PATIENT
AUTHENTI
CATION
SYSTEM
Technical
Specification
s Document
Version
1.1
Prepared By:
Technical Working Group
Created On:
8
th
July
2012
T
ABLE OF
C
ONTENTS
Health Authority Abu Dhabi
Technical Specification
Document
Confidential Document
–
Ve爠ㄮ1
偡来
2
of
㈵
REVISION HISTORY
................................
................................
................................
................................
..........
3
1.
INTRODUCTION
................................
................................
................................
................................
.........
4
1.1.
P
URPOSE OF
T
HIS
D
OCUMENT
................................
................................
................................
.................
4
1.2.
S
COPE OF
T
HIS
D
OCUMEN
T
................................
................................
................................
.....................
4
2.
OVERALL DESCRIPTION
................................
................................
................................
.........................
5
2.1.
P
ROJECT
P
ERSPECTIVE
................................
................................
................................
............................
5
2.2.
P
RO
JECT
S
TAKEHOLDERS
................................
................................
................................
........................
5
2.3.
A
SSUMPTIONS AND
C
ONSTRAINTS
................................
................................
................................
...........
5
2.4.
O
UT OF
S
COPE
................................
................................
................................
................................
.........
6
3.
PROPOSED SOLUTION
................................
................................
................................
............................
8
3.1.
H
IGH
L
EVEL
S
OLUTION
A
RCHITECTURE
................................
................................
................................
...
8
3.2.
A
PPLICATIONS
R
EQUIREMENTS
................................
................................
................................
................
8
3.2.1.
HAAD Gateway (Web server)
................................
................................
................................
............
8
3.2.2.
Client Side Application
................................
................................
................................
.......................
8
3.2.3.
Audit Appl
ication
................................
................................
................................
................................
..
9
3.3.
I
NFRASTRUCTURE
R
EQUIREMENTS
................................
................................
................................
........
12
3.4.
S
UPPORT
&
M
AINTENANCE
................................
................................
................................
....................
13
4.
RISKS
................................
................................
................................
................................
.........................
14
5.
GLOSSARY
................................
................................
................................
................................
................
15
6.
APPENDIX
................................
................................
................................
................................
..................
16
6.1.
P
ATIE
NT
A
UTHENTICATION
W
EB
S
ERVICE
(P
ROPOSED
)
................................
................................
.......
16
6.1.1.
Service Header
................................
................................
................................
................................
....
16
6.2.
A
UDIT
Q
UERY
W
EB
S
ERVICE
(P
ROPOSED
)
................................
................................
...........................
16
6.2.1.
Service Header
................................
................................
................................
................................
....
17
6.3.
V
ALIDATION
G
ATEWAY
:
B
ENCHMARK
T
ESTING
A
NALYSIS
................................
................................
.....
17
6.3.1.
VG with local secure messaging
................................
................................
................................
....
17
6.3.2.
VG with remote secure messaging
................................
................................
................................
20
7.
REVIEW SIGN OFFS
................................
................................
................................
................................
.
23
8. REVIEW SIGN OFFS
(CONT.)
................................
................................
................................
.....................
25
Health Authority Abu Dhabi
Technical Specification
Document
Confidential Document
–
Ve爠ㄮ1
偡来
3
of
㈵
Revision History
Date
Version
Description
Author
22 May 2012
0.1
Created
MOU
Technical
Working Group
30 May 2012
0.1
Updated
Applications Requir
ements,
Database Requirements,
Infrastructure Requirements
MOU
Technical
Working Group
31 May 2012
0.1
Updated Web Service Specifications
MOU
Technical
Working Group
7
th
June 2012
0.1
Updated High Level Solution
Architecture, Infrastructure
Requirements
, and Estimated Costs
MOU
Technical
Working Group
20
th
June 2012
0.1
Updated High Level Solution
Architecture, Infrastructure
Requirements, Estimated Costs
, and
Assumptions
MOU
Technical
Working Group
26
th
June 2012
1.0
Updated Risks and Assumptions
MOU
Technical
Working Group
1
st
July 2012
1.1
Updated Client Side Application,
Patient Authentication Web Service
,
and Risks
MOU
Technical
Working Group
Health Authority Abu Dhabi
Technical Specification
Document
Confidential Document
–
Ve爠ㄮ1
偡来
4
of
㈵
1.
