
Security in the Health Care and Social Sectors

Sweden

By the end of the 1990s, some counties (Östergötland, Skåne, Stockholm) initiated the project SITHS (Säker IT i Sjukvården, "Secure IT in Health Care"), partly financed by the Knowledge Foundation. Carelink was given the task of implementing SITHS in Sweden. Its results are now used in several counties, and most counties have signed an agreement to build their security infrastructure according to the definitions of SITHS. The model is based on PKI for identification and signing. Each employee has a personal electronic ID card for identification; the card contains a certificate that enables digital signatures.

The requirements behind SITHS are for an infrastructure that is sector specific, is built on standards, works for all actors in the sector at a national level, is based on mobile smart cards and admits sector certificates. An employee holding several positions needs a separate certificate for each position.

There are also other initiatives concerning these questions, e.g. a national network for information security, the NIS group.

Collaboration around open-source software, whose program code others may freely copy, raises many legal questions, and these ideas are still being developed. Carelink published a report in 2003 on the legal consequences of disseminating open-source software in the public sector. An open-source program has a licence that allows the program to be copied, modified, and redistributed, and its source code is freely available.

Denmark

In 2002, the National Board of Health developed guidelines for security in the health care sector. Their primary purpose is to advise organisations in the sector on how to ensure that security is adequate under existing laws and the principles for an acceptable level of security. The guidelines are directed towards hospitals and do not cover other actors in the sector.

The current strategy for IT in the health sector (2003–2007) proposes that the National Board of Health assist all actors and organisations in the sector in fulfilling the security requirements concerning patient health records and other information. Guidance and informative materials will be offered.

In November 2003, the National Board of Health published a report on IT security in the sector.43 The report analyses the use of digital signatures and the pros and cons of various kinds of certificates, e.g. certificates for identification such as personal certificates and the circumstances under which they would be issued. It recommends that such a certificate be valid for the entire sector. There are also certificates linked to a certain activity rather than to a person, and here too there are alternative set-ups. For certain activities it is recommended that the certificate be connected to the server and its applications, and made available to personnel who hold a digital signature. Furthermore, a distinction is made between software certificates, where the certificate is an installed file, and hardware certificates; a PIN code is used in these cases.

43 National Board of Health (Sundhedsstyrelsen), "Digital signature og PKI i sundhedsvæsenet", November 2003

Work on security in the health sector is connected to security in eGovernment and electronic communication in the public sector. After a public certificate for electronic services was launched in 2003, the focus shifted to how the use of certificates could be extended to improve security and electronic communication in the health sector. There are three types of government OCES certificates: personal, employee, and business. OCES is a software-based certificate and may be used in organisations where each employee has his or her own computer. This is, however, inappropriate in a hospital, where several persons often share a computer.
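The distinction drawn above between a personal certificate (bound to one employee in one position, hence one certificate per position as the SITHS requirements put it) and an activity certificate bound to a server, together with the demand that a signature be traceable to a person, can be shown with a small sector PKI built on Go's standard library. This is an added example written for this page, not code from SITHS, OCES or any of the bodies described. The sector CA, the subject names, the ECDSA P-256 keys, the 24-hour validity and the sample prescription are all assumptions, and the ClientAuth/ServerAuth extended key usages stand in for whatever policy marks a certificate as personal or activity-bound.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)
var nextSerial int64 = 1 // toy counter; a real CA uses random serial numbers
// Subject names a holder: CN is the person or server, OU the position or activity (assumed layout).
func Subject(cn, ou string) pkix.Name {
	return pkix.Name{CommonName: cn, OrganizationalUnit: []string{ou}}
}

// create fills in serial and validity, signs tmpl with the signer's key and parses the result.
func create(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl.SerialNumber = big.NewInt(nextSerial)
	nextSerial++
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewSectorCA creates the self-signed root that every actor in the sector trusts (hypothetical CA).
func NewSectorCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		Subject: pkix.Name{CommonName: "Example Health Sector CA"},
		IsCA:    true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert, err := create(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// Issue signs a leaf under the sector CA: ClientAuth marks a personal certificate,
// ServerAuth an activity certificate bound to a server, so neither can stand in for the other.
func Issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, subject pkix.Name, personal bool) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	eku := x509.ExtKeyUsageServerAuth
	if personal {
		eku = x509.ExtKeyUsageClientAuth
	}
	tmpl := &x509.Certificate{
		Subject:     subject,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{eku},
	}
	cert, err := create(tmpl, ca, &key.PublicKey, caKey)
	return cert, key, err
}

// SignPrescription signs the SHA-256 digest of a prescription with the holder's private key.
func SignPrescription(key *ecdsa.PrivateKey, prescription []byte) ([]byte, error) {
	digest := sha256.Sum256(prescription)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifyPrescription accepts only a chain from the sector CA to a personal certificate, checks
// the signature, and returns "CN / OU" so the prescriber and position can be identified afterwards.
func VerifyPrescription(ca, cert *x509.Certificate, prescription, sig []byte) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return "", fmt.Errorf("not a valid personal certificate: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", fmt.Errorf("unexpected key type %T", cert.PublicKey)
	}
	digest := sha256.Sum256(prescription)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", fmt.Errorf("signature does not match prescription")
	}
	return cert.Subject.CommonName + " / " + strings.Join(cert.Subject.OrganizationalUnit, ", "), nil
}

func main() {
	ca, caKey, _ := NewSectorCA() // demo only; errors are checked in the functions above
	cert, key, _ := Issue(ca, caKey, Subject("Anna Example", "Cardiology, Hospital A"), true)
	rx := []byte("Patient 1234: amoxicillin 500 mg, 3 times daily, 7 days") // constructed sample
	sig, _ := SignPrescription(key, rx)
	fmt.Println(VerifyPrescription(ca, cert, rx, sig))
}
```

VerifyPrescription refuses a certificate whose chain does not reach the sector CA or whose extended key usage is ServerAuth, so a signature made with the key of an activity certificate is rejected even though it is cryptographically valid; a tampered prescription fails the signature check; and the returned "CN / OU" string is what an audit record would store to identify the prescriber and the position in which they acted. An employee with two positions gets two certificates with distinct serial numbers and keys, and a signature made under one is not accepted when the other is presented.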

Other areas discussed in the guidelines are the definitions by which employees, organisations, and activities will be identified, and the administration and responsibilities of the organisations involved.

Norway

Norway has distinct legislation regarding personal information and employees in the health sector. Two new laws, one on the confidentiality of personal information and one on health professionals, came into force in January 2001. In January 2002, a new law concerning registers and information in the health sector was established. These laws contain rules for handling electronic health information, including rules on integrity and security, which have implications for electronic health records. Under the previous law on personal information, the rule was to apply for the right to handle personal information; the new law separates sensitive from non-sensitive information. For sensitive information it is still necessary to apply for the right to handle such health information, although there are many exceptions.

The Directorate for Health and Social Affairs (Sosial- og helsedirektoratet) published a guideline in 2002 on security in the regional health companies. The guideline gives an overview of the activities needed to establish a security management system, and of methods to collect and present information. Such a system should include certain elements, e.g. goals, strategies and action plans, a responsible organisation, auditing, internal control, a description of the technical solutions, and a description of the personal information that is collected.

The National Insurance Service (Rikstrygdeverket), on behalf of the health and social care sector, has established certification and services for digital signatures and PKI. KITH has played a major role in the process of establishing this service.

Iceland

Security is included in the general policy for IT in society. The policy aims for the general and widespread use of electronic certification so that any communicating partner may be positively identified: electronic signatures and encryption shall be introduced insofar as is deemed appropriate.

The state's requirements shall be published with regard to the content, form, and handling of electronic certificates for transactions with national institutions. Those requirements may become the model for a general Public Key Infrastructure (PKI) for industry and municipalities. When the time is appropriate, European and international standards shall be adhered to, aiming for integration with the PKIs of neighbouring countries.

Finland

Security and privacy protection have been, and remain, key elements in the IT strategy of the Ministry of Social Affairs and Health. The Ministry has actively supported the development of authentication procedures based on PKI solutions.

Actions supporting the national strategy include the creation of new legislation. In 2003, the Ministry prepared modifications concerning certification and digital signatures to the Act on Experiments with Seamless Service Chains in Social Welfare and Health Care Services. The following temporary laws have been accepted:

• Legislation for Seamless Services in Social Affairs and Health, which includes new provisions for the authentication of citizens, health professionals, and organisations in e-services.

• Legislation for e-prescription services.

The Ministry intends to enlarge the geographical area in which the experiment takes place. It will also create an Internet-based national service for the certification of health care personnel.

National Guidelines for Safeguarding will be defined during 2004–2005. These include an eConfidentiality statement and the patient's right to give informed consent. Requirements for secure digital archiving will also be developed.

Based on a decision by the Finnish Government, the interoperable core data set has to be implemented at the national level by the end of 2007, and all EHR systems will be certified for interoperability and security after 2007.

Conclusions

The security and legal aspects are important, especially regarding electronic health records and when information crosses borders between levels, institutions, and actors within and between sectors. The legal aspects of these information flows need to be fully analysed, and laws need to be adjusted. One question to address is for whom the information should be available.

Key aspects that a secure system must include are that information is not available to unauthorised individuals; that integrity is high, to prevent false prescriptions, and that any attempt at tampering is traceable; and that it is possible to identify the user afterwards. Relevant legislation includes the laws regulating registers, personal information, patients' rights, and employees' rights and obligations. The use of e-mail and health-related matters on the Internet also need to be regulated.

Security aspects are presently in focus. In Denmark, security aspects are currently a priority, and in Sweden the counties have agreed on a security framework. In Norway, important reforms have been undertaken in legislation so that the regulatory framework keeps pace with development, whereas in Sweden the regulatory framework is said to be a crucial problem for development.