Electronic Signature for Medical Documents – Integration and Evaluation of a Public Key Infrastructure in Hospitals

 

 Buy Article Permissions and Reprints

Summary

Objectives: Our objectives were to determine the user-oriented and legal requirements for a Public Key Infrastructure (PKI) for electronic signatures for medical documents, and to translate these requirements into a general model for a signature system. A prototype of this model was then implemented and evaluated in clinical routine use.

Methods: Analyses of documents, processes, interviews, observations, and of the available literature supplied the foundations for the development of the signature system model. Eight participants of the Department of Dermatology of the Heidelberg University Medical Center evaluated the implemented prototype from December 2000 to January 2001, during the course of an intervention study. By means of questionnaires, interviews, observations and database analyses, the usefulness and user acceptance of the electronic signature and its integration into electronic discharge letters were established.

Results: Since the major part of medical documents generated in a hospital are signature-relevant, they will require electronic signatures in the future. A PKI must meet the multitude of responsibilities and security needs required in a hospital. Also, the signature functionality must be integrated directly into the workflow surrounding document creation. A developed signature model, fulfilling user-oriented and legal requirements, was implemented using hard and software components that conform to the German Signature Law. It was integrated into the existing hospital information system of the Heidelberg University Medical Center. At the end of the intervention study, the average acceptance scores achieved were x = 3,90; s_D = 0,42 on a scale of 1 (very negative attitude) to 5 (very positive attitude) for the electronic signature procedure. Acceptance of the integration into computer-supported discharge letter writing reached x = 3,91; s_D = 0,47. On average, the discharge letters were completed 7.18 days earlier.

Conclusion: The electronic signature is indispensable for the further development of electronic patient records. Application-independent hard and software components, in accordance with the signature law, must be integrated into electronic patient records, and provided to certification services using standardized interfaces. Signature-oriented workflow and document management components are essential for user acceptance in routine clinical use.