Introduction
1.1.
Purpose of This Document
This
document describes the
Technical
Specifications
of
Patie
nt Authentication Project
as per the
mandate of the Emirates ID MOU Steering Committee to implement and integrate
EID
within the
healthcare sector under the “Cooperation Agreement regarding ID uniform usage in Abu Dhabi
healthcare sector” dated 14 4 2011.
1.2.
Scope of This Document
This document stipulates the
Technical
Requirements for the
Patient Authentication Project
. It
describes the
technical architecture in terms of application, infrastructure &
database. Moreover, it also
entails the licensing & cos
ting details.
Health Authority Abu Dhabi
Technical Specification
Document
Confidential Document
–
Ve爠ㄮ1
偡来
5
of
㈵
2.
Overall description
2.1.
Project
Perspective
As per the mandate of the Emirates ID MOU Steering Committee to implement and integrate EID within
the healthcare sector under the “Cooperation Agreement regarding ID uniform usage in Abu Dhabi
healthc
are sector” dated 14 4 2011, the
Patient Authentication Project
is a joint initiative undertaken by
the MOU Steering Committee to utilize the “coding abilities” of the EID card to raise the e
-
security level of
transactions where this card is used. Impleme
nting mutual authentication in healthcare is the highest
priority and delivers against a number of initiatives simultaneously.
There are no current business processes for electronic authentication of patients via EID integration
across the four entities.
Completion of patient identity is by visual inspection of the photo and
demographic information printed on the EID card,
when provided by the patient at the point of registration.
The EID number is recorded on e
-
claims when submitted to HAAD and Payers via
the e
-
claims process.
Otherwise, a code value for “Reason for no EID number” is entered on the e
-
claim as per HAAD Data
Standards.
The project will enable a technology based “Authentication System” and “Authentication Log” via EID
integration for electro
nic authentication of patient’s identity during encounters with health care providers.
The project aims to improve business processes that include completion of patient identification using
existing technology and available on the EID card, recording of e
vents to a secured log within a secured
Health Cloud and integration via standard application to provide EID data to the End User Applications.
The Authentication Log can then be used for authentication of events by authorized users, such as the
use case
for integrating mutual authentication with e
-
claims.
The EID number will continue to be recorded on e
-
claims when submitted to HAAD and Payers via the e
-
claims process. Otherwise, a code value for “Reason for no EID number” is entered on the e
-
claim as per
HAAD Data Standards.
2.2.
Project
Stakeholders
The following comprises the internal and external
stakeholders whose requirements are
represented
by this document:
S.
No.
Stakeholders
1.
Emirates Identity Authority “EID
A
”
2.
National Health Insurance Comp
any
-
“DAMAN” PJSC
3.
Abu Dhabi Health Services Company “SEHA”
PJSC
4.
Health Authority
-
Abu Dhabi “HAAD”
2.3.
Assumptions and
Constraints
Following are the assumptions and constraints in the project, but not limited to:
S. No.
Assumptions
Health Authority Abu Dhabi
Technical Specification
Document
Confidential Document
–
Ve爠ㄮ1
偡来
6
of
㈵
1.
Data on EID
card is assumed to be always correct as Healthcare Entities have no
means of verifying it.
2.
EIDA
Validation
Gateway
will entertain the required number of hits.
3.
EIDA
Validation
G
ateway will be connected with HSM.
4.
Currently
EIDA
Validation
Gateway
can
respond to only 200 requests
simultaneously.
5.
Fingerprint template stored in the ID card is about 504
Byte,
the captured image
from sensor size is
100KB and
the image converted to template before sending is
1KB.
