The Personal Health Number (Het Persoonlijk Gezondheidsnummer / Numéro Personnel d’Identification Santé)


Page 1: Het Persoonlijk Gezondheidsnummer (Numéro Personnel d’Identification Santé)

The Personal Health Number (Het Persoonlijk Gezondheidsnummer / Numéro Personnel d’Identification Santé)

Prof. Dr. G. De Moor, 25/09/2006

Page 2

Prof. Dr. G. De Moor, 25/09/2006

Telematica Commissie

The HEPI-GO project: “a Proof of Concept Project”

1 Dec. 2005 - 1 Jul. 2006

– HEPI: Health Electronic Personal Identifier (solution within the existing legal framework)

– Transformation function INSS to HEPI

Page 3

Often confused topics

Health Professional “Identification”
– Context: authorization (broad sense) in healthcare
– Security tool
– “Identify” a person as HCP (actually authenticate a person in a HCP role) in order to “authorize” him to perform an action
– Technical: credentials linked to persons

Patient Identifiers
– Context: data management (continuity of care)
– NOT a security tool (authentication or authorization)
– Technical: uniform reference to the object (i.e. the patient) of medical data (a number referring to a person)

Page 4

Need and Context

Europe

– Interoperability (cf. eHealth Action Plan CEC/EU)
– “Cradle to grave” patient identification number seen as an enabler for eHealth efficiency and patient safety
– Priority in many countries
– Most countries use the National Number

Situation in Belgium
– No unified approach to patient identification (patient ID locally defined)

Page 5

Identifiers in Belgium
– National Number (RRN/NRN)
– Identification Number for Social Security (INSZ/NISS) (“extension” of the NN)

NN, INSS as HEPI, not recommended (legally):
– Legal framework
– Advice CBPL
– Advice Council of Europe
– Other (the INSZ is not meaningless)

HEPI-GO: INSS-based HEPI

Page 6

Broader view on HEPI-GO

2 (strongly related) topics within HEPI-GO
– The patient identifier: primary HEPI creation
  – Algorithms
  – ...
– Operational aspects
  – Generation / distribution
  – Management
  – ...

Page 7

Operational Aspects

Patient Identifier

– From cradle to grave
– Should not complicate existing procedures (HEPI = efficiency)
– Existing carriers of identifiers
  – SIS (Social Security Card)
  – eID (by 2009)

Page 8

HEPI Choices

– One identifier within the care domain
– Distribution:
  – Central HEPI Conversion Service (fits the BeHealth vision)
    – Can provide the trust required because of algorithmic constraints
    – Allows (limited) control of HEPI generation
  – Care providers can store the HEPI as administrative data in their records (only a minimum number of conversions needed)
  – Patient can carry his HEPI around (e.g. on a hospital patient card)

Remember:
– The HEPI is not suited for protecting privacy!

Page 9

Micro-ID-domains within Care (IDM related)

[Diagram: within the Care Domain one Patient is known under a different identifier in each micro-ID-domain: GP 1 (Patient = HEPI_A), GP 2 (Patient = HEPI_B), Hospital (Patient = HEPI_C). Information exchange between them requires ID translation through an Authorised Identifier Mapping Service. The diagram is labelled “Not Recommended”.]

Page 10

HEPI: INSS Transformation

Design Constraints formulated by stakeholders

– The transformation from INSS to HEPI should be “irreversible”
  – Different interpretations of “irreversible”

– Only authorized parties should be able to perform the transformation

– The “primary HEPI” must be manually and automatically processable

– The INSS transformation should be strictly collision free

Page 11

HEPI: INSS Transformation

– Not all design requirements can be met at the same time
– Two different approaches, with different trade-offs, are proposed in the report:
  – A solution based on symmetric encryption (collision free, but not one-way)
  – A solution based on one-way functions (requiring a centralized database to become collision free)

Page 12

Candidate Solution based on Symmetric Cipher

[Diagram: INSS → Packed(INSS) → E1(.) under a fixed key (i.e. a universal secret) → E1(Packed(INSS)) → E2(.) under key Ki, selected from the Key Database by Ki_ID → binary HEPI → Encode + Checksum → HEPI.]

– KeyIDs are random numbers, not mathematically related to the INSS
– Keys are randomly generated (with weak-key check etc.). Keys are added when needed.
– INSS determines the key to be selected (e.g. periodic, every year a new key)
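The pipeline on this slide, written out as an added Python illustration; it is not the HEPI-GO project's code and not taken from the report. The slide names no cipher, so E1 and E2 are stood in for by a 64-bit Feistel cipher built on HMAC-SHA256 (an assumption). The packing of the 11-digit INSS into 64 bits, the key-selection rule (the birth-year digits choose Ki), the 15+1-character encoding with a check character, and the keys themselves are likewise constructed for the example.

```python
"""Added illustration of the symmetric-cipher HEPI candidate (not the project's code).
Cipher, packing, key selection policy, encoding and keys are all assumptions."""
import hashlib
import hmac

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF
ALPHABET = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"  # 32 symbols, 5 bits per character

# Constructed placeholder keys. In the scheme the fixed key is a universal secret and
# the Ki live in a key database; real keys are randomly generated with weak-key checks.
UNIVERSAL_KEY = hashlib.sha256(b"constructed fixed key, not a real secret").digest()
KEY_DATABASE = {kid: hashlib.sha256(b"constructed Ki %d" % kid).digest() for kid in (1, 2, 3)}


def pack_inss(inss: str) -> int:
    """Packed(INSS): the 11 decimal digits of an INSS fit easily into 64 bits."""
    if not (len(inss) == 11 and inss.isdigit()):
        raise ValueError("INSS must be 11 digits")
    return int(inss)


def select_key_id(inss: str) -> int:
    """INSS determines the key; assumed policy: the birth-year digits pick Ki."""
    ids = sorted(KEY_DATABASE)
    return ids[int(inss[:2]) % len(ids)]


def feistel64(block: int, key: bytes, decrypt: bool = False, rounds: int = 4) -> int:
    """Stand-in for E1/E2: 64-bit Feistel network with HMAC-SHA256 round function.
    A block cipher is a permutation, so distinct INSS give distinct HEPIs (collision
    free), but whoever holds the key can run it backwards (not one-way)."""
    left, right = block >> 32, block & MASK32
    if decrypt:
        left, right = right, left
    order = reversed(range(rounds)) if decrypt else range(rounds)
    for r in order:
        f = hmac.new(key, bytes([r]) + right.to_bytes(4, "big"), hashlib.sha256).digest()
        left, right = right, left ^ int.from_bytes(f[:4], "big")
    if decrypt:
        left, right = right, left
    return (left << 32) | right


def _check_char(body: str) -> str:
    # Simple weighted check character over the 15 data characters (constructed format).
    return ALPHABET[sum((i + 1) * ALPHABET.index(c) for i, c in enumerate(body)) % 32]


def encode_hepi(binary: int, key_id: int) -> str:
    """Encode + Checksum: 10-bit KeyID and 64-bit ciphertext -> 15 characters plus one
    check character, grouped 4-4-4-4 (assumed format, loosely mirroring the slide's example)."""
    if not 0 <= key_id < 1024:
        raise ValueError("KeyID must fit in 10 bits")
    value = (key_id << 64) | (binary & MASK64)
    body = "".join(ALPHABET[(value >> (5 * i)) & 31] for i in reversed(range(15)))
    raw = body + _check_char(body)
    return "-".join(raw[i:i + 4] for i in range(0, 16, 4))


def verify_checksum(hepi: str) -> bool:
    """Manual/automatic processability: a typo in a HEPI is caught before any lookup."""
    raw = hepi.replace("-", "")
    if len(raw) != 16 or any(c not in ALPHABET for c in raw):
        return False
    return raw[15] == _check_char(raw[:15])


def inss_to_hepi(inss: str) -> str:
    """INSS -> Packed -> E1 (fixed key) -> E2 (Ki chosen by INSS) -> binary HEPI -> HEPI."""
    stage1 = feistel64(pack_inss(inss), UNIVERSAL_KEY)
    kid = select_key_id(inss)
    return encode_hepi(feistel64(stage1, KEY_DATABASE[kid]), kid)


def hepi_to_inss(hepi: str) -> str:
    """The reverse direction, open to anyone holding both keys: this is the
    'mathematically reversible' property the summary table counts against scheme I."""
    if not verify_checksum(hepi):
        raise ValueError("HEPI check character mismatch")
    value = 0
    for c in hepi.replace("-", "")[:15]:
        value = (value << 5) | ALPHABET.index(c)
    kid, binary = value >> 64, value & MASK64
    stage1 = feistel64(binary, KEY_DATABASE[kid], decrypt=True)
    return f"{feistel64(stage1, UNIVERSAL_KEY, decrypt=True):011d}"


if __name__ == "__main__":
    sample = "85010112345"  # constructed INSS
    hepi = inss_to_hepi(sample)
    print(sample, "->", hepi, "->", hepi_to_inss(hepi))
```

Running the block turns a constructed INSS into a HEPI and back again. The round trip is exactly the trade-off this slide sets up: because the cipher is a permutation, no two INSS values can share a HEPI, but the same property means any party holding the universal secret and the key database recovers the INSS, so the "only authorized parties" constraint from slide 10 rests entirely on key custody rather than on the mathematics.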

Page 13

Candidate Solution based on HASH/MAC

Very similar to assigning random HEPIs

[Flowchart: a request “Request HEPI (INSS)” arrives at the conversion service, which holds three stores: DB {INSS, KeyID} entries (INSS-KeyID DB), DB {HEPI} entries (HEPI DB), and an HSM with {Key, KeyID} entries and processing.
– INSS entry exists? YES: take the stored (INSS, KeyID), calculate HEPI = f(INSS, KeyID) and return the HEPI.
– INSS entry exists? NO: select a random KeyID, calculate the HEPI with the one-way function f(INSS, KeyID) in the HSM, and ask “Does the HEPI exist?” against the HEPI DB.
  – YES (collision): select another random KeyID and try again.
  – NO: initiate database updates (INSS-KeyID DB and HEPI DB) and return the HEPI.]
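The flowchart on this slide as an added Python example; it is not the project's code. The slide names only "one-way function f", so f(INSS, KeyID) is taken here as HMAC-SHA256 under the key behind KeyID, truncated to a configurable width (an assumption, in line with the "relies on HMAC security" entry of the summary table). The three stores are in-memory dicts and sets, the key pool is constructed, and the tiny hepi_bits setting used in the demo exists only to force collisions so the retry path is exercised.

```python
"""Added example of the HASH/MAC HEPI candidate (not the project's code).
HMAC as f, the in-memory stores and the constructed key pool are assumptions."""
import hashlib
import hmac
import random


class HepiConversionService:
    """Central conversion service holding the three stores from the flowchart:
    HSM {Key, KeyID}, DB {INSS, KeyID} and DB {HEPI}."""

    def __init__(self, hsm_keys, hepi_bits=48, rng=None):
        if not 1 <= hepi_bits <= 256:
            raise ValueError("hepi_bits must be between 1 and 256")
        self.hsm_keys = dict(hsm_keys)   # KeyID -> Key; lives inside an HSM in the slide
        self.inss_keyid_db = {}          # INSS -> KeyID (INSS-KeyID DB)
        self.hepi_db = set()             # every HEPI handed out so far (HEPI DB)
        self.hepi_bits = hepi_bits
        self.rng = rng if rng is not None else random.SystemRandom()
        self.collisions = 0              # how often a candidate HEPI was already taken

    def one_way(self, inss, keyid):
        """f(INSS, KeyID): HMAC-SHA256 under Key[KeyID], truncated to hepi_bits.
        Without the HSM key the HEPI reveals nothing about the INSS; with the key the
        best an insider can do is try every INSS, the 'reverse with effort' of the table."""
        mac = hmac.new(self.hsm_keys[keyid], inss.encode(), hashlib.sha256).digest()
        value = int.from_bytes(mac, "big") >> (256 - self.hepi_bits)
        return f"{value:0{(self.hepi_bits + 3) // 4}X}"

    def request_hepi(self, inss):
        if not (len(inss) == 11 and inss.isdigit()):
            raise ValueError("INSS must be 11 digits")
        # "INSS entry exists? YES": recompute with the stored KeyID, no DB write needed.
        if inss in self.inss_keyid_db:
            return self.one_way(inss, self.inss_keyid_db[inss])
        # "NO": pick random KeyIDs (without repeating one) until the HEPI is unused.
        candidates = list(self.hsm_keys)
        self.rng.shuffle(candidates)
        for keyid in candidates:
            hepi = self.one_way(inss, keyid)
            if hepi in self.hepi_db:         # "Does the HEPI exist? YES (collision)"
                self.collisions += 1
                continue
            # "NO": initiate database updates, then hand the HEPI out.
            self.inss_keyid_db[inss] = keyid
            self.hepi_db.add(hepi)
            return hepi
        # Every key in the pool collided: the operator must add keys ("keys are added
        # when needed") rather than silently reuse a HEPI.
        raise RuntimeError("no collision-free HEPI for this INSS; extend the HSM key pool")


def build_demo_service(hepi_bits=48, pool_size=64, seed=1):
    """Constructed, reproducible setup for the demo. A real deployment generates the
    keys inside the HSM and draws KeyIDs from its own RNG, not from random.Random."""
    rng = random.Random(seed)
    pool = {kid: rng.getrandbits(256).to_bytes(32, "big") for kid in range(1, pool_size + 1)}
    return HepiConversionService(pool, hepi_bits=hepi_bits, rng=random.Random(seed + 1))


if __name__ == "__main__":
    # A 4-bit HEPI space (16 values) makes collisions visible within a handful of requests.
    svc = build_demo_service(hepi_bits=4)
    for inss in ("85010112345", "85010112346", "85010112347", "85010112348"):  # constructed
        print(inss, "->", svc.request_hepi(inss))
    print("collisions handled:", svc.collisions, "| stored HEPIs:", len(svc.hepi_db))
```

The uniqueness guarantee comes entirely from the HEPI DB check, not from f: that central store, and the INSS-to-KeyID table needed to reproduce a HEPI later, are the "centralized database" the previous slide says a one-way scheme needs before it is collision free, and they are also why the summary table scores this scheme as storing INSS and HEPI lists.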

Page 14

Summary

I. Symmetric Cipher
– Crypto-attack: relies on cipher security (2nd round weakness)
– Knowledgeable attacker: can reverse HEPI effortlessly
– Mathematically reversible: YES
– HEPI length: − (64 bit + keyID)
– HEPI length example: 15+1, 2222-ABCD-EFGH-345C
– Storage of INSS and/or HEPI lists: NO
– Can handle fundamental changes to INSS format: YES

II. Symmetric Cipher with improved Keying
– Crypto-attack: relies on cipher security (improved 2nd round)
– Knowledgeable attacker: can reverse HEPI effortlessly
– Mathematically reversible: YES
– HEPI length: − (64 bit + keyID)
– HEPI length example: 15+1, 3333-ABCD-EFGH-345Y
– Storage of INSS and/or HEPI lists: NO
– Can handle fundamental changes to INSS format: YES

III. Simple Translation Table (encrypted HEPIs)
– Crypto-attack: random numbers (maximum protection)
– Knowledgeable attacker: can reverse HEPI effortlessly
– Mathematically reversible: NO
– HEPI length: ++ (> INSS space)
– HEPI length example: 9+1 / 10+1, ABC-DEF-234-E / ABCDE-23456-S
– Storage of INSS and/or HEPI lists: YES
– Can handle fundamental changes to INSS format: YES

IV. Translation Table with one-way function
– Crypto-attack: relies on HMAC security (high)
– Knowledgeable attacker: can reverse with effort
– Mathematically reversible: NO
– HEPI length: + (>> INSS space)
– HEPI length example: 12+1, ABCD-EFGH-2345-Q
– Storage of INSS and/or HEPI lists: YES
– Can handle fundamental changes to INSS format: YES

V. Hybrid Scheme of Figure 8
– Crypto-attack: mixture of ‘I’ (2nd round weakness) and ‘IV’ (improved 1st round)
– Knowledgeable attacker: can reverse virtually effortlessly
– Mathematically reversible: Partially
– HEPI length: − (64 bit + keyID)
– HEPI length example: 15+1, 4444-ABCD-EFGH-345R
– Storage of INSS and/or HEPI lists: NO
– Can handle fundamental changes to INSS format: Limited

Page 15

Summary

– HEPI-GO scope: transformation of INSS into HEPI
  – Scope interpreted more broadly
– HEPI not suitable for protecting privacy
– Operational
  – Single HEPI for the care domain
  – Centralised management
– Conversion algorithm
  – No fully satisfying solution has been found
  – …

Page 16

Summary

– Conversion algorithm (continued)
  – The proposed algorithm meets the HEPI-GO requirements quite well
  – But offers virtually no benefits over the obvious solution based on a translation table and randomly generated HEPIs
  – Can be used for generating “secondary” HEPIs towards other domains