product and everything has to work together – do you see the same issues in eHealth? Stéfane, maybe you can answer this…
SM: First of all standardization is really important for guaranteeing the interoperability in one given system. Knowing that the first interoperable need is on a national level to guarantee that the ecosystem is connected in the right way – I mean the doctors, pharmacy, hospital and the health insurance. So it’s really important to have a national standard and today this is mostly the case, thanks to ISO or national organizations. Currently, the next step is on a European level to ensure the quality of citizens’ health insurance even when abroad. We see that European standards are popping up and the CEN, which is a European standardization committee, already published some standards for interoperability called eEHIC, for European Health Insurance Cards. They are already available and already implemented, because we have seen some European projects, for example Netc@rds, which is a consortium of 16 health insurers in Europe, contributing to this ambitious project. They are already creating a framework for interoperability based on these eEHIC standards, to guarantee that the French citizen who visits Germany can use his French eHealth card to prove that she or he is insured under French insurance. So this is very important, and at least for the European continent it’s a key issue for the next few years.
Going back to ePassports again, another technology that is being introduced is biometrics – do you see this form of authentication being used in the eHealth domain?
TY: I think the presence of biometrics in eHealth cards are not as many as in ePassports. What we see is the effort to increase the match between the person and the card in order to avoid fraud for example. And here we see the various different methods such as multi-functional authentication, for example in Austria the card is only used as a key to the system and you only have single-factor authentication, which is cards. Another extreme in Germany, we have four different factors of authentication: patient card, doctor card, plus the patient and doctor have a PIN number and only with all of these factors the doctor has the right to access the data. I think biometrics come into the picture when there is a multi-application solution – if an eHealth product is also used as an ID product nationwide such as in Portugal or Turkey then there might be use of biometrics.
You mention accessing the patient data – Axel, what do you see in terms of patient data storage, can you store it on the card, centrally, what are the different methods that are available?
AV: As discussed, we have the two extremes, either you’re saying that the card is only being used as a key to a back-end system, or that the card stores all the data in the card - both scenarios have their own advantages and disadvantages. Let’s have a look at the German model, which divides a little bit. There is special (emergency) data and some medical history data stored on the card itself, however this is also mirrored in the back-end system too. So I would say that here the card is being used as medium-sized storage. But the card is also being used as a key for the back-end system. One big advantage of having the information on the card is that you immediately have the emergency data if there is something wrong with the infrastructure, but then of course you have the disadvantage that if you lose your card, and the data is only on the card, and not mirrored in a back-end system, then the user faces a problem. The second part is the data protection issue. In Germany there are a lot of discussions about which data is allowed to be stored on the card and how secure the card has to be – this often comes down to each country’s laws. So the discussion surrounding what and where the data is stored is difficult. I would say that it is up to the individual country and its laws to decide where to store which data.
Depending on which type of storage you decide upon (centralized or de-centralized), what impact does the hardware have on which storage solution is chosen?
TY: In countries like Germany, where you want to store patient data on the card, that has a direct impact on the size of the memory on the IC. If you have some pre description of the medical history and prescription information – this in Germany for example is a minimum of 80 Kilobytes (kB) EEPROM, but you can go down to 8 kB if you only want a single key to access the database. If you want to store everything about the patient then you can easily reach Gigabyte range, which is not really feasible in a card form factor.
What sort of impact do you think the storage will have on security? How can we ensure that only the right people have the access to the information?
TY: Security of the hardware or the solution is also a measure to prevent fraud, because fraud is one of the major drivers. In order to achieve tamper-proof secure hardware, most of the governments worldwide choose security-certified microcontrollers, which are certified according to Common Criteria EAL5+ assurance level. Furthermore, in the application level, the confidentiality of the data stored and the access mechanism to the data is managed by use of cryptography. Today, we would most likely see symmetric cryptography based on DES/3DES algorithm in the market. We foresee that AES will take the place of Triple DES soon. In the case of Germany we have today asymmetric cryptography with RSA algorithm, for asymmetric encryption maybe in two to three years’ time we might see ECC (Elliptic curve cryptography). These two security measures would cover major security requirements at device level and application level.
Stéfane maybe you could give us an indication of some of the different eHealth projects that are ongoing around the world, and what some of the similarities and differences are?
SM: What is interesting is that each project is really different because the business process in one given ecosystem for eHealth or social security project is unique. The legal framework is not homogeneous because it’s the responsibility of each member state in Europe and up to each country to define its own social security policy. But what we can see is that, even though there are differences, there is a convergence of the three drivers that we discussed at the beginning, which are administration cost reduction (dematerializing paperwork to claim electronically); reducing fraud (which was not an issue ten years ago and is quite a new driver) and quality of care (to make sure we have a good track record in treating patients and to avoid errors in prescribing medication).
Europe was the leader in starting eHealth projects with France, Germany and Belgium, then followed by Slovenia and Taiwan and more recently Algeria. We can see that it is becoming a mass market, and we hope that, with standardization efforts in the industry, we can have the same success as the GSM in the future.







