How to connect healthcare information systems without creating a "big brother"
Doc. MUDr. Jiří Kofránek, CSc., Charles University, Prague
Ing. Ondřej Felix, CSc., eGovernment chief architect, Ministry of the Interior of the Czech Republic
Tools for making healthcare more efficient: modern information technologies; organizational changes.
Healthcare information transfer (about patients, about medical services, economic costs, etc.). Protection of sensitive personal data: the necessary condition of healthcare information systems functionality.
If information about patients, medical procedures, economic costs and so on is transferred and stored within the secure network environment of hospital information systems, the protection of personal data is ensured by the hospital's own network environment, and the vendor of the hospital information system takes care of the compatibility of the stored and transmitted data formats. The situation becomes more complicated when we want to transfer healthcare information (and the related economic information) outside this environment. Then the compatibility of data formats and, above all, the protection of sensitive personal data in healthcare information systems is a necessary condition of their functionality. It is therefore not possible, for example, to share medical information on web servers without adequate protection against unauthorised access.
How not to build an Orwell's "big brother". How to safely interconnect healthcare information systems? It is necessary to ensure both requirements: sharing, and protection of sensitive personal data.
This is possible only if the integrated information systems of public administration are interconnected in a way that, on the one hand, ensures that data once provided to public administration is not requested from the citizen again by another authority and, at the same time, ensures its reliable protection against unauthorised access, in particular against the stored data being linked together without authorisation.
Interconnection of information systems: data sharing together with protection against unauthorized access.
Two fundamental rights of citizens. In the integrated public administration system (once it is completed), two basic principles should apply:
1. A citizen should have access to all records that public administration keeps on him.
2. A citizen should be able to initiate, himself and also via the Internet, the updating of changed data (e.g. a change of residential address).
Applied to healthcare information systems, this would mean that the citizen should have access to his medical records and to the financial report on payments and on the use of his health insurance.
Central Health Registers: Cardiosurgery register; Tuberculosis register; Arthral implant register; National transplantation register; National oncologic register; Intensive healthcare register; Angioplastic register; Venereal diseases register; Vascular surgery register; Acute respiratory infections register; Ophthalmology register.
Central Health Registers: individual biomedical data. !!!Very sensitive personal data!!!
Individual biomedical data in Central Health Registers. !!!Very sensitive personal data!!!
For therapy and diagnosis: individual data. Individual data in central registers! Strong data security management.
For evaluation of effectiveness of various therapeutic and diagnostic approaches: statistical data. Anonymous data in central registers!
Individual data in central registers! Anonymous data in central registers!
Requirement of tracking of individual cases. Record in register. Danger of misuse of the sensitive data. Strong data security management.
Statistical evaluation. Evidence based medicine.
Technological solution.
[Diagram: patient name… (personal ID) together with medical record content is sensitive personal data. Split by a document identifier, patient name… (personal ID) with the document identifier is neutral data, and the document identifier with the medical record content is neutral data.]
Fig. 12 The information becomes sensitive when health status information is connected with the social insurance number or any other direct or distinct identifying information. But if you separate the health information from the identifying information, then the contents of the health documentation, without identifying information, is NOT strictly prohibited personal data. This information, NOT connected with THE person, could be a source for statistical processing, e.g. for the monitoring of the quality of health care.
[Diagram: cross connection table holding patient name… (personal ID) and document identifier (neutral data); medical record database holding document identifier and medical record content (neutral data). Reconnected, they are sensitive personal data. Reconnection is permitted to authorised persons only.]
Fig. 13 Information becomes sensitive when it is connected again with identifying information. This interconnection will be allowed only to AUTHORISED PERSON(-s).
[Diagram: request for interconnection, approved. Cross connection tables hold patient name… (personal ID) and document identifiers. Medical record database A holds document identifier and medical record content A (neutral data); medical record database B holds document identifier and medical record content B (neutral data). Reconnected with the patient name, the contents are sensitive personal data.]
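The separation described in Fig. 12 and Fig. 13, as an added example that is not part of the original slides: medical record databases hold only neutral data keyed by a document identifier, and a cross connection table reconnects it to a person for authorised requesters only. The class names, the random hexadecimal document identifier, the audit list and the sample personal IDs and diagnoses are assumptions made for illustration.

```python
import secrets
from collections import Counter

class MedicalRecordDatabase:
    """Neutral data only: document identifier -> medical record content."""
    def __init__(self):
        self.records = {}

    def store(self, content):
        doc_id = secrets.token_hex(16)  # random, carries no identity (assumption)
        self.records[doc_id] = content
        return doc_id

    def diagnosis_counts(self):
        # Statistical processing works without any identifying information.
        return Counter(r["diagnosis"] for r in self.records.values())

class CrossConnectionTable:
    """Personal ID -> document identifiers, kept apart from the content."""
    def __init__(self, authorised):
        self.authorised = set(authorised)
        self.links = {}   # personal_id -> [(database name, document identifier)]
        self.audit = []   # every reconnection request, approved or refused

    def link(self, personal_id, db_name, doc_id):
        self.links.setdefault(personal_id, []).append((db_name, doc_id))

    def reconnect(self, requester, personal_id, databases):
        approved = requester in self.authorised
        self.audit.append((requester, personal_id, approved))
        if not approved:
            raise PermissionError("reconnection is permitted to authorised persons only")
        return [databases[db].records[doc]
                for db, doc in self.links.get(personal_id, [])]

def build_demo():
    # Constructed sample data: personal IDs, requester and diagnoses are invented.
    dbs = {"A": MedicalRecordDatabase(), "B": MedicalRecordDatabase()}
    table = CrossConnectionTable(authorised={"dr.novak"})
    samples = [("P-001", "A", "I21"), ("P-001", "B", "C50"), ("P-002", "A", "I21")]
    for pid, db, dx in samples:
        table.link(pid, db, dbs[db].store({"diagnosis": dx}))
    return dbs, table
```
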
Czech Republic eGovernment Architecture: Information system of basic registers.
Registry of Inhabitants: inhabitants (ID).
Registry of Persons: legal persons, legal entities, public power authorities etc. (ID).
Registry of Territorial Identification, Addresses and Real Estates: estates and addresses.
Registry of Rights and Obligations: rights and obligations (access rights etc.).
Information sharing. Change information.
Czech Republic eGovernment Architecture: Information system of basic registers (Registry of Inhabitants, Registry of Persons, Registry of Territorial Identification, Addresses and Real Estates, Registry of Rights and Obligations) with the ORG - Converter.
Basic Identifier of Natural Person (BINP). Agenda Identifiers of Natural Person (AINP). Data protection.
Data A, Data B, Data C (example person: Kofránek). Request for data. Request for interconnection with Data B.
Czech Republic eGovernment Architecture: Distributed Information Health Care Systems alongside the Information system of basic registers and the ORG - Converter. Data protection. Information sharing.
There is no need to reinvent the wheel! eGovernment architecture in the Czech Republic. Secure interconnection of healthcare data without creating a big brother is possible!
Thank you for your attention. kofranek@gmail.com ondrej.felix@me.com