Upload
xuan
View
67
Download
4
Tags:
Embed Size (px)
DESCRIPTION
CEN ISSS eEHIC CWA. Pantelis Angelidis – on behalf of the CEN/ISSS/WS & PT. Background. Project:"Electronic European Health Insurance Card “ Documents : PHASE A:Review and validation of the available or required standards for the eEHIC (approved 12-02-2008) - PowerPoint PPT Presentation
Citation preview
Med-e-Tel, April 2nd, 2009
CEN ISSS eEHIC CWA
Pantelis Angelidis – on behalf of the CEN/ISSS/WS & PT
Med-e-Tel, April 2nd, 2009
BackgroundProject:"Electronic European Health Insurance
Card “
Documents :PHASE A: Review and validation of the available or required standards for the eEHIC (approved 12-02-2008)PHASE B: CWA (approved 10-03-2009)
White Paper
Med-e-Tel, April 2nd, 2009 3
eEHIC background and context
• The main features of an electronic EHIC are :– It will carry the same dataset in electronic form that is
defined by the data printed on the outside of the EHIC,
– it will be electronically read in the premises of the Health Care Providers equipped with appropriate technology
– its validity as well as the entitlement of the card holder could, under certain conditions and depending on the Member States, be verified on-line.
Med-e-Tel, April 2nd, 2009
Phase A decisions CWA guiding principles (1/2)
• The basis of the work will be the well-known smart card standards (already used as credit/debit cards, phone cards etc., ISO7816 series)
• The definitions of the health information related standards are used because they already closely reflect the EHIC dataset (e.g. ISO 21549)
• The use of the Unicode character set where possible. This would practically mean support for all official EU languages and character sets.
Med-e-Tel, April 2nd, 2009
Phase A decisions CWA guiding principles (2/2)
• In order to facilitate read-out from “new” smart cards as well as from already existing smart cards not yet supporting the standardised storage format, the CWA uses the “metadata approach”. This means that applications use metadata (machine readable card capability descriptions) when accessing an eEHIC. The interoperability framework is provided in this case by the ISO/IEC 24727 series.
• The CWA provides a mechanism to protect the electronic exchange of the data.
Med-e-Tel, April 2nd, 2009
eEHIC on-line through EESSIHome Member State
EESSI
Network
Host Member State
eEHIC
Social Security
Institution
Health Care Professional
National (Social Security) Network
National (Social Security) Network
Social Security
Institution
Med-e-Tel, April 2nd, 2009 9
ISO 24727 : Definition of a card services
Application 1
Client-ApplicationA
CD
Service Access LayerThe client-application has a preset view on the card-application : only card services exposed by the ACD are visible.
Discovery data
Med-e-Tel, April 2nd, 2009
eEHIC - Model basics
eEHIC from EU Country « B »
IFD
HCP
Application layer
EESSI
National Repository
Member State’s Front End
Token(s)
Reader(s)
HCP workstation :ISO 24727-based
application layer & interface device layer
National network
EESSI (EU Network)
EESSI infrastructure
(EU Network)
eEHIC Service front-end
EU Country « A »
EU Country « B »
Med-e-Tel, April 2nd, 2009 12
Schematic view of middleware layout for eEHIC
2 SOAP channel conveying Response/Request through the IFD-API
Network
SAL-implementation
WSDL unmarshalling (SOAP Client)
IFD Agent
HCP application web service application
Smartcard Resource Manager
Reader
IFD-API
End-to-end authentication
SAL-API
GCAL
IFD Proxy
WSDL marshalling (SOAP Server)
Member State’s Auth. Proxy in Country « B » (MS’s Access Point)
Client-Application
IFD-API
MS’s DB
ISO 24727-compliant discovery mechanism
eEHIC
HCP Worstation in Country « A »
1 GCI
SOAP
Med-e-Tel, April 2nd, 2009 13
eEHIC cards Types
• ISO/IEC 24727 compliant eEHIC cards : – A completely new implementation, referred to as Type “1”.– A Card pointing to an XML-based Card-Info-File where the
EHIC data are stored (outside of the card), referred to as Type “2”.
– An existing Card which adds the eEHIC service to its list, referred to as Type “3”.
• NON-ISO/IEC 24727 cards : Existing (legacy) card that does not support ISO/IEC 24727 and that stores the required data in a remote repository, referred to as Type “4”.
Med-e-Tel, April 2nd, 2009 17
eEHIC personalization : main steps
eEHICHCP DID
eEHICADMIN DID
CardApplication Service
ACL_LIST CA_LIST CA_SERVICE_LIST CA_SERVICE_DESCRIBE EXECUTE_ACTION
eEHIC card-application
Label = « eEHIC »
Connection Service
ACL_LIST CA_CONNECT CA_DISCONNECT CA_START_SESSION CA_END_SESSION
Label = « eEHIC »
<Control actions upon>
<control actions upon>
<control actions upon>
new card ?
eEHIC Data
?
Legacy card ?
?
?
?
?
..300C0405…
.
Med-e-Tel, April 2nd, 2009 18
Reminder : « Discovery information » managementSAL-API
ASN.1 definition acc. ISO 24727 Part 2
DER-TLV encoding
personalization
AC
D
Service Access Layer(SAL)
application
AC
D
DataSet,DSI
DID
AC
D
ACL
Shareable e-Service
ISO/IEC 7816-4
DataSet,DSI
DID
ACL
ISO 24727 containerISO/IEC 7816-15
Med-e-Tel, April 2nd, 2009
Communication flow description in CWA clauses
eEHIC
ISO 24727 compliant
Client application
MS Authentication Proxy
MS’s DB
HCP Application
SAL
GCAL
Network
ISO 24727-3 Application interface
ISO 24727-2 Generic card interface
ACDCCDCIA
CardInfo
eCard
Legacy
§ 5 Card discovery,
dataset read
§ 7Optional
Card authentication
§ 6 functional messages
SO
AP
W
ebse
rvic
esIS
O 2
4727
1 2 3
Generic Request/Response
Action Request/Response
Specific Request/Response
Generic APDU
Specific APDU
Med-e-Tel, April 2nd, 2009
Loop
End to end communication sequence : card type “1”, “2”, “3” ISO 24727 compliant
Card App HCP Application MS Authentication Proxy
eEHIC
Card device
ReadCardType
(1,2,3)
(APDUCommand)Execute (APDUCommand)
(APDUResponse)(APDUResponse)
FunctionalResponse
ReadDataSet
(eEHICDataSet)
CardDiscovery (eEHICADMIN)
(EntitlementSecurityLevel)
FunctionalDialog (eEHICDataSet, SecurityLevel)
ReadSecurityLevel
(SecurityLevel)
Med-e-Tel, April 2nd, 2009
Optional security functionality for future use
• No authentication functionality is mandated– Neither on server side (Competent institution)– Nor on client side (HCP)
• eEHIC-Server-communication can be used without any card-based security features– Issuers are not mandated to add any part of it– Service implementors are not mandated to support these features
• Authentication functionality can be used– If/when security will be needed e.g. for privacy reasons– Service related policy decisions possible
Med-e-Tel, April 2nd, 2009
Matrix of mandatory components of an eEHIC system, depending from the scenario to be
deployed
Med-e-Tel, April 2nd, 2009
A new CWA
So What?•Common EU interoperability Framework•CWA describes a profile that can “easily’ be turned into a Technical Specification
More Info?•The CWA will be published in May•A White Paper will be published in April•[email protected]
What next?
•Political decisions•EU Pilot•eEHIC as an ECC profile•MS deployment
Med-e-Tel, April 2nd, 2009
Thank you for your attention