In the table below, we provide an overview of the method of authentication used in the identified eHealth application for each country (using the classification above), and explain whether and how authorisation management is addressed.
Country | Authentication method(s) | Generic mandate and authorisation models
Austria | Hard crypto token | The health insurance card is a closed PKI system which can be activated to operate as a citizen card. Public health officers and health authorities authenticate via a national portal group to the system using their citizen card. The portal group provides the nation-wide authorisation information transfer. The citizens are identified using the sector-specific identifiers based on the Residents Register CRR and the Supplementary Register to ensure high data quality. This system provides the national basis for The European Surveillance System (TESSY: European Centre for Diseases Prevention and Control).
Belgium | Hard crypto token and password list | For specific sectors (like eHealth), Belgium uses a system of sector specific service integrators which link specific mandates/authorizations to generic identification/authentication systems like the eID card. In the eHealth sector, the service integrator is the recently established eHealth platform. Users can use their eID card or federal token to authenticate/sign, and the service integrator will determine their mandate/authorization on the basis of authentic databases that it manages through a network of intermediaries (like e.g. hospitals).
Bulgaria | N.A. | N.A.
Croatia | Hard crypto token | The CIHI and FINA smart cards play an important (but not exclusive) role in eHealth applications. Authorisations/mandate management are largely handled on an ad hoc basis.
Cyprus | No details provided | No details provided
Czech Republic | Password or PIN token or alternatively Soft crypto token | The identification number is usually the personal identity number, access code is generated by the information system and provided to the owner personally, like a credit card PIN code; password is chosen by a user after the first log in into the system. The alternative is to use an authentication (non-qualified) certificate. Currently there are supported certificates issued by any of the three Czech accredited certification service providers or by Thawte, Int. The users have to log in to the system using id number/code/password combination and register their certificate. After the certificate is activated [51] by a system, a user can use it to access the system.
Denmark | Soft crypto token | Legal qualification/capacity in eHealth works by linking the personal registration number in the OCES certificate to the national health professional authorization register. If a person is listed in this register, the register's authorization code states the type of health professional that he/she is. The signature/certificate itself does not include such information.
Estonia | Hard crypto token | Authorisation details can be derived from specific registers, with support implemented on a case by case basis. Identification is done on the basis of the generic solutions (eID card, and in most cases the bank card as well).
Finland | Hard crypto token | Applications rely on the use of the FINEID card for citizens and organisations, and the VALVIRA card for healthcare professionals. Healthcare professional certificates are issued to healthcare professionals defined in the law 559/1994, and also to students completing studies to become physician, dentist and pharmacist. According to the law 159/2007 VALVIRA certificates are also issued to all personnel working in and for healthcare service units, to other healthcare service providers and to healthcare applications and equipment. VALVIRA certificates are to be used for accessing patient data systems, signing of electronic prescriptions and other applications. More information on the VALVIRA CA activity is available in Finnish at: http://www.valtteri.fi
France | Hard crypto token | The VITALE card is delivered to any Social Security beneficiary older than 16 years and defines its rights to be reimbursed. It is based on the RNIAM number (National repertory inter-regimes of Health Insurance beneficiaries) issued on the basis of the national registration number (NIR, numéro d’inscription au repertoire) which functions as an authentic source of civil status information.
Germany | Hard crypto token | The application (and future eHealth applications as well) build on the eGK (elektronische Gesundheitskarte) and the new HBA (Heilberufsausweis, Health Professional Card). The eIDM systems behind this are mainly based on the membership data held by the health insurance companies that are issuing the eGK and the organizations issuing HBA. The HBA will basically be a signature card for QES comprising authentication and encryption capabilities. It will also hold attribute certificates indicating the role of the card holder (e.g. “Arzt” (doctor) or “Apotheker” (pharmacist)). Such attribute certificates are issued on the basis of existing professional admissions and are controlled along with these. Management of attributes under the responsibility of third parties is regulated in the Signature Act.
Greece | N.A. | N.A.
Hungary | No details provided (Planned: Hard crypto token) | The National Health care Fund is planning to issue an eHealth card replacing the recent paper card. The chip card will contain a signature and an authentication certificate. The planned start of issuance is the end of 2009.
Ireland | Password or PIN token | No generic model is in place yet; solutions are largely ad hoc.
Iceland | N.A. | N.A.
Italy | Hard crypto token | Services are built around the Regional Service Card (basically a local implementation of the NSC concept). The necessary databases containing the main attributes and mandates of health care professionals are put in place through the SISS project (Sistema Informativo Socio-Sanitario). The SISS system is an ICT platform that links online general practitioners, children's doctors and all other health structures. The aim is to have a unique system that collects, stores and makes available all health information about the citizens to the authorised health operators (i.e. it is an instrument of integration of existing and dispersed data). Access to the system happens through two cards: the operators’ card (SISS card) and the NSC. The SISS card allows the authorised operators to enter in the system and have access to the health data of the citizens.
Latvia | N.A. | N.A.
Lithuania | N.A. | N.A.
Luxembourg | N.A. | N.A.
The Netherlands | Hard crypto token | Dutch healthcare providers are issued with an electronic identity, in the form of a UZI-card (UZI stands for Unique Healthcare Provider Identification, Unieke Zorgverlener Identificatie). This is done by the Dutch Unique Healthcare Provider Identification Register (UZI-register), an organisation under responsibility of the Health Secretary. The UZI-card has three main functionalities: it allows healthcare providers to identify and authenticate themselves, it guarantees the confidentiality of their communication and, most importantly in the current context, the UZI-card enables healthcare providers to enter an electronic signature. The UZI-card and its services are based upon the so called ‘trust model’, a model based upon the hierarchy of PKI-Overheid, the national government PKI.
Norway | Password list | The described application is built on the generic MinSide infrastructure, and in this case allows the use of MyID (minID) authentication, i.e. using a password list. The approach aims to leverage the general infrastructure created by the MinSide-portal, through collaboration with relevant service providers within the government. For the eHealth application described above, authorization is handled by the Norwegian Directorate of Health (Helsedirektoratet). The Directorate has in this case a register of parents and their children, that they may represent in the solution. This is based on the reference within the MyID entity authentication solution to the national identity number, which is used to identify the person.
Malta | Password or PIN token | The authentication mechanism used is currently eID Level 1 (username/passwords + PIN).
Poland | N.A. | N.A.
Portugal | N.A. | N.A.
Romania | N.A. | The Unique Integrated Information System of Social Health Insurances (Sistemul Informatic Unic Integrat al Sistemului de Asigurari sociale de sanatate) (“UIIS”), which was launched in 2008, plays an important role in the creation and management of the National Health Database from a technical and organisational perspective. UIIS has a hardware and basic software endowment component. The health data is collected by the physicians for each patient and includes the medical check-up card, prescriptions, medical leave, and will be transmitted at the end of each month to the Local House of Health Insurance. The exchange of health-related data at the national level is to be made by using the UIIS. Once the National Health Insurance Cards will be issued, all the information provided by such electronic card will form the first national database which will include health information on every citizen.
Slovakia | Soft/hard crypto token | Authentication in e-health portal relies on qualified (software or hardware) certificates issued in accordance with Slovene legislation. For on-line access to health and health insurance data the new health insurance card with non-qualified certificate (hard token) will be used.
Slovenia | N.A. | N.A.
Spain | Hard crypto token | All citizens are part of the national Health System and have their e-Health Card; it was foreseen that by the end of 2008, the health cards of all Spanish regions would be fully interoperable.
Sweden | Soft and Hard crypto tokens | The eID has to include two keys and two certificates (one for identification and one for the electronic signature). The purpose of the certificate and its private key has to be defined in the certificate field “keyUsage”. The certificates with the personal eID should follow RFC 32802 and give the relying party access to the user’s personal identity number. Soft certificates should not be valid longer than 2 years.
Turkey | N.A. | N.A.
United Kingdom | N.A. | N.A.

50 Published on 2008 by the National Observatory on Telecommunications and Information Society (ONTSI) at
51 The new certificates are activated four times a day. The times are set with regard to the time of
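The Swedish entry above requires two keys and two certificates whose purposes are separated through keyUsage, and limits soft certificates to 2 years. One way a relying party could check such a pair is sketched below as an added example, not part of the original report; it uses the Python `cryptography` package, and the mapping of identification to digitalSignature and of signing to contentCommitment (nonRepudiation), the 731-day cap and all function names are assumptions.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

MAX_SOFT_VALIDITY = timedelta(days=731)  # assumption: "2 years", allowing one leap day

def make_cert(purpose, days):
    """Constructed self-signed sample certificate; purpose is 'auth' or 'sign'."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Sample Holder")])
    now = datetime.now(timezone.utc)
    usage = x509.KeyUsage(
        digital_signature=(purpose == "auth"), content_commitment=(purpose == "sign"),
        key_encipherment=False, data_encipherment=False, key_agreement=False,
        key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False)
    return (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=days))
            .add_extension(usage, critical=True).sign(key, hashes.SHA256()))

def purpose_of(cert):
    """'auth', 'sign', or 'undefined' when keyUsage is missing or mixes both purposes."""
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    except x509.ExtensionNotFound:
        return "undefined"
    # Assumed mapping: identification -> digitalSignature, signing -> contentCommitment
    if ku.digital_signature != ku.content_commitment:
        return "auth" if ku.digital_signature else "sign"
    return "undefined"

def check_eid_pair(certs, soft=True):
    """Return the list of policy violations for the certificates of one eID."""
    problems = []
    purposes = sorted(purpose_of(c) for c in certs)
    if purposes != ["auth", "sign"]:
        problems.append(f"need one identification and one signature certificate, got {purposes}")
    points = {(n.x, n.y) for n in (c.public_key().public_numbers() for c in certs)}
    if len(points) != len(certs):
        problems.append("certificates do not use separate keys")
    for c in certs:
        # *_utc attributes need cryptography >= 42; fall back to the older naive ones
        end = getattr(c, "not_valid_after_utc", None) or c.not_valid_after
        start = getattr(c, "not_valid_before_utc", None) or c.not_valid_before
        if soft and end - start > MAX_SOFT_VALIDITY:
            problems.append(f"serial {c.serial_number}: soft certificate valid for more than 2 years")
    return problems
```

A certificate whose keyUsage sets both bits is reported as "undefined", because its purpose can no longer be told apart from the other certificate of the pair.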
4.6.2.3 Conclusions
Thus, 20 countries provided information in relation to their eHealth eID policies, whereas the others did not report significant use cases of eID in eHealth applications. Of these 20 countries, 4 reported only use cases that were in the pilot/development stage, and these will not be examined further. In the remaining 16 countries, 18 use cases were reported:
• 10 countries reported on the general eHealth eID infrastructure, reusable across a number of eHealth application fields;
• 2 reported on predominantly social security/administrative applications;
• 6 reported specific applications (typically applications allowing the management of and access to electronic health records).
Looking at the authentication means reported in these 16 countries:
• Hard crypto tokens are the predominant form of electronic authentication, being reported in 11 out of 16 countries (Austria, Belgium, Croatia, Estonia, Finland, France, Germany, Italy, the Netherlands, Spain and Sweden). Obviously, the availability of eHealth cards or health care professional cards is a strong enabler in this respect, as is e.g. the case for Croatia (CIHI card), Germany (EGK and HBA card), Italy (EIC and NSC card), and the Netherlands (UZI-card). These cards serve to determine the capacity of the signatory (e.g. the UZI-card is only available to health care professionals registered in the Dutch UZI-Register), meaning that interoperability is much harder to achieve in this field.
• Soft crypto tokens are significantly less common, being used in the Czech Republic, Denmark and Sweden, thus including mainly countries where such certificates generally play a stronger role in eGovernment eID policy.
• Password lists were reported to be used in Belgium and Norway for some applications.
• Finally, Password or PIN tokens were reported in the Czech Republic, Ireland and Malta. Typically, this related to lower security applications.
4.6.3 eJustice
4.6.3.1 Overview
In the table below, we provide an overview of the information that was provided on the availability of eJustice applications in the surveyed countries, and specifically how eID functionality has been integrated into these applications.
Country | Application name and URL | Use/functionality | Status
Austria | CyberDOC and Archivium, http://www.archivium.at/ | Both are document archiving solutions for respectively notaries and lawyers. | Operational
Belgium | No details provided. | No details provided. | N.A.
Bulgaria | No details provided. | No details provided. | N.A.
Croatia | e-Tvrtka (e-Company), www.pravosudje.hr | Site allowing notaries to create certain companies on-line | Pilot
Cyprus | No details provided. | No details provided. eJustice infrastructure is present, but no clear eIDM system yet. | N.A.
Czech Republic | E-order for Payment Procedure | It requires filling in an electronic form and signing it with an electronic signature. | Operational