CEF eID SMO: The use of eID in eHealth · ec.europa.eu/health/sites/health/files/ehealth/docs/ev... · 2016. 11. 25.


  • CEF eID SMO: The use of eID in eHealth

    eHealth Network meeting, 7 June 2016, Amsterdam

  • Agenda

    Introduction to the study

    Introduction to eIDAS Regulation and CEF eID

    Identification/authentication for eHealth use cases

    Examples of MS experience

  • Introduction to the study

  • Why, what, when, where?

    The use of eID in eHealth

  • How?

    • Experience from previous/ongoing initiatives: epSOS, OpenNCP, Expand, STORK 2.0, eSENS eHealth pilot, JAseHN

    • Selected countries with relevant experience: AT, FI, EL, IT, LU, PT, SE

    • Collaboration with: OpenNCP, eSENS eHealth pilot, JAseHN

    • Directed by: DG SANTE, eIDAS Task Force/DG DIGIT

  • How?

    eHealth & eIDAS Bringing the two worlds together!

  • Timeline

  • Introduction to eIDAS and CEF eID

    • Legal framework

    • Benefits

    • Current situation in MS

  • Introduction to eIDAS and CEF eID Legal framework

    • eIDAS Regulation established a legal framework and trust model for the mutual recognition of notified nationally supported eIDs across borders

    By Sep 2018, public administrations that offer services requiring online authentication must accept (subject to conditions) notified eIDs from other Member States

    This will include public eHealth services

    CEF eID: CEF provides software and support services; financially supports the deployment in MS

  • Introduction to eIDAS and CEF eID Benefits

    SECURE CROSS-BORDER AUTHENTICATION

    Cost saving

    User centric

    CEF Governance and operations

    Flexible

  • Introduction to eIDAS and CEF eID Countries with implementations based on LSPs

    Many Member States already have experience with cross-border authentication through the Large Scale Pilot projects

    • Countries with STORK based implementation:

    ‒ middleware countries: AT, DE

    ‒ STORK 1.0: BE, CH, CZ, LV, PT, SI, SK

    ‒ STORK 1 and STORK 2.0: IT, LT, LU

    ‒ STORK 2.0: DK, EE, EL, ES, IS, NL, NO, SE, TR, UK

  • Introduction to eIDAS and CEF eID Countries in process of implementing an eIDAS compliant Node

    Many Member States are already gearing up to become part of the eIDAS Network

    • Countries setting-up an eIDAS compliant Node (received CEF funding in 2014):

    AT*, BE, CZ*, DE, DK*, EE*, EL*, ES*, FR, IS, IT*, MT*, NL*, NO*, PL*, SK, SE, UK*

    • Countries planning national eIDAS Node implementation:

    BG, CY, FI, LT, LU, LV, RO, SI, TR

    * countries that expressed intent to use CEF eID sample implementation

  • Identification/ authentication for eHealth use cases

    • Patient Summary & ePrescription/eDispensation

    • Identification needs

    • Cross-border patient identification / authentication:

    • How can identification be done using CEF eID?

  • Patient Summary & ePrescription Identification needs

    • Both services require:

    • Identification of the patient – to retrieve correct PS/eP information

    • Identification of HCP (e.g. doctors, pharmacists) – for access to cross-border PS and eP services

    • At national level in some countries, eIDs already support the identification of both patients and HCPs (e.g. BE, LU, AT)

    • For the cross-border PS/eP services CEF eID can similarly support the identification and provide secure and real-time authentication

    • Main question:

    • For PS/eP where is cross-border authentication needed?

  • Cross-border identification/authentication How is identification done today?

    • The NCP architecture provides for cross-border communication and connection with national services

    • Identification in the current NCP setup is handled at the source

    • Identification of the patient based on:

    • National Patient Search and

    • National Patient ID infrastructure

    • Identification of HCP based on

    • National HCP authenticator and

    • National HCP ID infrastructure

  • Cross-border identification/authentication How is identification done today?

    • MS implement the identification based on their requirements: varied landscape, national requirements for levels of assurance, security, liability

    • A future Multilateral Legal Agreement is being discussed in the eHealth Network for adoption in 2016

    • Identification of the patient is a cross-border use case

    • Identification of HCP does not occur across borders in the current setup (only national identification); however, CEF eID could be used to authenticate access of HCPs in real-time

  • Examples of MS experience

    • Luxembourg

    • Austria

    • Sweden

  • Luxembourg

    • In eHealth nationally issued eIDs (smartcards) are already used for patient and HCP identification

    • Cross-border identification of patients:

    • Based on national approach: an official document (passport) presented to HCP, information is matched in national systems to retrieve patientID used in NCP

    • Luxembourg foresees to use eIDAS and would be able to use the national eID across borders to identify patients (and possibly HCPs)

    • Health data is one of the most sensitive types of personal data, so the level of assurance and security would be ‘high’

    • This could be catered for under eIDAS. Luxembourg prefers this, as the authentication setup under eIDAS guarantees a single secure solution that can be reused across sectors, including eHealth

    • The smartcard solution is still considered the most secure in Luxembourg and security is considered most important; however, alternative solutions for point of care issues may be identified

  • Austria

    • In eHealth nationally issued eIDs (both smartcard and mobile eID) are already used for patient and HCP identification (moving away from health specific cards to the common national eID)

    • Cross-border identification of patients:

    • The national eID schemes are already integrated with the Austrian NCP (collaboration with OpenNCP, and eSENS eHealth Pilot based on STORK 2.0 experience)

    • Austria foresees that eIDAS will support the cross-border authentication of patients and possibly also for HCPs

    • Specific requirements for authentication in eHealth are derived from the national eID solutions that are considered secure and level ‘high’. eHealth-specific requirements are not yet clearly defined; the ongoing work of JAseHN and the Multilateral Legal Agreement would be important for this

    • Sector-specific authentication solutions should be avoided and eIDAS should support eHealth in the long run. Bridge actions to solve current challenges such as point of care issues are useful in the medium term

  • Sweden

    • In eHealth the eID provided by BankID is used for identification of patients based on their social security number. For HCP identification an eID system is in place based on eHealth specific smartcards

    • Cross-border identification of patients:

    • Sweden piloted ePrescription across borders in epSOS (not based on eID) and expects ePrescription to go live in 2017/2018

    • The eID solution (BankID) is used nationally for patient identification and will most likely be notified under eIDAS. The HCP smartcard could in principle also be notified, however, there is no decision on this currently

    • Sweden considers that eID schemes will converge to the eIDAS specifications and levels of assurance; eIDAS may therefore support the identification of patients and possibly HCPs in the future (for which authentication needs to be carefully considered, beyond the minimal dataset)

    • Specific requirements for authentication in eHealth are derived from the national eID solutions that are considered secure and level ‘high’. eHealth-specific requirements are not yet clearly defined; the ongoing work of JAseHN and the Multilateral Legal Agreement would be important for this

  • Visit the catalogue of building blocks on CEF Digital Single Web Portal https://ec.europa.eu/cefdigital


  • Contact us

    © European Union, 2016. All rights reserved. Certain parts are licensed under conditions to the EU. Reproduction is authorized provided the source is acknowledged.