• References

• 1 van Bemmel JH. Toward a Virtual Electronic Patient Record. MD Comput 1999; 16 (Suppl. 06) 20-1.
  PubMedGoogle Scholar
• 2 Smith E, Eloff JH. Security in health-care information systems – current trends. Int J Med Inf 1999; 54 (Suppl. 01) 39-54.
  CrossrefPubMedGoogle Scholar
• 3 Blobel B. The European Trust Health Project experiences with implementing a security infrastructure. Int J Med Inf 2000; 60 (Suppl. 02) 193-201.
  CrossrefPubMedGoogle Scholar
• 4 Dujat C, Haux R, Schmücker P, Winter A. Digital Optical Archiving of Medical Records in Hospital Information Systems – A Practical Approach Towards the Computer-based Patient Record?. Methods Inf Med 1995; 34 (Suppl. 05) 489-97.
  Article in Thieme ConnectPubMedGoogle Scholar
• 5 Safran C, Goldberg H. Electronic patient records and the impact of the Internet. Int J Med Inf 2000; 60 (Suppl. 02) 77-83.
  CrossrefPubMedGoogle Scholar
• 6 Epstein MA, Pasieka MS, Lord WP, Wong STC, Mankovich NJ. Security for the Digital Information Age of Medicine: Issues, Applications, and Implementation. J Digit Imaging 1998; 11 (Suppl. 01) 33-4.
  CrossrefPubMedGoogle Scholar
• 7 van Dyk J. Public Key Infrastructure – Securing the Exchange of Health Information. MD Comput 2000; 17 (Suppl. 05) 44-6.
  PubMedGoogle Scholar
• 8 Diffie W, Hellmann ME. New Directions in Cryptography. IEEE Trans Inf Theory 1976; 22 (Suppl. 06) 644-54.
  CrossrefPubMedGoogle Scholar
• 9 ISO 7498-2. Information processing systems – Open Systems Interconnection – Basic Reference Model – Part 2: Security Architecture. International Organization for Standardization JTC 1. 1989
  PubMedGoogle Scholar
• 10 SigG 1997. Federal Act Establishing the General Conditions for Information and Communication Services – Information and Communication Services Act – Article 3 Digital Signature Act. Bundesgesetzblatt Teil I 52: 1872-6.
  PubMedGoogle Scholar
• 11 SigR 2000. Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures. Official Journal of the European Communities. L13: 12-20.
  PubMedGoogle Scholar
• 12 Anderson JG, Aydin CE, Jay SJ. Evaluating Health Care Information Systems: Methods and Application. Thousand Oaks (California): Sage Publications; 1994
  Google Scholar
• 13 O’Brien DG, Yasnoff WA. Privacy, Confidentiality, and Security in Information Systems of State Health Agencies. Am J Prev Med 1999; 16 (Suppl. 04) 351-8.
  CrossrefPubMedGoogle Scholar
• 14 Secude. Security Development Environment for Open Systems. Darmstadt: Secude Sicherheitstechnologie Informationssysteme GmbH; 1997
  Google Scholar
• 15 Boy O, Ohmann C, Aust B, Eich HP, Koller M, Knode O. et al. Systematische Evaluierung der Anwenderzufriedenheit mit einem Krankenhausinformationssystem – Erste Ergebnisse. In: Hasman A. eds. Medical Infobahn for Europe – Proceedings of MIE2000 and GMDS2000. Amsterdam: IOS Press; 2000: 518-22.
  Google Scholar
• 16 Pruemper J. Software-Evaluation Based upon ISO 9241 Part 10. Lect Notes Comput Sc 1993; 733: 255.
  PubMedGoogle Scholar
• 17 SigG 2001. Law Governing Framework Conditions for Electronic Signatures and Amending Other Regulations. Bundesgesetzblatt Teil I. 22: 876-84.
  PubMedGoogle Scholar
• 18 ENV 13729. Health informatics – Secure user identification for healthcare strong authentication using microprocessor cards. European Committee for Standardization TC 251. 1999
  PubMedGoogle Scholar
• 19 HPC-D v. 1.1. German Health Professional Card – Spezification Physician Version 1.1. Gemeinsame AG der Kassenärztlichen Bundesvereinigung und der Bundesärztekammer. 1999
  PubMedGoogle Scholar
• 20 Rivest R, Shamir A, Adleman L. A method for obtaining digital signatures and public key cryptosystems. Commun ACM 1978; 21: 2.
  PubMedGoogle Scholar
• 21 ISO/IEC 14888-3. Information technology – Security techniques – Digital signatures with appendix – Part 3: Certificate-based mechanisms. International Organization for Standardization JTC 1/SC 27. 1999
  PubMedGoogle Scholar
• 22 ISO/IEC 10118-3. Information technology – Security techniques – Hash-functions – Part 3: Dedicated hash-functions. International Organization for Standardization JTC 1/SC 27. 1998
  PubMedGoogle Scholar
• 23 NIST FIPS Publication 180-1. Secure Hash Standard (SHS-1). National Institute of Standards and Technology; 1995
  Google Scholar
• 24 PKCS#7. Cryptographic Message Syntax Standard. Public Key Cryptography Standards. RSA Laboratories.; 1993
  Google Scholar
• 25 RFC 2251. Lightweight Directory Access Protocol (v3). Network Working Group.; 1997
  Google Scholar
• 26 RFC 2560. Online Certificate Status Protocol – OCSP. X.509 Internet Public Key Infrastructure. Network Working Group.; 1999
  Google Scholar
• 27 XML Signature. Syntax and Processing W3C Candidate Recommendation 19-April-2001. World Wide Web Consortium.; 2001
  Google Scholar
• 28 DICOM Supplement 41. Digital Imaging and Communications in Medicine (DICOM) Digital Signatures. NEMA Standards Publication PS 3. National Electric Manufacturers Association; 2001
  Google Scholar
• 29 Winter A, Haux R. A Three Level graph-based Model for Management of Computer-Supported Hospital Information Systems. Methods Inf Med 1995; 34 (Suppl. 04) 378-96.
  Article in Thieme ConnectPubMedGoogle Scholar