6.
ADNet connectivity should be available.
7.
Integration with the Validation Gatew
ay is done using Java Applet or
ActiveX at
the client, logically speaking the
Applet or ActiveX
communicate directly with the
Validation
Gateway
, through a reverse proxy server
.
8.
SDK
may not be required
as VG will
facilitate all the requirements or needs.
9.
HAAD data center
will be under
the Tier
IV
design
, and
therefore
it has not been
added up in the estimated solution cost.
10.
Any changes in the EIDA Validation Gateway will always have a
backward
compatibility
wit
h proper change control mechanism.
11.
N
o record will be registered in Audit DB, if the EID card is damaged or cannot be
read.
S. No.
Constraints
1.
Regarding
Validation
Gateway, t
he
recommended
server
code is Java
and so the
solution should
be built usi
ng Java technology on the server side
.
2.
2.4.
Out of Scope
1.
In light of new development leading to availability of VG,
HSM requirements and analyses are
being
considered as
out of scope.
Health Authority Abu Dhabi
Technical Specification
Document
Confidential Document
–
Ve爠ㄮ1
偡来
7
of
㈵
Health Authority Abu Dhabi
Technical Specification
Document
Confidential Document
–
Ve爠ㄮ1
偡来
8
of
㈵
3.
Proposed
Solution
3.1.
High Level Solution Architecture
3.2.
Appl
ication
s
Requirements
3.2.1.
HAAD
Gateway
(W
eb server)
This component would act as gateway for all public and private providers for authentication and querying.
Key tasks would include:
Control and manage the connection between the Client and EIDA Validation G
ateway.
Save the required information in the Audit database during the whole transaction whenever it
’
s
applicable.
The
Webserver
should save the fields in the Audit database.
(Please refer to Secti
on 6
.2: Audit
Query Web Service)
3.2.2.
Client
Side A
pplication
Th
e vendor should work on the Service Oriented Architecture
in order to build the solution that is not
only
based on
currently known demands, but should also be able to respond to new opportunities or
changes.
Health Authority Abu Dhabi
Technical Specification
Document
Confidential Document
–
Ve爠ㄮ1
偡来
9
of
㈵
EIDA’s toolkit and documentation is available to
providers in order to integrate
their applications
.
EIDA extended support on tools and ADSIC’s experience to achieve integration with EIDA card.
SEHA would develop client specific framework with EIDA however below is high level diagram
:
3.2.3.
Audit Application
This would provide capab
ility to search HAAD data store.
3.2.3.1.
Data
base Requirements
T
RANSACTION
T
ABLE
(P
ROPOSED
)
Authentication Transaction
S.
No.
Field
Field
type
Mandatory/
Optional
Lengt
h
Validation
Additional Info
1.
Unique transaction
id
Number
Mandatory
Reference number for
indexing
2.
EID Number
Text
Mandatory
The definition of EID Number
is according to the
Cooperation Agreement
regarding ID uniform usage in
Abu Dha
bi healthcare sector
(MOU 2011; page 3)
3.
Authentication Date
Datetime
Mandatory
Only date
mm/dd/yyy
y
Authentication Date
-
Time
should be analogous to
HAAD's
Transaction Date definition
Health Authority Abu Dhabi
Technical Specification
Document
Confidential Document
–
Ve爠ㄮ1
偡来
of
㈵
4.
Authentication Time
Datetime
Mandatory
Only time
24 hours
forma
t
Authentication Date
-
Time
should be analogous to
HAAD's Transaction Date
definition
5.
Authentication
Location
Text
Mandatory
Authentication Location
Facility ID is the HAAD Facility
License number. There needs
to be a mechanism to link
devices to a Fa
cility License
number.
6.
Authentication type
Text
(
Dropbox
)
Mandatory
Values
from the
master
"AUTHEN
TICATION
TYPES"
-
Biometric + Card Match is a
Match on all the components
of Person (i.e. Biometric),
Data, Card, Card Reader and
HSM Server
-
Card Only i
s a Match on
Data, Card, Card Reader and
HSM Server
7.
