Medinfo 2007

Interoperability and Security: Design and Development of a Clinical Documents Repository Digitally Signed using CDA standard

Fernán González Bernaldo de Quirós, Adrián Gómez, Fernando Campos, Jorge Severino, Fernando Plazzotta, Daniel R. Luna

Medical Informatics Department, Hospital Italiano of Buenos Aires, Argentina.

Abstract

The number of institutions with hospital information systems has increased. With the different technologies and standards available, many information exchange needs can be satisfied, bearing in mind that in shared settings sensitive documentation requires special treatment. HL7's CDA is a markup document standard that specifies the structure and semantics of a clinical document. Digital signature is a tool that guarantees the authorship and integrity of electronic documents. The Hospital Italiano of Buenos Aires has developed and implemented a CDA document repository together with its own PKI infrastructure, storing the private and public keys and the digital certificate in an E-Token. The result is a trustworthy and unique registry of medical acts that makes the documents accessible in a fully legible format, allows this information to be processed and later included in other systems or applications, and guarantees its authorship and integrity. These documents can be viewed in any web browser.

Keywords: Medical Records Systems, Computerized; Computer Security; Standards; Electronic Documents; Digital Signature.

Introduction

The growth of hospital information systems, the need to exchange information and the proliferation of Internet technologies have made it possible for medical documents to be shared and exchanged between organizations, hospitals and healthcare providers [1]. This in turn enabled the development of protocols and methods that ensure medical information is exchanged in a standard format, increasing the chances of achieving semantic and syntactic interoperability. One of the main standards families in the health information systems setting is Health Level Seven (HL7), an organization accredited by the American National Standards Institute (ANSI) whose mission is the development of communication protocols for medical information exchange [2]. CDA stands for Clinical Document Architecture and is a markup standard that specifies the structure and semantics of a clinical document.

The current version is 2.0; it is part of version 3 of the HL7 standard and derives its semantic content from the Reference Information Model (RIM) [3]. Paper documents, on the other hand, have traditionally had their authorship and integrity guaranteed by a handwritten signature, which certifies that the signer is the single person responsible for what is written in the document. Furthermore, the signature is placed at the end of the document to prove that what is authenticated has not been modified; each later modification or addition to the document is signed in turn. The medical setting works in this same way: when the physician records on paper, he or she signs at the end of the chart. Each later entry must be signed, and this single handwritten signature indicates authorship of and responsibility for any modification made since the previous signature. The digitalization of documents and transactions has brought great convenience to modern life, improving processes and removing distance as an obstacle to carrying out procedures and operations. Nevertheless, it makes it impossible to physically sign these documents as was traditionally done. Simple electronic signatures, such as "username and password", do not fulfil all the requirements needed to replace the handwritten signature in every possible use. Digital signature is a technological tool that guarantees the authorship and integrity of digital documents, giving them the same validity as those signed on paper. Using mathematical processes, it binds the signed document to information belonging to the signatory, allowing other parties to recognize the signer's identity and to be assured that the contents have not been modified.

Objectives

In the present work we describe the design, development and implementation of a digitally signed clinical document repository, created from an electronic health record, using the CDA standard and public key infrastructure (PKI), that is, asymmetric cryptography.

Materials and Methods

Scenario

The Italian Hospital of Buenos Aires (HIBA) is a tertiary care, teaching and research hospital with a 150-year history. It has 650 inpatient beds, 3,000 monthly admissions and more than 150,000 outpatient visits per month. It also has its own Health Maintenance Organization (HMO), which cares for a population of 140,000 patients. Since 1998 a full-scale HIS has been gradually implemented, including an ambulatory Electronic Health Record (EHR), inpatient discharge summary, administrative systems, scheduling systems, inpatient tracking systems, pharmacy systems, and reporting and visualization of complementary studies. Several health informatics standards have been implemented, including HL7, CDA 2.0, ICD-9-CM, DRG and ICD-10 [4]. To achieve a suitable implementation it was necessary to involve different hospital areas and ancillary services, whose information systems consist of local applications that solve specific needs. It was therefore decided to use HL7 as the communication standard between applications, which made it possible to maintain functional independence and respect the existing developments [5]. The information system is developed in Java, with a J2EE enterprise architecture and 24x7 availability supported by an Oracle iAS 10g application server cluster on a Red Hat Linux platform. The information model is held in an Oracle 9i transactional database.

Itálica

The Electronic Health Record has interfaces adapted to each healthcare setting: one for the inpatient setting, one for the emergency department and one for outpatient care. The ambulatory Electronic Health Record acts as the patient's longitudinal health record; it is fully implemented in the outpatient setting and is a problem-oriented medical record. The inpatient and emergency records are episode-oriented. All the interfaces of the electronic health record have an integrated computerized physician order entry (CPOE).
CDA

CDA is a document standard defined by HL7 that specifies the structure and semantics of clinical documents in order to achieve accurate information exchange. It is defined as an information object that can include text, images, sound and other multimedia elements. Each CDA document is an XML document based on HL7's Reference Information Model (RIM). XML is a very flexible language, which allows a CDA document to define a set of tags for its documents or for the different document types [6]. The HL7 RIM is an object-oriented methodology that represents data, events and messages, deriving them from the semantic content of the RIM [7]. Each CDA document is basically made up of two main parts: header and body. The header holds the information about the document itself, such as its identifier, the type of document and its version. It also includes the participants, such as the patient, the author, the physician and the people in charge of the document, and finally the relationships of the document with other documents, which may be other CDAs or, for example, a request for a complementary study. The body contains the clinical report, which keeps a structure in which different sections are included for the different observations recorded. Each of these sections contains a narrative text, which is mandatory and allows anyone to read the document needing only a web browser. It may also include one or many "entries", which are used to encode what is stated in the narrative text. Neither the party that generates the document nor the one that receives and processes it is forced to generate or process these "entries". This means that a CDA version 2 implementation in an information system can be relatively simple, if only the narrative text is used, or truly complex if a detailed encoding is to be included [8]. HL7 defines a minimum set of sections for the implementation of a CDA document:

- Header: contains data about the document itself, such as its reference schema, document identifier, document type, title, date, a confidentiality code and its version.
- Record target: indicates to whom the document belongs; in this case a person fulfilling the patient role.
- Author: in some cases the role or function of the author is inherent in the clinical code of the document, but basically it represents the person who produces the document.
- Custodian: represents the organization responsible for generating the document and in charge of maintaining it. It is the administrator responsible for the document, and each CDA has a custodian.
- Legal Authenticator: represents the participant who has legally authenticated the document.
- Body: includes the findings and observations of the health provider and corresponds to a structured body made up of several components.

Digital Signature

A digital document is the "digital representation of acts or facts", that is to say, any digital computer file, regardless of whether it is text, a picture, a database, an e-mail, etc. Nor does it matter on what type of media it is stored: disc, CD-ROM, pen drive, etc. Digital signature is understood as the result of applying a mathematical procedure to a digital document, requiring information held exclusively by the signer and under his or her absolute control. Both the creation of a digital signature and its verification use complex mathematical procedures based on public key infrastructure, or asymmetric cryptography (PKI - Public Key Infrastructure). In an asymmetric cryptographic system each user has a pair of keys of his own, called the private key and the public key; they are strongly related to each other, but it is not feasible to compute one from the other. The public key is available to everybody, and the private key is used only by the signatory.

The digital signature process begins with a mathematical function applied to the digital document, which yields a HASH (also called a digest). Two basic elements are required to generate the HASH: the digital document to sign and the signatory's information, that is to say, the pair of keys. The HASH is a unique sequence of characters of fixed length for each document, and it cannot be used to recover the document or the original keys. To relate a public key to an individual (or organization) there exist small digital documents called "digital certificates" that attest to this relationship. These are issued, and also digitally signed, by a Certification Authority, which must be qualified as a "licensed certifier". A certificate chain is then generated, beginning with the author's public key certificate, called the "Chain of Confidence". Verifying a signature requires validating the whole certificate chain.

Digital Signature Legislation in Argentina

In 2001 Law No. 25506 on "Digital Signature" was enacted and was finally regulated in December 2002. It essentially recognizes the use of digital and electronic signatures and their legal validity, allowing the trustworthy identification of individuals who carry out electronic transactions. Thus, where a document requires a handwritten signature, that requirement is also satisfied by a digital signature. In its fifth article the law also describes the electronic signature as a set of electronic data, logically related to other electronic data, used by the signatory as his means of identification, which lacks some of the legal requirements to be considered a digital signature. An electronic signature can therefore be any sign, password or keyword that a person has adopted as a symbol of his own identity, and the documents that person signs using that key or code will be equivalent to a document signed on paper [9].
Medical Information Security

Our project includes as a key issue the development of the security mechanisms needed to operate and maintain a decentralized medical record system, knowing that medical information security rests on five fundamental aspects:

- Privacy: medical information cannot be accessed by third parties unrelated to the care process.
- Non-repudiation: refers to the authorship of the document; only the person who holds the digital signature is responsible for the data generated and saved.
- Authenticity: refers to the authentic character of a document, that is, that it is the original one.
- Integrity: related to the previous one, concerns the content of the medical information, preventing its original content from being altered.
- Chronology: directly related to integrity, allows keeping a record of the date and time at which the original information was created, thus giving the data a temporal sequence.

CDA documents creation

The information system of our institution registers all the medical events generated in the health care process. Clinical document generation begins with the medical encounter or health care event; for the outpatient setting this is the aggregation of all the actions made:

- Medical Problems.
- Medical Progress Notes.
- Orders Entered.
- Clinical Observations.
- Pharmacologic Prescriptions.
- Date and Hour.

All these aggregated concepts represent a single medical event or health care event. All the medical data recorded by health care providers is recorded within these items; it is in this event that providers capture all the information and attributes necessary to feed the clinical data repository. For the inpatient and emergency settings, an example of a clinical document is the epicrisis; in the case of information generated by ancillary services, each procedure requested is equivalent to a health care event and therefore generates a document, using the information produced in the reporting system. Figure 1 describes the creation process (and later signature) of the clinical document for the outpatient setting:

1. The user (physician) selects in the EHR the patient receiving health care, entering some personal data or selecting the patient from his appointment agenda. Each patient who receives care is registered in the master patient index of the hospital information system.
2. The relevant data of the health care process is recorded. This includes the creation of medical problems, progress notes, pharmacologic prescriptions, requests for complementary studies, requests for referrals, etc. The application generates a health episode and stores all the medical information in the clinical data repository.
3. A web service is in charge of generating the CDA document. This service retrieves the medical information from the clinical data repository of the hospital system and creates the document (an XML file).
4. The user is asked to validate the information through a confirmation process, and the document is digitally signed.
5. The signed document and its control parameters are stored in the file system.

Figure 1 - Process of creation and signature of clinical documents.

The visualization of the document can be customized using an XSL style sheet. Figure 2 shows a CDA to which a style sheet of our own design has been applied, allowing it to be viewed directly from any web browser.

Figure 2 - Visualization of a CDA document

Digital Signature of Medical Documents

HIBA took the initiative to create its own PKI, developing an "in house" application that manages the whole process of creating and administering public and private keys and digital certificates. Using the standard proposed by HL7 in its "Clinical Document Architecture" (CDA), a clinical document repository is generated, and it is to these documents that the digital signature is applied (and not to the transactional analytical databases). The digital signature process consists of collecting the entered medical data, from which an XML file is created. XML is a growing standard used mainly in web settings, and it helps to incorporate security features such as the recently implemented digital signature. XML security combines cryptographic algorithms with XML technology, offering a secure setting for users as well as for applications [10]. To guarantee its integrity and authenticity, a digital document must fulfil three basic characteristics:

- Having a HASH, to guarantee the document's integrity.
- Being signed with a private and public key system, to guarantee its authorship.
- Having a time stamping service, to guarantee the document's temporality.

In our project the public and private keys are stored in a cryptographic USB E-Token given to providers, who are asked to insert it at the moment of signing. The E-Token is an electronic component with a USB (Universal Serial Bus) interface, similar to a flash memory (pen drive), but with a microchip that is able to store and run cryptographic algorithms. When an XML clinical document is created, the application calculates a single HASH value and encrypts it using the private key stored in the E-Token. This encrypted file keeps the original information together with the digital certificate [11]. Time stamping of documents is one of the most complex and problematic processes in the implementation of digital signature of medical documents. The exact moment at which the information was first recorded is one of the most important variables, since the existence of the medical document at a given moment in time must be established in a secure way. We chose to generate a time stamping process digitally signed by the issuing system, which thus guarantees the veracity of the process and the digital identity of the organization that issues the stamp. It can then be asserted that the document existed at the date and time stated in the stamp.

Figure 3 - Time Stamping Process

This digitally signed time record is stored together with the document signed by the user, guaranteeing the integrity of the date and time at which the medical event took place even under heavy user access. In addition, a digitally signed time stamp file is stored in an active file for historical validation (see Figure 3). The verification process validates the digital certificate of the generated XML file and extracts the public key from it. The message is decrypted, and the HASH is recalculated and compared with the one in the signed XML document. This process allows a version of the medical document to be maintained, detecting possible alterations to the original record.
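The signing, time stamping and verification steps described in this and the preceding section (hash the XML, sign the hash with the author's key, time-stamp the signature with the institution's key, then recompute and compare on verification), as an added example that is not the hospital's code: it uses Go's standard library with ECDSA P-256 and SHA-256 over the raw XML bytes in place of the XML-Signature processing and the E-Token the paper relies on, and the sample document, key pairs and stamp format are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// Constructed sample: a minimal CDA-like XML document, not a real patient record.
const sampleCDA = `<ClinicalDocument xmlns="urn:hl7-org:v3">
  <id root="1.2.3.4.5" extension="DOC-0001"/><title>Outpatient progress note</title>
  <component><structuredBody><component><section><text>Follow-up visit. No new complaints.</text>
  </section></component></structuredBody></component></ClinicalDocument>`

// newKeyPair stands in for the key pair the paper keeps on the provider's E-Token.
func newKeyPair() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Signature is what the repository stores next to the document.
type Signature struct {
	Digest [32]byte // SHA-256 of the document exactly as signed by the author
	DER    []byte   // ASN.1 ECDSA signature over Digest
}

// signDocument hashes the document and signs the digest with the author's private key.
func signDocument(priv *ecdsa.PrivateKey, doc []byte) (Signature, error) {
	d := sha256.Sum256(doc)
	der, err := ecdsa.SignASN1(rand.Reader, priv, d[:])
	return Signature{Digest: d, DER: der}, err
}

// verifyDocument recomputes the hash of the document as received and checks the signature.
func verifyDocument(pub *ecdsa.PublicKey, doc []byte, sig Signature) bool {
	d := sha256.Sum256(doc)
	return d == sig.Digest && ecdsa.VerifyASN1(pub, d[:], sig.DER)
}

// TimeStamp is the issuing system's signed assertion that a signature existed at a given time.
type TimeStamp struct {
	SigDigest [32]byte  // SHA-256 of the author's signature bytes
	When      time.Time // time asserted by the stamping system
	DER       []byte    // institution's signature over stampPayload(SigDigest, When)
}

// stampPayload binds the signature digest and the time into one value to sign.
func stampPayload(sigDigest [32]byte, when time.Time) []byte {
	p := sha256.Sum256(append(sigDigest[:], when.UTC().Format(time.RFC3339)...))
	return p[:]
}

// stampSignature is issued with the institution's key, not the author's.
func stampSignature(tsaPriv *ecdsa.PrivateKey, sig Signature, when time.Time) (TimeStamp, error) {
	sd := sha256.Sum256(sig.DER)
	der, err := ecdsa.SignASN1(rand.Reader, tsaPriv, stampPayload(sd, when))
	return TimeStamp{SigDigest: sd, When: when, DER: der}, err
}

// verifyStamp checks that the stamp refers to this exact signature and was signed by the institution.
func verifyStamp(tsaPub *ecdsa.PublicKey, sig Signature, ts TimeStamp) bool {
	return sha256.Sum256(sig.DER) == ts.SigDigest &&
		ecdsa.VerifyASN1(tsaPub, stampPayload(ts.SigDigest, ts.When), ts.DER)
}

func main() {
	author, _ := newKeyPair()
	tsa, _ := newKeyPair()
	doc := []byte(sampleCDA)
	sig, _ := signDocument(author, doc)
	ts, _ := stampSignature(tsa, sig, time.Now())
	doc[len(doc)-2] ^= 1 // flip one bit in the closing tag after signing
	fmt.Println(verifyStamp(&tsa.PublicKey, sig, ts), verifyDocument(&author.PublicKey, doc, sig)) // true false: stamp intact, altered document rejected
}
```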

Discussion

The versatility of the CDA standard is shown at implementation, when it demonstrates all its potential, centred on the semantic structure and a standard medical vocabulary. It is extremely complex to make clinical notes available in free text format for the users' benefit. Likewise, the complexity of our information systems and their interaction with other software components that offer fundamental services for the hospital information system, such as the terminology services or master files, adds further complexity to the creation of documents, but achieves the objective of improving the semantic understanding of the available information [12]. The most remarkable points of the implementation are:

- Persistence: inalterability of the document through time. Modifications are represented by a versioning system.
- Administration: the document is administered by a person or organization, who is in charge of the veracity of the information.
- Authentication: the document's XML structure allows the use of a standard security system such as digital signature or public and private key infrastructure (PKI).
- Legibility: the document can be read by a person and processed by usual tools, such as web browsers, with no need for additional software or components.
- Platform independence: the document, being encoded in a standard language (XML), does not depend on the operating system or programming language, making it possible to process it under any system or platform and to obtain a customized visualization through the use of style sheets (XSL).

Impact in Health Care

Traditionally a physician asserts his identity only once, when accessing the EHR by typing his username and password. This password is granted after the professional signs (by hand) a confidentiality agreement on completing his training in the use of the system. All the actions carried out by the provider through the EHR are registered under his user name.
The summary of the provider's work, documented in a single XML file with the digital and electronic signature provided by the E-Token, will allow the creation of a trustworthy and unique registry of medical acts. On the other hand, current graphical interfaces, although they provide improvements in usability and information visualization, do not correspond to the traditional paper charts. Traditionally professionals record their observations and findings in documents and then sign them. The implementation of CDA and digital/electronic signature maintains this sequence.

Conclusion

The implementation of this solution allowed users to access laboratory results, imaging reports, referral notes, discharge letters, progress notes, diagnoses, procedures and medical prescriptions in a fully legible format, with the possibility of processing the information for later inclusion in other information systems or related health care applications. Document visualization was customized using XSL style sheets, rendering the styles, typography and icons recognized and validated by the institution. On the other hand, XML structuring allowed the implementation of digitally signed clinical documents using a PKI infrastructure, granting the documents legal validity according to local regulations. The addition of a time stamping service (also digitally signed) will give temporality to this unique registry of medical acts. Implementing the CDA standard together with digital/electronic signature in an electronic health record is a true challenge, since it entails an important technological and organizational impact. At this moment we are carrying out a pilot test to complete the system and the norms and procedures created for this purpose.

References

[1] Muller ML, Uckert F, Burkle T, Prokosch HU. Cross-institutional data exchange using the clinical document architecture (CDA). Int J Med Inform 2005;74(2-4):245-56.
[2] HL7. Health Level Seven. An application protocol for electronic data exchange in healthcare environments. Version 2.3. Health Level Seven Chapter 7, Ann Arbor, Michigan, 1997.
[3] Dolin RH, Alschuler L, Boyer S, Beebe C, Behlen FM, Biron PV, Shabo Shvo A. HL7 Clinical Document Architecture, Release 2. J Am Med Inform Assoc 2006;13(1):30-9.
[4] Gonzalez Bernaldo de Quiros F, et al. Migración a plataforma web de una Historia Clínica Electrónica. In: CBIS'2004 - IX Congresso Brasileiro de Informática em Saúde; 2004; Ribeirão Preto-SP, Brasil.
[5] Gomez A, Gonzalez Bernaldo de Quiros F, et al. Implementación de un sistema de mensajería electrónica HL7 para la integración de un sistema multiplataforma. In: 4to Simposio de Informática en Salud - 30 JAIIO; 2001; Buenos Aires, Argentina.
[6] Dolin RH, Alschuler L, Boyer S, Beebe C. An update on HL7's XML-based document representation standards. Proc AMIA Symp 2000:190-4.
[7] Gerdsen F, Mueller S, Jablonski S, Prokosch HU. Standardized Exchange of Medical Data between a Research Database, an Electronic Patient Record and an Electronic Health Record using CDA/SCIPHOX. AMIA Annu Symp Proc 2005:963.
[8] Paterson GI, Abidi SS, Soroka SD. HealthInfoCDA: Case Composition Using Electronic Health Record Data Sources. Stud Health Technol Inform 2005;116:137-42.
[9] Ley 25506 - Ley de Firma Digital. Boletín Oficial de la República Argentina; 2001. p. 1.
[10] XML-Signature Syntax and Processing. IETF RFC 3075; 2001.
[11] Imamura T, Dillaway B, Simon E. XML Encryption Syntax and Processing. W3C; 2002.
[12] Lopez Osornio A, et al. Desarrollo de un servidor de terminología clínico. In: 8mo Simposio de Informática en Salud - 34 JAIIO; 2005; Santa Fe, Argentina.

Address for correspondence

Dr. Fernán Gonzalez Bernaldo de Quirós, Vice-Director Médico Estratégico - Hospital Italiano de Buenos Aires, Gascon 450 (1181) Buenos Aires, Argentina. [email protected]
