The Personal Health Number (Numéro Personnel d'Identification Santé)
Prof. Dr. G. De Moor, 25/09/2006
Telematica Commissie
The HEPI-GO project: "a Proof of Concept Project"
1 Dec. 2005 - 1 Jul. 2006
– HEPI: Health Electronic Personal Identifier (solution within the existing legal framework)
– Transformation function INSS to HEPI
Often confused topics
Health Professional "Identification"
– Context: authorization (broad sense) in healthcare
– Security tool
– "Identify" a person as HCP (actually authenticate a person in an HCP role) in order to "authorize" him to perform an action
– Technical: credentials linked to persons
Patient Identifiers
– Context: data management (continuity of care)
– NOT a security tool (authentication or authorization)
– Technical: uniform reference to the object (i.e. the patient) of medical data (a number referring to a person)
Need and Context
Europe
– Interoperability (cf. eHealth Action Plan CEC/EU)
– "Cradle to grave" patient identification number seen as an enabler for eHealth efficiency and patient safety
– Priority in many countries
– Most countries use the National Number
Situation in Belgium
– No unified approach to patient identification (Patient ID locally defined)
Identifiers in Belgium
– National Number (RRN/NRN)
– Identification Number for Social Security (INSZ/NISS) ("extension" of the NN)
NN or INSS as HEPI: not recommended (legally):
– Legal framework
– Advice CBPL
– Advice Council of Europe
– Other (INSZ is not meaningless)
HEPI-GO: INSS-based HEPI
Broader view on HEPI-GO
2 (strongly related) topics within HEPI-GO
– The patient identifier: primary HEPI creation
  – Algorithms
  – ...
– Operational aspects
  – Generation / Distribution
  – Management
  – ...
Operational Aspects
Patient Identifier
– From cradle to grave
– Should not complicate existing procedures (HEPI = efficiency)
– Existing carriers of identifiers
  – SIS (Social Security Card)
  – eID (by 2009)
HEPI Choices
– One identifier within the care domain
– Distribution:
  – Central HEPI Conversion Service (fits the BeHealth vision)
    – Can provide the trust required because of algorithmic constraints
    – Allows (limited) control of HEPI generation
  – Care providers can store the HEPI as administrative data in their records (only a minimum number of conversions needed)
  – Patient can carry his HEPI around (e.g. on a hospital patient card)
Remember:
– The HEPI is not suited for protecting privacy!
Micro-ID-domains within Care (IDM related)
[Figure: one patient known under a different identifier in each micro-ID-domain of the Care Domain (GP 1: Patient = HEPI A; GP 2: Patient = HEPI B; Hospital: Patient = HEPI C). Information exchange requires ID translation through an Authorised Identifier Mapping Service. Labelled "Not Recommended".]
HEPI: INSS Transformation
Design constraints formulated by stakeholders
– The transformation from INSS to HEPI should be "irreversible"
  – Different interpretations of "irreversible"
– Only authorized parties should be able to perform the transformation
– The "primary HEPI" must be manually and automatically processable
– The INSS transformation should be strictly collision free
HEPI: INSS Transformation
– Not all design requirements can be met at the same time
– Two different approaches, with different tradeoffs, are proposed in the report:
  – A solution based on symmetric encryption (collision-free, but not one-way)
  – A solution based on one-way functions (requiring a centralized database to become collision free)
Candidate Solution based on Symmetric Cipher
[Figure: INSS → Packed(INSS) → E1(.) under key Ki, taken from the Key Database and identified by Ki_ID → E1(Packed(INSS)) → E2(.) under a fixed key (i.e. a universal secret) → binary HEPI → Encode + Checksum → HEPI. Ki_ID accompanies the encrypted value.]
– KeyIDs are random numbers, not mathematically related to the INSS
– Keys are randomly generated (with weak-key check etc.). Keys are added when needed.
– The INSS determines the key to be selected (e.g. periodic: every year a new key)
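As an added illustration (not code from the HEPI-GO report), a Python model of this candidate: a 64-bit Feistel network with HMAC-SHA256 as round function stands in for the block cipher E1 (the fixed-key stage E2 is omitted), the key is chosen from a constructed key database by an assumed rule on the INSS, and the result is encoded with a checksum. Decrypting the HEPI with the key database shows the tradeoff stated above: collision-free (a permutation), but not one-way.

```python
import hashlib
import hmac
import secrets

# Constructed key database: KeyID -> random key. KeyIDs are random numbers
# with no mathematical relation to the INSS (assumed sample values).
KEY_DB = {0x2222: secrets.token_bytes(32), 0x3333: secrets.token_bytes(32)}

def select_key_id(inss: str) -> int:
    # Assumption: the conversion service picks the key by a rule on the INSS
    # (the slide only says "e.g. periodic"); here: parity of the leading digit.
    return 0x2222 if int(inss[0]) % 2 == 0 else 0x3333

def _round(key: bytes, half: int, rnd: int) -> int:
    """HMAC-SHA256 used as a keyed 32-bit pseudo-random round function."""
    msg = bytes([rnd]) + half.to_bytes(4, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")

def feistel64(key: bytes, block: int, decrypt: bool = False) -> int:
    """4-round Feistel permutation of a 64-bit block (stand-in for E1)."""
    left, right = block >> 32, block & 0xFFFFFFFF
    for rnd in (range(3, -1, -1) if decrypt else range(4)):
        left, right = right, left ^ _round(key, right, rnd)
    return (right << 32) | left  # undo the final swap so decrypt mirrors encrypt

def checksum(body: str) -> str:
    """Two hex digits against transcription errors (not a security control)."""
    return hashlib.sha256(body.encode()).hexdigest()[:2].upper()

def inss_to_hepi(inss: str) -> str:
    """Packed(INSS) -> E1 under the selected key -> Encode + Checksum."""
    key_id = select_key_id(inss)
    packed = int(inss)  # 11 decimal digits fit comfortably in 64 bits
    body = f"{key_id:04X}-{feistel64(KEY_DB[key_id], packed):016X}"
    return f"{body}-{checksum(body)}"

def hepi_to_inss(hepi: str) -> str:
    """Whoever holds the key database reverses the HEPI: the scheme is not one-way."""
    key_hex, cipher_hex, check = hepi.split("-")
    body = f"{key_hex}-{cipher_hex}"
    if checksum(body) != check:
        raise ValueError("HEPI checksum mismatch")
    packed = feistel64(KEY_DB[int(key_hex, 16)], int(cipher_hex, 16), decrypt=True)
    return f"{packed:011d}"

if __name__ == "__main__":
    hepi = inss_to_hepi("85012312345")  # constructed sample INSS
    print(hepi, "->", hepi_to_inss(hepi))
```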
Candidate Solution based on HASH/MAC
Very similar to assigning random HEPIs
[Figure: flow for "Request HEPI". Does an INSS entry exist in the INSS-KeyID DB? YES: take the stored (INSS, KeyID) and calculate HEPI = f(INSS, KeyID). NO: select a random KeyID, calculate HEPI = f(INSS, KeyID) with the one-way function f, then ask "Does the HEPI exist?" in the HEPI DB: YES (collision): select another random KeyID; NO: initiate database updates and return the HEPI. Components: DB of {INSS, KeyID} entries, DB of {HEPI} entries, and an HSM holding the {Key, KeyID} entries and doing the processing.]
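As an added illustration (not code from the HEPI-GO report), a Python model of this flow: HMAC-SHA256 plays the one-way function f, three in-memory structures stand in for the INSS-KeyID DB, the HEPI DB and the HSM key store, and the KeyID is redrawn until the HEPI is unique. The HEPI width is a constructor parameter (assumed) so that collisions, and the retry they trigger, can be provoked with a small width; a reversal helper shows that an INSS comes back only by walking the stored table, which is why the scheme needs the central database.

```python
import hashlib
import hmac
import secrets

class HepiService:
    """Model of the HASH/MAC candidate (assumed structure, added example)."""

    def __init__(self, hepi_bits: int = 64):
        self.hsm = {}         # KeyID -> key; stands in for the HSM {Key, KeyID} store
        self.inss_db = {}     # INSS -> KeyID  (DB {INSS, KeyID} entries)
        self.hepi_db = set()  # issued HEPIs   (DB {HEPI} entries)
        self.hepi_bits = hepi_bits
        self.retries = 0      # collisions resolved by drawing a new KeyID

    def _f(self, inss: str, key_id: int) -> str:
        """One-way function f(INSS, KeyID): HMAC-SHA256 truncated to hepi_bits."""
        key = self.hsm.setdefault(key_id, secrets.token_bytes(32))  # keys added when needed
        tag = hmac.new(key, inss.encode(), hashlib.sha256).digest()
        value = int.from_bytes(tag, "big") & ((1 << self.hepi_bits) - 1)
        return f"{value:0{(self.hepi_bits + 3) // 4}X}"

    def request_hepi(self, inss: str) -> str:
        key_id = self.inss_db.get(inss)
        if key_id is not None:             # INSS entry exists: recompute deterministically
            return self._f(inss, key_id)
        while True:                        # no entry: select a random KeyID
            key_id = secrets.randbelow(1 << 16)
            hepi = self._f(inss, key_id)
            if hepi not in self.hepi_db:   # "Does the HEPI exist?"  NO -> accept
                break
            self.retries += 1              # YES (collision): try another KeyID
        self.inss_db[inss] = key_id        # initiate database updates
        self.hepi_db.add(hepi)
        return hepi

    def reverse(self, hepi: str):
        """f alone cannot be inverted; only the stored table returns the INSS."""
        for inss, key_id in self.inss_db.items():
            if self._f(inss, key_id) == hepi:
                return inss
        return None

if __name__ == "__main__":
    svc = HepiService(hepi_bits=8)  # tiny width: collisions become visible
    issued = [svc.request_hepi(f"{i:011d}") for i in range(100)]  # constructed INSS values
    print(len(set(issued)), "unique HEPIs,", svc.retries, "collisions resolved")
```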
Summary: comparison of the five schemes
I. Symmetric Cipher
– Crypto-attack: relies on cipher security (2nd round weakness)
– Knowledgeable attacker: can reverse the HEPI effortlessly
– Mathematically reversible: YES
– HEPI length: - (64 bit + keyID); example: 15+1, 2222-ABCD-EFGH-345C
– Storage of INSS and/or HEPI lists: NO
– Can handle fundamental changes to the INSS format: YES
II. Symmetric Cipher with improved Keying
– Crypto-attack: relies on cipher security (improved 2nd round)
– Knowledgeable attacker: can reverse the HEPI effortlessly
– Mathematically reversible: YES
– HEPI length: - (64 bit + keyID); example: 15+1, 3333-ABCD-EFGH-345Y
– Storage of INSS and/or HEPI lists: NO
– Can handle fundamental changes to the INSS format: YES
III. Simple Translation Table (encrypted HEPIs)
– Crypto-attack: random numbers (maximum protection)
– Knowledgeable attacker: can reverse the HEPI effortlessly
– Mathematically reversible: NO
– HEPI length: ++ (> INSS space); example: 9+1 / 10+1, ABC-DEF-234-E / ABCDE-23456-S
– Storage of INSS and/or HEPI lists: YES
– Can handle fundamental changes to the INSS format: YES
IV. Translation Table with one-way function
– Crypto-attack: relies on HMAC security (high)
– Knowledgeable attacker: can reverse with effort
– Mathematically reversible: NO
– HEPI length: + (>> INSS space); example: 12+1, ABCD-EFGH-2345-Q
– Storage of INSS and/or HEPI lists: YES
– Can handle fundamental changes to the INSS format: YES
V. Hybrid Scheme of Figure 8
– Crypto-attack: mixture of 'I' (2nd round weakness) and 'IV' (improved 1st round)
– Knowledgeable attacker: can reverse virtually effortlessly
– Mathematically reversible: Partially
– HEPI length: - (64 bit + keyID); example: 15+1, 4444-ABCD-EFGH-345R
– Storage of INSS and/or HEPI lists: NO
– Can handle fundamental changes to the INSS format: Limited
Summary
– HEPI-GO scope: transformation of INSS into HEPI
  – Scope interpreted more broadly
– HEPI not suitable for protecting privacy
– Operational
  – Single HEPI for the care domain
  – Centralised management
– Conversion algorithm
  – No fully satisfying solution has been found
  – …
Summary
– Conversion algorithm (continued)
  – The proposed algorithm meets the HEPI-GO requirements quite well
  – But offers virtually no benefits over the obvious solution based on a translation table and randomly generated HEPIs
  – Can be used for generating "secondary" HEPIs towards other domains