Authentication
Result
Text
(
Dropbox
)
Mandatory
Values
from the
master
"AUTHEN
TICATION
RESULT"
Values Pass or Fail
8.
Causes of
authentication failure
Text
(
Dropbox
)
Optional
Values
from the
master
"C
AUSES
OF
AUTHENTI
CATION
FAILURE"
9.
Reasons
authentication not
completed
Text
(
Dropbox
)
Optional
M
ASTER
T
ABLES
(P
ROPOSED
)
Causes of authentication failure
S.
No.
Field
Field
type
Mandatory/
Optional
Length
Validation
Additional Info
1.
Cause of
Authentication failure
code
Text
Mandatory
Unique value
2.
Cause of
Authentication failure
desc
ription
Text
Mandatory
For example : Reader
Device Failure
3.
Cause of
Authentication failure
definition
Text
Mandatory
Reasons for authentication
not completed
S.
No.
Field
Field
type
Mandatory/
Optional
Length
Validation
Additional Info
1.
Reason
authentication not
completed code
Text
Mandatory
Unique value
Health Authority Abu Dhabi
Technical Specification
Document
Confidential Document
–
Ve爠ㄮ1
偡来
ㄱ
of
㈵
2.
Reason
authentication not
completed
desc
ription
For example : Patient
Refusal to A
uthenticate
3.
Reason
authentication not
completed definition
Text
Mandatory
Authentication types
S.
No.
Field
Field
type
Mandatory/
Optional
Length
Validation
Additional Info
1.
Authentication type
code
Text
Mandatory
Unique value
2.
Authentic
ation type
desc
ription
Text
Mandatory
For example : Biometric +
Card Match
3.
Authentication
definition
Text
Mandatory
Authentication results
S.
No.
Field
Field
type
Mandatory/
Optional
Length
Validation
Additional Info
1.
Authentication resul
t
code
Text
Mandatory
Unique value
2.
Authentication result
desc
ription
Text
Mandatory
For example : Pass and Fail
3.
Authentication result
definition
Text
Mandatory
M
ASTER
T
ABLE
V
ALUES
(P
ROPOSED
)
Cause of authentication failure values
S.
No
.
Values
Definition
1.
Biometric Mismatch
Person Biometric and EID Card Biometric do not
match
2.
No Fingerprint on card
Person Biometric is not stored on EID Card.
Reasons Authentication not completed values
S.
No.
Values
Definition
1.
Patient Refus
al to Authenticate
Patient unwilling to provide EID card or complete the
authentication process
2.
System Down
Internal/External application, system or components
down and not available to complete the authentication
process.
3.
Data Component Issues
Any dat
a related component that prevents End User
from completing the authentication process.
Authentication type values
S.
Values
Definition
Health Authority Abu Dhabi
Technical Specification
Document
Confidential Document
–
Ve爠ㄮ1
偡来
ㄲ
of
㈵
No.
1.
Biometric + Card Match
Biometric + Card Match is a match on all the
components of Person (i.e. Biom
etri
c), Data, Card,
Card Reader, and VG
2.
Card Only
Card Only is a match on Data, Card, Card Reader and
HSM Server.
Authentication results values
S.
No.
Values
Definition
1.
Pass
Authentication Type Criteria Met
2.
Fail
Authentication Type Criteria Fai
led
3.3.
I
nfrastructure
Requirements
Health Authority Abu Dhabi
Technical Specification
Document
Confidential Document
–
Ve爠ㄮ1
偡来
ㄳ
of
㈵
3.4.
S
upport & Maintenance
The vendor should propose a system which should provide
24x7 support and maintenance
.
The vendor should design a system with SLA of
5 seconds response time
from client request to
respon
d
provided all technical requirements needed to enable these transactions are in place.
