© 2002 Schattauer GmbH

Electronic Signature for Medical Documents – Integration and Evaluation of a Public Key Infrastructure in Hospitals

R. Brandner 1, M. van der Haak 1, M. Hartmann 2, R. Haux 1, P. Schmücker 1

1 Department of Medical Informatics, University of Heidelberg, Germany
2 Department of Dermatology, Heidelberg University Medical Center, Germany

Summary

Objectives: Our objectives were to determine the user-oriented and legal requirements for a Public Key Infrastructure (PKI) for electronic signatures for medical documents, and to translate these requirements into a general model for a signature system. A prototype of this model was then implemented and evaluated in clinical routine use.

Methods: Analyses of documents, processes, interviews, observations, and of the available literature supplied the foundations for the development of the signature system model. Eight participants of the Department of Dermatology of the Heidelberg University Medical Center evaluated the implemented prototype from December 2000 to January 2001, during the course of an intervention study. By means of questionnaires, interviews, observations and database analyses, the usefulness and user acceptance of the electronic signature and its integration into electronic discharge letters were established.

Results: Since the major part of the medical documents generated in a hospital are signature-relevant, they will require electronic signatures in the future. A PKI must meet the multitude of responsibilities and security needs of a hospital. Also, the signature functionality must be integrated directly into the workflow surrounding document creation. A signature model fulfilling the user-oriented and legal requirements was developed and implemented using hardware and software components that conform to the German Signature Law. It was integrated into the existing hospital information system of the Heidelberg University Medical Center. At the end of the intervention study, the average acceptance score for the electronic signature procedure was x̄ = 3.90 (SD = 0.42) on a scale of 1 (very negative attitude) to 5 (very positive attitude). Acceptance of its integration into computer-supported discharge letter writing reached x̄ = 3.91 (SD = 0.47). On average, the discharge letters were completed 7.18 days earlier.

Conclusion: The electronic signature is indispensable for the further development of electronic patient records. Application-independent hardware and software components, in accordance with the Signature Law, must be integrated into electronic patient records and connected to certification services using standardized interfaces. Signature-oriented workflow and document management components are essential for user acceptance in routine clinical use.

Keywords

Electronic patient records, data security, public key infrastructure, electronic signature

Methods Inf Med 2002; 41: 321–30 Received October 24, 2001 Accepted January 30, 2002

1. Introduction

Today, health care is characterized by a high specialization of health care institutions. The various institutions are placed in the position of co-operating with one another in the patient care process, often called shared care. Therefore, adequate communication between the institutions involved in the care process is a basic precondition for the efficiency and economic viability of medical care. The number of electronic patient record systems supporting the necessary data exchange is constantly increasing (1, 2, 3). Due to several shortcomings of paper-based patient records (4, 5), a transition towards electronic patient records has taken place in many health care institutions. Because of the steady increase in electronic storage and communication of highly sensitive medical data, questions of data security have arisen. Data protection and data security are not only demanded by the patient, but also required by several laws and regulations in many countries. New security concepts, based predominantly on cryptographic methods, must be integrated into the transition from conventional, paper-based patient records to electronic patient records (6). In addition to encrypting electronic data to ensure confidentiality and secrecy, the electronic signature secures data integrity and authenticity, and is of great benefit to the electronic patient record (7). In order to substitute the handwritten signature, electronic signatures must ensure responsibility and non-repudiation, as well as the prevention of forgery and reuse (6).

Electronic signatures are based on the asymmetric cryptography method. A corresponding pair of keys is used, consisting of a private and a public cryptographic key. Diffie and Hellman (8) laid down the theoretical foundations of asymmetric cryptography in 1976. To sign a document electronically, an unambiguous checksum (hash value) of fixed length is calculated for the electronic document with the help of a hash function. This checksum is encrypted with the private key of the signing person. It is then attached to the document as the signature. The electronic signature can then be checked by means of the corresponding public key, which is freely available to any person. In order to check the integrity of an electronic document, the checksum of the document is recalculated with the help of the hash function. The public key is needed to decrypt the electronic signature. If both checksums are identical, the integrity of the electronic document has been ensured. The authenticity of the pair of keys is ensured by means of a certificate. Certificates are specific electronic documents that associate the public key with the identification data of the key holder; they are signed electronically by so-called certification service providers. In this way, it can be assured that the person who signed the document electronically is the one claimed. Certification service providers, who fulfill the function of a Trusted Third Party, issue the certificates and offer other services connected with electronic signatures, e.g. directory services. By means of these services, the certificates are published and can be checked by everyone. The complete infrastructure necessary for carrying out the procedures of electronic signature is known as Public Key Infrastructure (PKI) (9).

In Germany, electronic signatures received legal acceptance by means of the Signature Law of 1997 (10). The German Signature Law established technical and organizational conditions for the secure creation and verification of electronic signatures. Despite the high security requirements defined by the Signature Law (e.g., the obligation to obtain official approval of certification service providers, the evaluation of technical components according to established security standards, such as the ITSEC – Information Technology Security Evaluation Criteria), legal equality of the electronic signature with the handwritten signature has not been achieved in Germany so far. The European Directive toward a Community framework for electronic signatures (11), which must be put into action by national legislation of the member states by the middle of the year 2001, aims at harmonizing secure data exchange within the European Union. The directive also aims at the creation of a foundation for the legal equality of electronically signed documents and hand-signed documents. Although the electronic signature has been accepted legally in Germany for quite some time, it has not achieved general establishment in practice. This was not only due to the lack of equality to hand-signed documents, but also to its lack of integration into complex organizational structures. As with electronic patient record systems, the success of its implementation and use depends, to a large extent, on the integration into a complex organizational field (12). Implemented security technology will not be used consistently if the users are not convinced of the benefits and the security of the tools (13).

In the Heidelberg University Medical Center, approximately 6 million pages of medical documents are produced every year. This corresponds to a need of approx. 1500 meters of archive shelf space (4). Due to the shortcomings of conventional paper-based archiving, a multi-media electronic patient record, in the form of a digital archive, has gradually been introduced since 1995. Electronic documents generated by different user systems are directly indexed and adopted into the electronic patient record via standardized interfaces, whereas paper-based documents are first scanned and then adopted. The electronic patient record can be viewed using a health professional workstation system, IS-H*MED, at more than 1200 workplaces throughout the Heidelberg University Medical Center. In order to ensure the evidentiary quality of the electronic documents, at the moment they are additionally printed, signed by hand and then conventionally archived. This, however, is inconsistent with the economic viability of digital archiving.

This paper describes requirements and possible solutions for user-oriented PKIs for electronic signatures for medical documents in hospitals, taking the German Signature Law into account to obtain legal acceptance of the electronically signed documents. First, the user-oriented requirements of a PKI in a hospital are presented. Taking these requirements into account, a signature system model was developed that encapsulates the necessary signature functionality. The model can be integrated into any computer-based application system. The implemented prototype of the system is described following a brief presentation of the developments of the market for services and products conforming to the Signature Law. The last chapter describes the results of our intervention study, in the course of which the system was tested in clinical routine.

2. Material and Methods

A document analysis of paper-based patient records and process analyses in different departments of the Heidelberg University Medical Center were conducted. Also, several interviews and observations were conducted to determine the types of signature-relevant documents and to analyze the processes of their creation. The document analysis was performed on the basis of a random sample of 48 paper-based patient records of the Ear, Nose and Throat Dept. of the Heidelberg University Medical Center. On the basis of these user-oriented requirements, and of an analysis of the literature on legal requirements, models for PKIs in hospitals were developed in accordance with the Signature Law. A market analysis of hardware and software components available for electronic signatures formed the foundation for the integration of the PKI into the existing health professional workstation system. The health professional workstations were equipped with Cardman Desktop Compact smartcard readers, Utimaco Software AG, Germany. The storage and use of the private signature key took place on Telesec Signature Cards, PKS-Card 2.0, using the SLE66CX160S chip, Siemens AG, Germany, and TCOS 2.0 (Telesec Chipcard Operating System), Deutsche Telekom AG, Product Center Telesec. The integration of the signature functionality into the health professional workstation system was performed using security tools from Secude GmbH (14).

In order to evaluate the usefulness of the concepts and the integrated technical solutions practically, a pilot study was performed in both the inpatient and outpatient areas of the Department of Dermatology of the Heidelberg University Medical Center. Six physicians and two typists (n = 8) took part in this study. During the two-month study period (01.12.2000–31.01.2001), all discharge letters were signed electronically. By means of questionnaires, interviews, observations and database analyses in IS-H*MED, the usefulness and user acceptance of the electronic signature and its integration into electronic discharge letter writing were established. Before the start of the study, user satisfaction with the electronic discharge letter writing functionality, according to (15), as well as the expectations of the users towards electronic signatures, were established. At the end of the study, the users were re-interviewed to determine changes in user acceptance due to the practical use of the electronic signature.

In order to evaluate the questionnaires, acceptance scores of different categories were calculated that mirror user satisfaction on a scale of 1 to 5 (1 = very negative attitude, 2 = negative attitude, 3 = neutral attitude, 4 = positive attitude, 5 = very positive attitude). Additionally, the self-descriptiveness, the conformity with user expectations, and the ease of learning of the employed security software were established based on a questionnaire according to ISO 9241 (16). At the end of the study, the study participants were asked about their overall satisfaction with the security solution and its further use. In order to determine the influence of the electronic signature on the duration of electronic discharge letter writing, database analyses in IS-H*MED were performed for two random samples of 60 discharge letters each, one sample hand-signed and one electronically signed. On the basis of the status protocols, the mean duration was calculated from electronic creation up to archiving, including the handwritten or electronic signing of the discharge letters.

3. Results

3.1 Signature-Relevant Medical Documents and the Processes of their Creation

Conventional paper-based patient records contain a large number of different document types, most of which are signature-relevant. Table 1 presents the results of a document analysis conducted in the Ear, Nose, and Throat Department of the Heidelberg University Medical Center with the aim to examine the signature relevance of the documents. Major signature-relevant document types are the generic classes of accompanying documentation, documentation of surgical reports, nursing documentation, as well as examination orders and results. Laboratory and departmental examination orders are also signed, but not the corresponding results, due to their electronic creation. Most often, the documents are signed by the responsible physician; however, the nursing staff and the patients also sign documents. Some document types, e.g. discharge letters, are signed by several people, i.e. by the treating junior physician, the responsible physician and, in several medical departments, also by the superintendent. That signature-relevant documents in conventional patient records are sometimes not signed is partly attributed to the fact that only the original document, which is sent to the physician who will continue the treatment of the patient, is actually signed. The above observations clearly show the importance that will be accorded to the electronic signature in the future, as well as the responsibilities and security needs that must be taken into account during the conception of electronic signature solutions.

Table 1 Types of signature-relevant documents and the corresponding signature-authorized personnel. Results of a document analysis performed on 48 paper-based patient records of the Ear, Nose and Throat Dept. of the Heidelberg University Medical Center in 1999.

Document creation processes depend on the type of document and the generating institution. Therefore, they are very variable and of differing complexity. Sometimes, several people are involved in the generation of a document. In cases of extensive electronic documentation, typists often take on the job of electronic document creation. In this case, the physician dictates the content of the document by means of a dictaphone. The data generated by the health professional workstation system, such as diagnoses and therapies, are transferred to the electronic documents. The physicians either conduct the checks and corrections of the documents directly on the computer, or they pass the paper-based corrections on to the typists, who enter them into the computer. Following electronic creation and correction, the documents are printed, hand-signed, sent to the institution responsible for further treatment, and then archived in the conventional paper-based record. The electronic documentation is archived in the electronic patient record. As an example, the activity diagram of the creation process of a discharge letter within the Department of Dermatology of the Heidelberg University Medical Center shows the complexity and the multiple medium switches during document creation (Fig. 1). The specific creation process of the documents must be taken into account when integrating the electronic signature into electronic patient records. Otherwise, health professionals could be burdened with additional security functionality.

Fig. 1 UML activity diagram of the work process of writing a discharge letter within the Department of Dermatology of Heidelberg University Medical Center.

3.2 Building of a PKI in a Hospital in Accordance with the Signature Law

3.2.1 Security Levels according to the German Signature Law

The German Signature Law (17), which was revised according to the European Directive and became effective on May 22, 2001, describes different levels of security for electronic signatures, and thereby meets the different security requirements of different application fields within health care. The German Signature Law differentiates, as does the European Directive, between simple and advanced electronic signatures on a lower security level. No legal regulations are foreseen for generating and verifying electronic signatures on these security levels. The German Signature Law also distinguishes between qualified and accredited electronic signatures. For these signatures, legal restrictions apply to the PKI. According to German legislation, only electronic signatures of these security levels are considered equal to handwritten signatures.

3.2.2 Certification Services

To guarantee security, the German Signature Law accepts the role of the service provider. In principle, no authorization is necessary to run a certification service. A certification service provider is allowed to delegate certain tasks to a third institution as long as it takes the security concept of the certification service into account. In order to prove that the technical and administrative security has been checked extensively, a certification service provider can, voluntarily, be accredited. For this reason, the term “accredited electronic signature” is used. A PKI in a hospital must fulfill the existing legal requirements. On the other hand, it must satisfy the user-oriented requirements in clinical routine. The model of a distributed PKI is presented in Fig. 2. A Registration Authority (RA) carries out part of the tasks immediately. The RA is responsible for reliable user identification and registration. It can also support users in their request and revocation of certificates, and distribute the smartcards. The Certification Authority (CA) is responsible for generating certificates and certificate revocation lists (CRL), and for their publication through the Directory Service (DIR). For security reasons, the CA can also securely generate and store the signature key on the smartcard. Further, the CA can take over personalization of the smartcard. In order to accelerate smartcard issuance, the RA can also carry out these activities immediately. The time stamp service (TS) is necessary to store the time point at which the electronic signatures became valid, and to renew electronic signatures before their security duration expires.


In health care, it is necessary to check if a person is qualified as a health professional. This can be achieved by means of so-called attribute certificates. The responsible professional associations and organizations can use these certificates to confirm the medical qualification of the users. For German physicians, the “Landesärztekammern” (state medical chambers) carry out this confirmation. Nurses, however, do not have such a professional organization. The lack of a unique platform for registering all health professionals in Germany complicates the process of issuing attribute certificates. Introducing a unique identification card for each health care participant could solve this problem. Responsible professional institutions and organizations can attach several attribute certificates.

3.2.3 User Components of the Electronic Signature

According to the German Signature Law, the user components for generating and verifying qualified and accredited electronic signatures are divided into signature generation components and signature application components. Signature generation components are used for the secure storage and use of the private signature key, for instance, on multifunctional smartcards. They must be checked according to security standards, such as ITSEC. In the field of health care, the Health Professional Card (HPC) must meet these security requirements. The HPC is defined on the European level by the ENV 13729 standard: Health informatics – Secure user identification for healthcare: strong authentication using microprocessor cards (18), and in Germany by the HPC-D (physician): German Health Professional Card – specification physician (19). Besides physicians, other professional groups working in the hospital, such as nursing staff, pharmacists, clerical assistants etc., must also be integrated in the PKI. They will need multi-functional chip cards with cryptographic functionality to allow secure use of the electronic signature, authentication to computer systems, and encryption of electronic data for transport. Besides these application fields, further requirements for multi-functional chip cards apply in hospitals, for example, in the form of employee identification cards, visual identification cards, cashless payment, or contact-free room entry. In order to ensure the interoperability of multi-functional smartcards in health care, the technical and organizational concepts for health care professional cards, organization-specific employee identification cards, and smartcards conforming to the Signature Law must be harmonized.

Fig. 2 Model of a Public Key Infrastructure (PKI) in hospitals.

Signature application components transmit electronic data to the signature generation component, or check electronic signatures. For qualified electronic signatures, according to the German Signature Law, producer declarations concerning the functionality and security of signature application components are sufficient. For accredited electronic signatures, however, signature application components meeting ITSEC standards are demanded. In order to avoid a security check of complete electronic patient record systems according to the Signature Law, independent signature application components should be integrated. The signature system model (Fig. 3) developed in the course of the project encapsulates the signature functionality and provides interfaces to the necessary certification services, as well as integration into any electronic patient record system. The signature functionality can be started via defined interfaces from the electronic patient record system. In order to guarantee that the signature system is application-independent, the electronic patient record system must allow extended document management functions, workflow components, and authorization concepts for user-oriented application of the signature functionality. This implies, for instance, the use of user- or role-specific authorization for generating electronic signatures by integrating the above-mentioned certificates, or attribute certificates, in the user administration of the electronic patient record system. Thus, for example, the typist is not allowed to sign a discharge letter electronically, whereas the treating physician is allowed to sign it. In addition, the processing status of a document must be taken into account, because the document can only be modified, and therefore signed electronically, before it has been archived. In contrast, checking an electronic signature is independent of the user, his role, or the processing status of the document.

● The control component is the central component of the signature system. It receives signature requests from the computer-based application system, analyzes them, and transmits them to other components.

● The signing component is used to securely generate electronic signatures by making use of multi-functional smartcards. The component must clearly indicate the generation of the electronic signature beforehand, and must verify to which data the signature applies. The signing component must be able to generate multiple signatures and to store the signature in a standardized format.

● The verification component serves the secure verification of the integrity and authenticity of electronically signed documents. Verification is carried out without use of the smartcard, since only the public key of the certificate is needed for the integrity verification of the signed document. The authenticity can be verified either by means of the certificate information from the signed document, or by the directory service. The verification component must be provided with interfaces to the directory services, from which certificate revocation lists and certificate status queries must be requested and analyzed. The time of verification must be variable and should not be restricted to the current date. This is necessary to allow verification of electronic signatures even after a certain period of time. The verification result must clearly indicate to which data the electronic signature applies, that these have been unaltered, by whom the signature was generated, whether the corresponding certificates are available at the time of verification, and that the certificates have not been revoked.

● The representation component serves the unambiguous presentation of the documents that need to be signed or checked, to establish to which content the signatures refer. For this purpose, standardization of data formats, layout definition, as well as other external aspects concerning the presentation and functionality of the navigation or content retrieval are necessary. In this context, the representation component is seen as a mere presentation component that does not allow a modification of the contents of the document.

● The conversion component serves the transformation of the signature-relevant documents into a standardized format. The conversion component must, above all, guarantee the preservation of the contents and presentation of an electronic document. Because of the great number of currently used and partly proprietary document formats, it is necessary to convert electronic documents into a uniform, standardized format. Otherwise, considering the enormous speed of technological developments, one can hardly imagine that adequate representation components will be available following an archiving period of 30 years or more. A document, for instance, that has been generated using Microsoft Winword 1.0 could probably not be interpreted correctly today, yet the electronic signature would still be valid.

● The print component is used to print the contents of electronically signed documents to make them accessible via conventional media. Before printing, the electronically signed document must be verified by the verification component. The result of the verification must be visible on the printout.

● The renewal component serves to ensure the long-term security of electronically signed documents. Electronic signatures possess a limited lifespan due to the use of cryptographic algorithms. Before the security suitability of the cryptographic algorithm used expires, electronically signed documents must be re-signed using a time stamp service with secure algorithms and key lengths.

Fig. 3 Model of a signature system for the integration of signature functionality into electronic patient records.
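An added example, not the paper's or the prototype's code, of the verification component's requirements listed above: integrity is checked with the certificate's public key alone, chain validity is evaluated at a freely chosen verification time rather than the current date, and revocation is judged at that same time, so a letter signed before a later revocation still verifies for its signing date. ToyPKI, its constructed hospital CA and physician certificate, the in-memory revocation entries and all names are assumptions of this example; Go's crypto/x509 stands in for the prototype's directory interfaces.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ToyPKI is a constructed stand-in for the certification services: a hospital CA, one physician
// certificate (key in memory here, on the smartcard in the prototype) and the CA's revocation entries.
type ToyPKI struct {
	CACert, UserCert *x509.Certificate
	UserKey          *rsa.PrivateKey
	CRL              []pkix.RevokedCertificate
}

// VerifyResult is what the verification component must report for the chosen verification time.
type VerifyResult struct {
	IntegrityOK, CertValidAtTime, RevokedAtTime bool
	Signer                                      string
}

// issue creates and parses a certificate; parent == tmpl yields a self-signed CA certificate.
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewToyPKI builds the CA and a physician certificate valid from notBefore for validFor.
func NewToyPKI(notBefore time.Time, validFor time.Duration) (*ToyPKI, error) {
	caKey, err1 := rsa.GenerateKey(rand.Reader, 2048)
	userKey, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("key generation failed: %v %v", err1, err2)
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Hospital CA (constructed)"},
		NotBefore: notBefore, NotAfter: notBefore.Add(10 * validFor),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caCert, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	userCert, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Dr. Example Physician (constructed)"},
		NotBefore: notBefore, NotAfter: notBefore.Add(validFor),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
	}, caCert, &userKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &ToyPKI{CACert: caCert, UserCert: userCert, UserKey: userKey}, nil
}

func (p *ToyPKI) Sign(doc []byte) ([]byte, error) { // physician's signature: SHA-256 digest, RSA PKCS#1 v1.5
	d := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, p.UserKey, crypto.SHA256, d[:])
}

func (p *ToyPKI) Revoke(at time.Time) { // records the physician's certificate as revoked from `at` on
	p.CRL = append(p.CRL, pkix.RevokedCertificate{SerialNumber: p.UserCert.SerialNumber, RevocationTime: at})
}

// VerifyAt evaluates the signature at an arbitrary verification time; no smartcard is needed, only the certificate.
func (p *ToyPKI) VerifyAt(doc, sig []byte, at time.Time) VerifyResult {
	res := VerifyResult{Signer: p.UserCert.Subject.CommonName}
	d := sha256.Sum256(doc)
	pub, ok := p.UserCert.PublicKey.(*rsa.PublicKey)
	res.IntegrityOK = ok && rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
	roots := x509.NewCertPool()
	roots.AddCert(p.CACert)
	_, err := p.UserCert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	res.CertValidAtTime = err == nil
	for _, e := range p.CRL { // revoked only if the revocation time is not after the verification time
		if e.SerialNumber.Cmp(p.UserCert.SerialNumber) == 0 && !e.RevocationTime.After(at) {
			res.RevokedAtTime = true
		}
	}
	return res
}

func main() {
	pki, _ := NewToyPKI(time.Date(2000, 12, 1, 0, 0, 0, 0, time.UTC), 2*365*24*time.Hour) // error ignored in this demo
	doc := []byte("Discharge letter, constructed sample text")
	sig, _ := pki.Sign(doc)
	pki.Revoke(time.Date(2001, 3, 1, 0, 0, 0, 0, time.UTC))
	fmt.Printf("%+v\n", pki.VerifyAt(doc, sig, time.Date(2001, 6, 1, 0, 0, 0, 0, time.UTC)))
}
```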

3.2.4 Market Developments of Services and Products Offered Satisfying the Signature Law

In Germany, the market for hardware and software components for electronic signatures and for approved certification service providers satisfying the German Signature Law has developed slowly during the last few years. On the one hand, the necessary revision of the Signature Law, as a result of its divergences from the European Directive, generated some uncertainty on the side of the suppliers. On the other hand, the high security requirements of the German Signature Law, as well as the lengthy evaluation processes, have slowed down the development. Meanwhile, 13 accredited suppliers offer various certification services according to the German Signature Law. Among these, 10 represent so-called virtual trust centers, which take on parts of the tasks ensured by the 3 providers of full certification services. There is only one certification service provider who is specialized in health care. In cooperation with a Landesärztekammer, this service issues electronic identification cards to physicians. Three different suppliers currently offer smartcards that satisfy the Signature Law. The necessary readers are provided by 4 suppliers. At the moment, 9 signature application components are available from 5 different suppliers. These are offered either as a complete software application, as a plug-in for e-mail systems, or as function libraries. Lacking functionality (multiple signatures, linkage to time stamp services etc.) and limited interoperability of the PKI components currently make an investment-secure integration into existing systems difficult. At the moment, users criticize the high costs of building a PKI and the organizational expenditures linked to this task.

3.2.5 Building and Integrating the Prototype

In Fig. 4, the procedures implemented in the pilot project and the integrated hardware and software components are presented graphically using a 3-level model (29). The smartcards and readers employed, as well as the library for integrating the signature functionality into the health professional workstation, carry a confirmation according to the German Signature Law. All components of the signature system model (Fig. 3), except the renewal component, were implemented in the prototype. The discharge letters generated in IS-H*MED as Microsoft Word documents were converted into TIFF-format images by the conversion component before the electronic signature was generated, so that the signature is applied to the rendered image rather than to the editable Word file. During generation and verification, the document contents were presented via the representation component, which offers zoom and scrolling functionality as well as thumbnails for faster navigation in documents spanning several pages; the signer thus sees the document in the form that is actually signed. The signing component supports the PC/SC standard for communication with the smartcard. At the moment, the RSA algorithm (20, 21) with a key length of 1024 bits, classified as secure at the time of writing, is used as the signature algorithm, and SHA-1 (22, 23) as the hash function. The electronically signed documents are stored in PKCS#7 format (24), which supports the necessary multiple signatures, for example by the junior physician and the responsible physician, in the form of countersignatures. The verification component is provided with LDAP (Lightweight Directory Access Protocol) (25) and OCSP (Online Certificate Status Protocol) (26) interfaces to the directory service to allow verification of the certificates.
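The signing flow described above, with the junior physician's signature over the rendered letter and the responsible physician's countersignature, as an added example that is not the prototype's code. It models the relationship PKCS#7 defines between a SignerInfo and a countersignature (RFC 2315, section 9.6: the countersignature is computed over the signature value of the SignerInfo it countersigns, not over the document) using textbook RSA-1024 with PKCS#1 v1.5 padding and SHA-1 in plain Python, without ASN.1/DER encoding, certificates, LDAP or OCSP. The dataclass names, the "junior physician"/"responsible physician" labels and the TIFF stand-in bytes are constructed for this example; in-process key generation replaces the smartcard. SHA-1 and RSA-1024 are used only to mirror the parameters named in the text, not as a current recommendation.

```python
"""Model of the PKCS#7 signature/countersignature structure used for discharge letters.
Added example, not the prototype's code: textbook RSA with PKCS#1 v1.5 padding and
SHA-1 in plain Python, no ASN.1/DER. Demonstration code only."""
import hashlib
import secrets
from dataclasses import dataclass, field

# DER prefix of DigestInfo for SHA-1 (PKCS#1 v1.5, RFC 3447 section 9.2, note 1).
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases; false-positive probability at most 4**-rounds."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:  # odd candidate with the top bit set, retried until probably prime
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_rsa_key(bits=1024, e=65537):
    """Return ((n, e), (n, d)). e is prime, so e not dividing phi means gcd(e, phi) = 1."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            return (n, e), (n, pow(e, -1, phi))


def emsa_pkcs1_v15_sha1(message, k):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo(SHA-1(message)), k bytes long."""
    t = SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_sign(priv, message):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15_sha1(message, k), "big")
    return pow(em, d, n).to_bytes(k, "big")


def rsa_verify(pub, message, signature):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(signature) != k or int.from_bytes(signature, "big") >= n:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return secrets.compare_digest(em, emsa_pkcs1_v15_sha1(message, k))


@dataclass
class SignerInfo:
    signer: str               # stands in for PKCS#7 issuerAndSerialNumber
    signature: bytes          # PKCS#7 encryptedDigest
    countersignatures: list = field(default_factory=list)  # unauthenticatedAttributes


@dataclass
class SignedDocument:
    content: bytes            # the TIFF rendering, i.e. what the signer was shown
    signer_infos: list


def sign_document(tiff_bytes, signer, priv):
    """First signature: SHA-1/RSA directly over the rendered content (no authenticated attributes)."""
    return SignedDocument(tiff_bytes, [SignerInfo(signer, rsa_sign(priv, tiff_bytes))])


def countersign(doc, index, signer, priv):
    """Countersignature: signs the signature value of an existing SignerInfo, not the content."""
    target = doc.signer_infos[index]
    target.countersignatures.append(SignerInfo(signer, rsa_sign(priv, target.signature)))


def verify_document(doc, pubkeys):
    """Every SignerInfo must verify over the content, every countersignature over its parent."""
    def check(si, signed_bytes):
        return rsa_verify(pubkeys[si.signer], signed_bytes, si.signature) and all(
            check(cs, si.signature) for cs in si.countersignatures)
    return all(check(si, doc.content) for si in doc.signer_infos)


if __name__ == "__main__":
    letter_tiff = b"II*\x00constructed stand-in for the TIFF rendering of a discharge letter"
    junior_pub, junior_priv = generate_rsa_key()
    senior_pub, senior_priv = generate_rsa_key()
    keys = {"junior physician": junior_pub, "responsible physician": senior_pub}
    doc = sign_document(letter_tiff, "junior physician", junior_priv)
    countersign(doc, 0, "responsible physician", senior_priv)
    print("both signatures valid:", verify_document(doc, keys))
    # Altering the rendering breaks the first signature and with it the whole chain.
    print("after tampering:", verify_document(SignedDocument(letter_tiff + b"\x00", doc.signer_infos), keys))
```

The point worth noticing is in `countersign` and `verify_document`: because the responsible physician signs the junior physician's signature value rather than the letter, the countersignature is only meaningful together with the SignerInfo it is attached to, and a verifier that checks the countersignature against the document content would wrongly reject it.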

3.3 Benefits and User Acceptance of the Electronic Signature in Clinical Routine

Physicians and clerical assistants of the "Neisser" ward and of the outpatient area for allergies and occupational and environmental diseases of the Department of Dermatology of the Heidelberg University Medical Center participated in the evaluation study. The medical activity fields of the participating institutions range from conservative dermatology and allergology to HIV and AIDS treatment. Especially in the last field, highly sensitive treatment data accrues. All 8 study participants had more than 1 year of experience in using the electronic discharge letter writing component of IS-H*MED, which they use several times a week. They estimate their computer knowledge as average to good. The average user satisfaction score was rather positive (x̄ = 3.5; SD = 0.96). The users expect increased security of their electronic documents from the electronic signature. The evidential quality of the documents is very important to them. Although they can only partly assess the security of the procedure, they trust its secure implementation in the electronic patient record system. The users considered the time needed to generate an electronic signature, approx. 7 s with the hardware and software components used, unproblematic. However, it was hard for them to judge the validity of a verification result. Owing to the simple use, the users see legally compliant electronic signatures as a practicable replacement for handwritten signatures. The users' expectation toward the electronic signature procedure was relatively high (x̄ = 3.78; SD = 0.54) prior to its introduction into clinical routine. With the practical experience gained during the course of the study, the average acceptance score rose slightly, without changing significantly (x̄ = 3.90; SD = 0.42).

Methods Inf Med 4/2002


Fig. 4 3-level graph-based model (29) of the hardware and software components used in the Department of Dermatology of Heidelberg University Medical Center for digitally signing discharge letters.

The interviewed physicians and clerical assistants believe that signing discharge letters electronically makes sense, because it saves a great deal of work and speeds up the completion of discharge letters. For example, once the computer-based check and corrections have been made, physicians do not have to re-check the printed discharge letters before giving their handwritten signature. The clerical assistants are relieved of the burden of copying discharge letters on paper, as well as of long searches and processing times. The users rated the integration of the electronic signature into the procedures of electronic discharge letter writing positively. In order to meet the extensive security needs of medical documents, the signature functionality must be integrated directly into the electronic patient record systems. The users' expectation toward integration of the electronic signature into clinical routine was relatively high (x̄ = 3.73; SD = 0.40) prior to its introduction. With the practical experience gained during the course of the study, the average acceptance score rose slightly, without changing significantly (x̄ = 3.91; SD = 0.47). The ergonomics of the signature module's user interface generally received positive ratings, specifically in the four ISO 9241-10 categories of suitability for the task (x̄ = 4.20; SD = 0.44), self-descriptiveness (x̄ = 4.07; SD = 0.62), conformity with user expectations (x̄ = 4.23; SD = 0.36) and suitability for learning (x̄ = 4.03; SD = 0.47). The general user satisfaction with the prototype of the integrated signature module clearly received positive ratings (x̄ = 4.38; SD = 0.52). The users would continue to use it for generating electronic signatures for discharge letters in clinical routine. The users' subjective impression of faster completion of discharge letters is confirmed by the objective analysis of the status protocols of the discharge letters in IS-H*MED. The average total duration of electronic discharge letter writing was significantly shorter during the intervention period than in a comparable period of the previous year. On average, the discharge letters were completed 7.18 days earlier. This corresponds roughly to the period of time the different people involved needed to sign a discharge letter by hand.

4. Discussion and Conclusions

Most of the medical documents in hospitals are signature-relevant. When they are created electronically, these documents must be signed electronically in order to ensure their integrity and authenticity. The analysis of the business processes during creation of the documents forms the foundation for user-suitable integration of the electronic signature and therefore for the success of the security solution. In clinical routine, the procedure will only be accepted if the performance of the signature functionality and the necessary user interfaces optimally support the complex business processes. The creation, signature, communication and long-term archiving of medical documents must be based on internationally accepted standards, because a later conversion of electronically signed documents is only partly possible. Electronic signatures in health care are feasible if they are supported by the relevant standards, such as XML, DICOM and HL7 (27, 28). The applications themselves must support the electronic signature procedures in order to ensure the security of the signed documents. For integration, modular software tools provide the necessary functionalities and interfaces.

Besides the user demands, PKIs in health care must satisfy the respective national legal requirements, which in Germany, for example, are set forth by the Signature Law. This is necessary to obtain legal acceptance of electronically signed documents equal to that of hand-signed documents. Today, in Germany, accredited certification service providers offer concepts that are in accordance with the Signature Law and that facilitate the user-oriented issuance of multifunctional chip cards and certificates in health care. These must be taken up and implemented across organizations and professions to facilitate secure electronic data exchange in health care.

The prototype we developed for signing discharge letters electronically was integrated into the existing information system infrastructure of the Heidelberg University Medical Center. Through the integration of application-independent software components that satisfy the Signature Law, electronic signatures can be given from the health professional workstation system IS-H*MED. Because this system is installed in more than 140 institutions, mainly in Europe and Asia, the application is not limited to the Heidelberg University Medical Center but can also be transferred to other health care institutions. For clinical routine use, the document management functionality as well as the user administration of IS-H*MED must be extended. By means of an evaluation study in clinical routine, first practical scientific findings on the users' views of electronic signatures on medical documents could be gained. In the examined documentation scenarios, the use of electronic signatures for signature-relevant documents generated by electronic patient record systems saved a great deal of work. This resulted in time savings of seven days, which is certainly of clinical, and sometimes even economic, importance. The timely completion of discharge letters is a prerequisite for further patient treatment and increases the efficiency of medical care. In some countries, e.g., in the USA, billing cannot begin until the discharge summary is completed and signed. Generally, the study participants had a positive attitude towards the electronic signature procedures and their integration into electronic discharge letter writing.
Due to differing prevailing conditions, a transfer of the study results to other institutions and documentation scenarios is only partly possible and should be investigated through more extensive controlled trials. By using law-compliant electronic signature components, electronic medical documentation with evidential value can be realized. A further step towards the electronic patient record can thus be made.

Once the legal regulations are observed and the long-term security of electronically signed documents is ensured, it will be possible to build audit-proof (revision-secure) digital archives that comply with the regulations.

References

1. van Bemmel JH. Toward a Virtual Electronic Patient Record. MD Comput 1999; 16 (6): 20-1.
2. Smith E, Eloff JH. Security in health-care information systems – current trends. Int J Med Inf 1999; 54 (1): 39-54.
3. Blobel B. The European Trust Health Project experiences with implementing a security infrastructure. Int J Med Inf 2000; 60 (2): 193-201.
4. Dujat C, Haux R, Schmücker P, Winter A. Digital Optical Archiving of Medical Records in Hospital Information Systems – A Practical Approach Towards the Computer-based Patient Record? Methods Inf Med 1995; 34 (5): 489-97.
5. Safran C, Goldberg H. Electronic patient records and the impact of the Internet. Int J Med Inf 2000; 60 (2): 77-83.
6. Epstein MA, Pasieka MS, Lord WP, Wong STC, Mankovich NJ. Security for the Digital Information Age of Medicine: Issues, Applications, and Implementation. J Digit Imaging 1998; 11 (1): 33-4.
7. van Dyk J. Public Key Infrastructure – Securing the Exchange of Health Information. MD Comput 2000; 17 (5): 44-6.
8. Diffie W, Hellman ME. New Directions in Cryptography. IEEE Trans Inf Theory 1976; 22 (6): 644-54.
9. ISO 7498-2. Information processing systems – Open Systems Interconnection – Basic Reference Model – Part 2: Security Architecture. International Organization for Standardization JTC 1. 1989.
10. SigG 1997. Federal Act Establishing the General Conditions for Information and Communication Services – Information and Communication Services Act – Article 3 Digital Signature Act. Bundesgesetzblatt Teil I 52: 1872-6.
11. SigR 2000. Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures. Official Journal of the European Communities L13: 12-20.
12. Anderson JG, Aydin CE, Jay SJ. Evaluating Health Care Information Systems: Methods and Application. Thousand Oaks (California): Sage Publications; 1994.
13. O'Brien DG, Yasnoff WA. Privacy, Confidentiality, and Security in Information Systems of State Health Agencies. Am J Prev Med 1999; 16 (4): 351-8.
14. Secude. Security Development Environment for Open Systems. Darmstadt: Secude Sicherheitstechnologie Informationssysteme GmbH; 1997.
15. Boy O, Ohmann C, Aust B, Eich HP, Koller M, Knode O et al. Systematische Evaluierung der Anwenderzufriedenheit mit einem Krankenhausinformationssystem – Erste Ergebnisse [Systematic evaluation of user satisfaction with a hospital information system – first results]. In: Hasman A, ed. Medical Infobahn for Europe – Proceedings of MIE2000 and GMDS2000. Amsterdam: IOS Press; 2000: 518-22.
16. Pruemper J. Software-Evaluation Based upon ISO 9241 Part 10. Lect Notes Comput Sc 1993; 733: 255.
17. SigG 2001. Law Governing Framework Conditions for Electronic Signatures and Amending Other Regulations. Bundesgesetzblatt Teil I 22: 876-84.
18. ENV 13729. Health informatics – Secure user identification for healthcare: strong authentication using microprocessor cards. European Committee for Standardization TC 251. 1999.
19. HPC-D v. 1.1. German Health Professional Card – Specification Physician Version 1.1. Gemeinsame AG der Kassenärztlichen Bundesvereinigung und der Bundesärztekammer [Joint working group of the National Association of Statutory Health Insurance Physicians and the German Medical Association]. 1999.
20. Rivest R, Shamir A, Adleman L. A method for obtaining digital signatures and public key cryptosystems. Commun ACM 1978; 21 (2).
21. ISO/IEC 14888-3. Information technology – Security techniques – Digital signatures with appendix – Part 3: Certificate-based mechanisms. International Organization for Standardization JTC 1/SC 27. 1999.
22. ISO/IEC 10118-3. Information technology – Security techniques – Hash-functions – Part 3: Dedicated hash-functions. International Organization for Standardization JTC 1/SC 27. 1998.
23. NIST FIPS Publication 180-1. Secure Hash Standard (SHS-1). National Institute of Standards and Technology. 1995.
24. PKCS#7. Cryptographic Message Syntax Standard. Public Key Cryptography Standards. RSA Laboratories. 1993.
25. RFC 2251. Lightweight Directory Access Protocol (v3). Network Working Group. 1997.
26. RFC 2560. Online Certificate Status Protocol – OCSP. X.509 Internet Public Key Infrastructure. Network Working Group. 1999.
27. XML Signature. Syntax and Processing. W3C Candidate Recommendation 19-April-2001. World Wide Web Consortium. 2001.
28. DICOM Supplement 41. Digital Imaging and Communications in Medicine (DICOM) Digital Signatures. NEMA Standards Publication PS 3. National Electrical Manufacturers Association. 2001.
29. Winter A, Haux R. A Three Level Graph-based Model for Management of Computer-Supported Hospital Information Systems. Methods Inf Med 1995; 34 (4): 378-96.

Correspondence to:
Dr. Ralf Brandner
Institute for Medical Biometry and Informatics
Department of Medical Informatics
University of Heidelberg
Im Neuenheimer Feld 400
Germany
E-Mail: [email protected]