Electronic Signature for Medical Documents – Integration and Evaluation of a Public Key Infrastructure in Hospitals

R. Brandner; M. van der Haak; M. Hartmann; R. Haux; P. Schmücker

doi:10.1055/s-0038-1634389

Methods of Information in Medicine, Table of Contents

Methods Inf Med 2002; 41(04): 321-330
DOI: 10.1055/s-0038-1634389

Original article

Schattauer GmbH

Electronic Signature for Medical Documents – Integration and Evaluation of a Public Key Infrastructure in Hospitals

R. Brandner

¹Department of Medical Informatics, University of Heidelberg, Germany

,

M. van der Haak

¹Department of Medical Informatics, University of Heidelberg, Germany

,

M. Hartmann

²Department of Dermatology, Heidelberg University Medical Center, Germany

,

R. Haux

¹Department of Medical Informatics, University of Heidelberg, Germany

,

P. Schmücker

¹Department of Medical Informatics, University of Heidelberg, Germany

› Author Affiliations

Abstract

Summary

Objectives: Our objectives were to determine the user-oriented and legal requirements for a Public Key Infrastructure (PKI) for electronic signatures for medical documents, and to translate these requirements into a general model for a signature system. A prototype of this model was then implemented and evaluated in clinical routine use.

Methods: Analyses of documents, processes, interviews, observations, and of the available literature supplied the foundations for the development of the signature system model. Eight participants of the Department of Dermatology of the Heidelberg University Medical Center evaluated the implemented prototype from December 2000 to January 2001, during the course of an intervention study. By means of questionnaires, interviews, observations and database analyses, the usefulness and user acceptance of the electronic signature and its integration into electronic discharge letters were established.

Results: Since the major part of medical documents generated in a hospital are signature-relevant, they will require electronic signatures in the future. A PKI must meet the multitude of responsibilities and security needs required in a hospital. Also, the signature functionality must be integrated directly into the workflow surrounding document creation. A developed signature model, fulfilling user-oriented and legal requirements, was implemented using hard and software components that conform to the German Signature Law. It was integrated into the existing hospital information system of the Heidelberg University Medical Center. At the end of the intervention study, the average acceptance scores achieved were x = 3,90; s_D = 0,42 on a scale of 1 (very negative attitude) to 5 (very positive attitude) for the electronic signature procedure. Acceptance of the integration into computer-supported discharge letter writing reached x = 3,91; s_D = 0,47. On average, the discharge letters were completed 7.18 days earlier.

Conclusion: The electronic signature is indispensable for the further development of electronic patient records. Application-independent hard and software components, in accordance with the signature law, must be integrated into electronic patient records, and provided to certification services using standardized interfaces. Signature-oriented workflow and document management components are essential for user acceptance in routine clinical use.

Keywords

Electronic patient records - data security - public key infrastructure - electronic signature