Health Authority Abu Dhabi
Technical Specification
Document
Confidential Document
–
Ve爠ㄮ1
偡来
ㄴ
of
㈵
4.
Risks
S. No.
Risk
Probabilit
y
Impact
Mitigation
1.
We don’t have any testing
results/benchmark for more than
200
concurrent
requests to
Validation
Gateway
.
0.7
High
The vendor
should conduct a
Performance Testing with around
500
-
700 concurrent requests prior to
Go LIVE.
2.
Currently there is no Disaster
recovery
(for EIDA VG)
, only high
availability option.
0.5
High
N/A.
Note:
TWG would like Steering
Committee to adv
ice further over it.
Health Authority Abu Dhabi
Technical Specification
Document
Confidential Document
–
Ve爠ㄮ1
偡来
ㄵ
of
㈵
5.
Glossary
Term/Acronym
Definition
EID Card
Identity Card issue
d
by Emirates Identity Authorit
y
to all citizens
and residents of UAE
"Trusted Third Party"
Trusted Third Party whom HAAD, EID, SEHA, Daman have
entrusted to host and op
erate the Health Cloud Systems
Health Cloud
Private for Abu Dhabi Health Sector computing cloud that
provides “trusted” secure environment for maintaining shared
information systems accessible to licensed Healthcare Entities
Authentication System
A stan
dard system that integrates with Provider information
systems to enable EID authentication of patients at the point of
care and provide Provider systems with the authentication result
as well as the data stored on EID card to be used in Patient
registratio
n process
Authentication Log
Information systems that maintains a log of authentication
events and controls access to this information and provides
reports through standard web services
HSM
Hardware Security Module
VG
Validation Gateway
Health Authority Abu Dhabi
Technical Specification
Document
Confidential Document
–
Ve爠ㄮ1
偡来
ㄶ
of
㈵
6.
Appendix
6.1.
Patient Authentication Web Service
(Proposed)
Service Name
HAAD_PATIENT_AUTHENTICATION
Service Type
Interactive, on
-
demand
Data Owner
EIDA
Service Provider
HAAD
Service Consumer
SEHA & Facilities
Input Parameters
Is_Patient_
Authentica
te
(EID Number
, Fingerprint Template,
Captured Image
)
Output Parameters
Service output (0
-
success,1
-
Failure)
Sample Request
6.1.1.
Service Header
Field Name
Type
Sample Data
Mand
atory
Code
list
EID Number
Varchar2(15)
999
-
9999
-
999999
-
9
Y
-
Authorized
Nu
mber
0 (Success)/1(Failure)
Y
-
Transaction Date
&
Time
DATE
System Date
Y
-
Reason for failure
Varchar2(150)
Xyz.
Y
Y
6.2.
Audit Query Web Service
(Proposed)
Service Name
HAAD_PATIENT_AU
DIT_QUERY
Service Type
Interactive, on
-
demand
Data Owner
HAAD
Serv
ice Provider
HAAD
Service Consumer
SEHA, Facilities & Insurance Companies
Input Parameters
Patient_
Au
dit_Query(
Batch No,
EID Number, Fa
c
ility ID,
Encounter Date
)
Output Parameters
Service output (
Batch No,
EID Number, Fa
c
ility ID,
Authentication Result,
Authentication Date, Authentication
Failure
Reason
)
Sample Request
Health Authority Abu Dhabi
Technical Specification
Document
Confidential Document
–
Ve爠ㄮ1
偡来
ㄷ
of
㈵
6.2.1.
Service Header
Field Name
Type
Sample Data
Mand
atory
Code
list
Batch
Number
Varchar2(15)
AAA999
Y
-
EID Number
Varchar2(15)
999
-
9999
-
999999
-
9
Y
-
Facility ID
Varchar2(15
)
MF9999
Y
-
Encounter/Authentication
Date
DATE
Sysdate
Y
-
Authentication Result
Number
0 (Success)/1(Failure)
-
Authentication Failure
Reason
Varchar2(150
)
Xyz.
