CEN ISSS eEHIC CWA

Med-e-Tel, April 2nd, 2009

CEN ISSS eEHIC CWA

Pantelis Angelidis – on behalf of the CEN/ISSS/WS & PT


BackgroundProject:"Electronic European Health Insurance

Card “

Documents :PHASE A: Review and validation of the available or required standards for the eEHIC (approved 12-02-2008)PHASE B: CWA (approved 10-03-2009)

White Paper

Med-e-Tel, April 2nd, 2009 3

eEHIC background and context

• The main features of an electronic EHIC are :– It will carry the same dataset in electronic form that is

defined by the data printed on the outside of the EHIC,

– it will be electronically read in the premises of the Health Care Providers equipped with appropriate technology

– its validity as well as the entitlement of the card holder could, under certain conditions and depending on the Member States, be verified on-line.


Phase A decisions CWA guiding principles (1/2)

• The basis of the work will be the well-known smart card standards (already used as credit/debit cards, phone cards etc., ISO7816 series)

• The definitions of the health information related standards are used because they already closely reflect the EHIC dataset (e.g. ISO 21549)

• The use of the Unicode character set where possible. This would practically mean support for all official EU languages and character sets.


Phase A decisions CWA guiding principles (2/2)

• In order to facilitate read-out from “new” smart cards as well as from already existing smart cards not yet supporting the standardised storage format, the CWA uses the “metadata approach”. This means that applications use metadata (machine readable card capability descriptions) when accessing an eEHIC. The interoperability framework is provided in this case by the ISO/IEC 24727 series.

• The CWA provides a mechanism to protect the electronic exchange of the data.


eEHIC on-line through EESSIHome Member State

EESSI

Network

Host Member State

eEHIC

Social Security

Institution

Health Care Professional

National (Social Security) Network

National (Social Security) Network

Social Security

Institution


ISO 24727 : Definition of a card services

Application 1

Client-ApplicationA

CD

Service Access LayerThe client-application has a preset view on the card-application : only card services exposed by the ACD are visible.

Discovery data


eEHIC - Model basics

eEHIC from EU Country « B »

IFD

HCP

Application layer

EESSI

National Repository

Member State’s Front End

Token(s)

Reader(s)

HCP workstation :ISO 24727-based

application layer & interface device layer

National network

EESSI (EU Network)

EESSI infrastructure

(EU Network)

eEHIC Service front-end

EU Country « A »

EU Country « B »


Schematic view of middleware layout for eEHIC

2 SOAP channel conveying Response/Request through the IFD-API

Network

SAL-implementation

WSDL unmarshalling (SOAP Client)

IFD Agent

HCP application web service application

Smartcard Resource Manager

Reader

IFD-API

End-to-end authentication

SAL-API

GCAL

IFD Proxy

WSDL marshalling (SOAP Server)

Member State’s Auth. Proxy in Country « B » (MS’s Access Point)

Client-Application

IFD-API

MS’s DB

ISO 24727-compliant discovery mechanism

eEHIC

HCP Worstation in Country « A »

1 GCI

SOAP


eEHIC cards Types

• ISO/IEC 24727 compliant eEHIC cards : – A completely new implementation, referred to as Type “1”.– A Card pointing to an XML-based Card-Info-File where the

EHIC data are stored (outside of the card), referred to as Type “2”.

– An existing Card which adds the eEHIC service to its list, referred to as Type “3”.

• NON-ISO/IEC 24727 cards : Existing (legacy) card that does not support ISO/IEC 24727 and that stores the required data in a remote repository, referred to as Type “4”.


eEHIC personalization : main steps

eEHICHCP DID

eEHICADMIN DID

CardApplication Service

ACL_LIST CA_LIST CA_SERVICE_LIST CA_SERVICE_DESCRIBE EXECUTE_ACTION

eEHIC card-application

Label = « eEHIC »

Connection Service

ACL_LIST CA_CONNECT CA_DISCONNECT CA_START_SESSION CA_END_SESSION

Label = « eEHIC »

<Control actions upon>

<control actions upon>

<control actions upon>

new card ?

eEHIC Data

?

Legacy card ?

?

?

?

?

..300C0405…

.


Reminder : « Discovery information » managementSAL-API

ASN.1 definition acc. ISO 24727 Part 2

DER-TLV encoding

personalization

AC

D

Service Access Layer(SAL)

application

AC

D

DataSet,DSI

DID

AC

D

ACL

Shareable e-Service

ISO/IEC 7816-4

DataSet,DSI

DID

ACL

ISO 24727 containerISO/IEC 7816-15


Communication flow description in CWA clauses

eEHIC

ISO 24727 compliant

Client application

MS Authentication Proxy

MS’s DB

HCP Application

SAL

GCAL

Network

ISO 24727-3 Application interface

ISO 24727-2 Generic card interface

ACDCCDCIA

CardInfo

eCard

Legacy

§ 5 Card discovery,

dataset read

§ 7Optional

Card authentication

§ 6 functional messages

SO

AP

W

ebse

rvic

esIS

O 2

4727

1 2 3

Generic Request/Response

Action Request/Response

Specific Request/Response

Generic APDU

Specific APDU


Loop

End to end communication sequence : card type “1”, “2”, “3” ISO 24727 compliant

Card App HCP Application MS Authentication Proxy

eEHIC

Card device

ReadCardType

(1,2,3)

(APDUCommand)Execute (APDUCommand)

(APDUResponse)(APDUResponse)

FunctionalResponse

ReadDataSet

(eEHICDataSet)

CardDiscovery (eEHICADMIN)

(EntitlementSecurityLevel)

FunctionalDialog (eEHICDataSet, SecurityLevel)

ReadSecurityLevel

(SecurityLevel)


Optional security functionality for future use

• No authentication functionality is mandated– Neither on server side (Competent institution)– Nor on client side (HCP)

• eEHIC-Server-communication can be used without any card-based security features– Issuers are not mandated to add any part of it– Service implementors are not mandated to support these features

• Authentication functionality can be used– If/when security will be needed e.g. for privacy reasons– Service related policy decisions possible


Matrix of mandatory components of an eEHIC system, depending from the scenario to be

deployed


A new CWA

So What?•Common EU interoperability Framework•CWA describes a profile that can “easily’ be turned into a Technical Specification

More Info?•The CWA will be published in May•A White Paper will be published in April•[email protected]

What next?

•Political decisions•EU Pilot•eEHIC as an ECC profile•MS deployment


Thank you for your attention