Identity management for the use of electronic health records

- 02/09/2014

Digital certificates and signatures, attributes, and federations and their applications in health care have been the target of the identity management session on the first day of the III RNP Forum. The Federal Council of Medicine (CFM) Second Secretary Gerson Zafalon highlighted the constitutional principles importance of human dignity and the privacy inviolability in the medical practice and the professional secrecy to ensure the patient data confidentiality. 

According to him, in 2007, a CFM resolution was published approving the technical standards concerning scanning and computerized systems. “However, even with this progress, we still cannot eliminate the paper,” he pointed out. 

On the health area difficulties to migrate completely to electronic, Zafalon cited Act 12,682, of 2012, which authorized the digitization and storage public and private documents in electronic media, but still required the preservation of the original ones. He also presented the digital CRM, which acts as an identity card used by doctors to have access to electronic medical record systems. “The digital CRM uses attribute certificates, which function as an authorization mechanism for doctors to access the system,” he explained.

The Cancer Institute of São Paulo State (ICESP) Systems Manager Fabiana Machado shared the experience of electronic medical records implementation with digital certificate at the institution, which performs over 2,200 oncological occurrences attendances and 17,000 medical outpatient appointments per month and it is considered the largest unit for the treatment of cancer in Latin America. “With a focus on assistance, teaching and research, the ICESP pioneered in the acquisition of the electronic medical records system, in order to integrate all these processes,” said Fabiana.

Among the main problems, Fabiana cited the high costs of maintenance, resistance of the medical team, and unmeasured return on investment. “The system needs to be 100% available, with guaranteed data integrity, access control, and authenticity of the information, since someone may legally be liable for the content in the system,” she warned.

In the first phase of the pilot project, the ICESP chose the Intensive Care Unit (ICU). The process involved medical prescription, the nurse’s referral, the release of the drug by the pharmacist, and then again nursing at the checking point. “The big impact was the reduction in scanning. A critical point was the high investment on IT infrastructure,” pointed Fabiana.

As gains from the digital certificate deployment, the ICESP representative highlighted the service agility, integration of internal processes, and patient safety. “Today, 365,000 records are made per month at the hospital, 76% of them electronically signed,” she said. 

The PUC-Rio Researcher Noemi Rodriguez spoke about identity federations and provision of attributes and its advantages over individual endorsements. “The certificates are convenient when the attribute is semi-permanent. But there are other attributes with very short life to use the entire certificate infrastructure,” she explained.

Noemi cited the CAFe’s example, which has identity providers, responsible for authenticating users and the provision of attributes, and service providers, that receive the authentication guarantee, and therefore rely on the authentication model on role and privacy concerns. “To the user, it is not always interesting to expose identity in order to obtain authorization,” she said. 

Noemi also said that, through attributes, it is possible to create virtual organizations, which select which attributes a user must have to join certain groups. “In role authorization, each user is associated to certain roles, then such roles are associated to authorizations, allowing various levels of access,” she concluded.