The sensitivity of health information creates a particularly high need for security, owing both to the medical professional's duty of professional secrecy and to the need to protect the guarantees of the patients whose information is processed.
Encrypted smart cards have become a core factor in the interaction between the physical world and new technologies, particularly in carrying out formalities on the Internet. Thanks to the security these cards provide, it is possible to deploy a unified service infrastructure, offering added value without forgoing the necessary technical and legal security.
This assertion is particularly true in the e-Health sector, as has been internationally recognised in various instruments. Specifically, the eEurope Action Plan: An Information Society for Everyone started a series of work items on smart cards at the beginning of 2000, under the common name of Smart Card Charter, with special consideration for the health sector and, specifically, identification based on the medical card.
This work has led to a change in orientation regarding the use of the card in the health sector, where it is established as the core element of the e-Health security infrastructures, an aspect pre-eminently recognised in the most recent international studies and particularly in the Report on Strategies in e-Health of the European Standardisation Committee (2004).
With the medical card based on electronic signature and recognised certificates, one can and should aspire to convert the networks for access to and exchange of health information, which are at the moment insecure, into a completely secure cross-border element of the e-Health pan-European service infrastructure.
The medical card is thus converted into a secure and reliable access document to the health services on the network: an access key that permits new services to be created, such as the electronic prescription, the shared clinical record, the exchange of medical images or the remote and secure warehousing of medical information, with full respect for patients' rights.
For this, however, the use of a recognised electronic signature must be required: one based on a certificate that attests the registered doctor's status and produced by means of a medical card that qualifies as a secure signature-creation device.
The medical card cannot and should not be implemented by just any entity: because the card represents registered-member status, it must guarantee, in the physical world as well as on the Internet, that its holder is and continues to be a doctor. The card should leave absolutely no doubt about the function of ethical control and service to the profession.
Some examples of fraudulent practice in environments without a registered doctor's card could be:
- False claims to be a doctor, because no doctor's authentication or electronic signature is used.
- Deceiving the certification entity, for example with a fake card.
- Fraud in access to health information provided by associations and third parties, including public administrations.
- Deceiving the patient about the current status of a registered doctor.
- Inability to stop the activity or access of a reprimanded or suspended doctor.
Finally, the registered doctor's card is established as the key element for the qualification of the registered doctor on the Internet, allowing the doctor access to the services provided by the OMC as well as by third parties, including Internet service providers, public administrations and public and private certification entities.
In consideration of all this, the OMC, as the self-regulating legal entity of the medical profession, is establishing a certification system with the following aims:
- To regulate the issue and management of the registered doctor's card, which has the status of a secure device for creating electronic signatures.
- The issue and management, by one or more certification service providers, of recognised electronic-signature certificates for registered doctors and other registered personnel, as well as other certification services which will be provided on the medical card.
- The accreditation, by the OMC, of the different certification service providers that supply certificates to the registered professionals, in order to guarantee the quality and security in the issue and management of these certificates.
- The provision of validation and re-certification services to public and private entities, regarding the certificates, in order to guarantee that the corporate information, whether or not included in the certificates, and particularly the doctor's status, is up to date and valid.
The mechanisms for the issue of corporate certificates by one or more certification service providers and those for verifying the doctor's professional status are both necessary and compatible with each other. Although the certificates evidence the personal identity data and status of the registered doctor, as in the case of the service provided by the Certification Entity of the OMC, that status, along with other information relating to the registered member, must be re-certified in each transaction, as a corporate guarantee common to all public and private health applications.
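The per-transaction re-certification described above, sketched from the relying party's side, is shown below as an added example that is not part of the original text or of the OMC system. The field names, the status values, the 60-second freshness window and the use of an HMAC in place of the status service's real signature are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed demo key; HMAC stands in for the status service's real signature.
STATUS_KEY = b"demo-status-service-key"
MAX_AGE = 60  # seconds a status assertion stays fresh (assumed policy)

@dataclass(frozen=True)
class Certificate:        # only the fields this check needs (hypothetical)
    serial: str
    not_before: int
    not_after: int

@dataclass(frozen=True)
class StatusAssertion:    # hypothetical reply from the re-certification service
    serial: str
    status: str           # "active" or "suspended" (assumed values)
    nonce: str            # ties the reply to a single transaction
    issued_at: int
    tag: bytes

def _mac(serial, status, nonce, issued_at):
    # JSON list encoding keeps field boundaries unambiguous.
    msg = json.dumps([serial, status, nonce, issued_at]).encode()
    return hmac.new(STATUS_KEY, msg, hashlib.sha256).digest()

def issue_status(serial, status, nonce, now):
    """Status-service side: assert the doctor's current status for one nonce."""
    return StatusAssertion(serial, status, nonce, now,
                           _mac(serial, status, nonce, now))

def authorize(cert, assertion, nonce, now):
    """Relying-party side: return (allowed, reason) for one transaction."""
    if not cert.not_before <= now <= cert.not_after:
        return False, "certificate outside validity period"
    expected = _mac(assertion.serial, assertion.status,
                    assertion.nonce, assertion.issued_at)
    if not hmac.compare_digest(expected, assertion.tag):
        return False, "status assertion not authentic"
    if assertion.serial != cert.serial:
        return False, "status assertion is for another certificate"
    if assertion.nonce != nonce:
        return False, "status assertion replayed from another transaction"
    if not 0 <= now - assertion.issued_at <= MAX_AGE:
        return False, "status assertion stale"
    if assertion.status != "active":
        return False, "doctor not in active status"
    return True, "ok"
```

A certificate that is still inside its validity period is refused here as soon as the status service reports a suspension, which is the case a certificate check alone cannot catch.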