Full Text

References

References
1 van Bemmel JH. Toward a Virtual Electronic Patient Record. MD Comput 1999; 16 (Suppl. 06) 20-1.
2 Smith E, Eloff JH. Security in health-care information systems – current trends. Int J Med Inf 1999; 54 (Suppl. 01) 39-54.
3 Blobel B. The European Trust Health Project experiences with implementing a security infrastructure. Int J Med Inf 2000; 60 (Suppl. 02) 193-201.
4 Dujat C, Haux R, Schmücker P, Winter A. Digital Optical Archiving of Medical Records in Hospital Information Systems – A Practical Approach Towards the Computer-based Patient Record?. Methods Inf Med 1995; 34 (Suppl. 05) 489-97.
5 Safran C, Goldberg H. Electronic patient records and the impact of the Internet. Int J Med Inf 2000; 60 (Suppl. 02) 77-83.
6 Epstein MA, Pasieka MS, Lord WP, Wong STC, Mankovich NJ. Security for the Digital Information Age of Medicine: Issues, Applications, and Implementation. J Digit Imaging 1998; 11 (Suppl. 01) 33-4.
7 van Dyk J. Public Key Infrastructure – Securing the Exchange of Health Information. MD Comput 2000; 17 (Suppl. 05) 44-6.
8 Diffie W, Hellmann ME. New Directions in Cryptography. IEEE Trans Inf Theory 1976; 22 (Suppl. 06) 644-54.
9 ISO 7498-2. Information processing systems – Open Systems Interconnection – Basic Reference Model – Part 2: Security Architecture. International Organization for Standardization JTC 1. 1989
10 SigG 1997. Federal Act Establishing the General Conditions for Information and Communication Services – Information and Communication Services Act – Article 3 Digital Signature Act. Bundesgesetzblatt Teil I 52: 1872-6.
11 SigR 2000. Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures. Official Journal of the European Communities. L13: 12-20.
12 Anderson JG, Aydin CE, Jay SJ. Evaluating Health Care Information Systems: Methods and Application. Thousand Oaks (California): Sage Publications; 1994
13 O’Brien DG, Yasnoff WA. Privacy, Confidentiality, and Security in Information Systems of State Health Agencies. Am J Prev Med 1999; 16 (Suppl. 04) 351-8.
14 Secude. Security Development Environment for Open Systems. Darmstadt: Secude Sicherheitstechnologie Informationssysteme GmbH; 1997
15 Boy O, Ohmann C, Aust B, Eich HP, Koller M, Knode O. et al. Systematische Evaluierung der Anwenderzufriedenheit mit einem Krankenhausinformationssystem – Erste Ergebnisse. In: Hasman A. eds. Medical Infobahn for Europe – Proceedings of MIE2000 and GMDS2000. Amsterdam: IOS Press; 2000: 518-22.
16 Pruemper J. Software-Evaluation Based upon ISO 9241 Part 10. Lect Notes Comput Sc 1993; 733: 255.
17 SigG 2001. Law Governing Framework Conditions for Electronic Signatures and Amending Other Regulations. Bundesgesetzblatt Teil I. 22: 876-84.
18 ENV 13729. Health informatics – Secure user identification for healthcare strong authentication using microprocessor cards. European Committee for Standardization TC 251. 1999
19 HPC-D v. 1.1. German Health Professional Card – Spezification Physician Version 1.1. Gemeinsame AG der Kassenärztlichen Bundesvereinigung und der Bundesärztekammer. 1999
20 Rivest R, Shamir A, Adleman L. A method for obtaining digital signatures and public key cryptosystems. Commun ACM 1978; 21: 2.
21 ISO/IEC 14888-3. Information technology – Security techniques – Digital signatures with appendix – Part 3: Certificate-based mechanisms. International Organization for Standardization JTC 1/SC 27. 1999
22 ISO/IEC 10118-3. Information technology – Security techniques – Hash-functions – Part 3: Dedicated hash-functions. International Organization for Standardization JTC 1/SC 27. 1998
23 NIST FIPS Publication 180-1. Secure Hash Standard (SHS-1). National Institute of Standards and Technology; 1995
24 PKCS#7. Cryptographic Message Syntax Standard. Public Key Cryptography Standards. RSA Laboratories.; 1993
25 RFC 2251. Lightweight Directory Access Protocol (v3). Network Working Group.; 1997
26 RFC 2560. Online Certificate Status Protocol – OCSP. X.509 Internet Public Key Infrastructure. Network Working Group.; 1999
27 XML Signature. Syntax and Processing W3C Candidate Recommendation 19-April-2001. World Wide Web Consortium.; 2001
28 DICOM Supplement 41. Digital Imaging and Communications in Medicine (DICOM) Digital Signatures. NEMA Standards Publication PS 3. National Electric Manufacturers Association; 2001
29 Winter A, Haux R. A Three Level graph-based Model for Management of Computer-Supported Hospital Information Systems. Methods Inf Med 1995; 34 (Suppl. 04) 378-96.