-
-
6.3.
Validation
Gateway: Benchmark
Testing
Analysis
This
section
documents a benchmark
analysis conducted by Lo
gica on the Validation Gateway
(VG
). This
study has been requested by EIDA as a means to establish that the hardware that will be procured by
Logica for the PKI & FIM project infrastructure will be sufficient enough to cope with the
requirements
(throughput) received from ADSIC.
The main results of the benchmark testing are as follow:
Concurrent users
Total transactions
in 1 minute
Average
VG
transactions/sec
No.
of errors
100
119071
658
0
200
128470
712
0
6.3.1.
VG with
local
se
cure messaging
In this case, the VG uses a Secure Messaging (SM) module locally on the same VG server.
6.3.1.1.
Benchmark case 1
100
concurrent users executed repeatedly VG requests for 1 minute. Results were as follow:
a)
Total number of VG transactions: 119071 Tra
nsactions
b)
Average Throughput = 658 VG transactions/sec
c)
Errors = 0
Health Authority Abu Dhabi
Technical Specification
Document
Confidential Document
–
Ve爠ㄮ1
偡来
ㄸ
of
㈵
Health Authority Abu Dhabi
Technical Specification
Document
Confidential Document
–
Ve爠ㄮ1
偡来
ㄹ
of
㈵
6.3.1.2.
Benchmark case 2
200
concurrent users executed repeatedly VG requests for 1 minute. Results were as follow:
a)
Total number of VG transactions: 128470 Transactions
b)
Average Throughput = 71
2 VG transactions/sec
c)
Errors = 0
Health Authority Abu Dhabi
Technical Specification
Document
Confidential Document
–
Ve爠ㄮ1
偡来
㈰
of
㈵
6.3.2.
VG with
remote
secure messaging
In this case, the VG uses a Secure Messaging (SM) module deployed on a separate physical server.
6.3.2.1.
Benchmark case 1
100
concurrent users executed repeatedly VG requests for 1 minute. R
esults were as follow:
1.
Total number of VG transactions: 21552 Transactions
2.
Average Throughput = 120 VG transactions/sec
3.
Errors = 0
Health Authority Abu Dhabi
Technical Specification
Document
Confidential Document
–
Ve爠ㄮ1
偡来
㈱
of
㈵
6.3.2.2.
Benchmark case 2
200
concurrent users executed repeatedly VG requests for 1 minute. Results were as follow:
a)
Total numb
er of VG transactions: 18062 Transactions
b)
Average Throughput = 100 VG transactions/sec
c)
Errors = 0.34
Health Authority Abu Dhabi
Technical Specification
Document
Confidential Document
–
Ve爠ㄮ1
偡来
㈲
of
㈵
6.3.2.3.
Benchmark case 3
120
concurrent users executed repeatedly VG requests for 40 minutes. Results were as follow:
d)
Total number of VG transactions: 1303
244 Transactions
e)
Average Throughput = 72 VG transactions/sec
f)
Errors = 0.16
Health Authority Abu Dhabi
Technical Specification
Document
Confidential Document
–
Ve爠ㄮ1
偡来
㈳
of
㈵
7.
Review Sign offs
We
have reviewed the above stated
technical specifications
of
Patient Authentication Project
.
We
hereby grant
approval to proceed to develop the system.
We
u
nderstand that further changes will likely result in a delay in the final delivery date.
Name:
_______________________________
D
esignation
:
__________
_________
_____________
Department/Section:
_________
______
___
___
___________
Health Au
thority
-
Abu Dhabi
“HAAD”
:
________
______
____
___
___________
_______________
___
____________________
Signature:
Date:
_____________
___
_________________
Name:
________________________________
D
esignation
:
_
__
_
_
_______
_________
____________
_
Department/Section:
___
_
_
_
_____
______
___
___
___________
A
bu Dhabi Health Services Co. “SEHA” P.J.S.C.
:
______
__
_
______
____
___
_____
_
______
_______________
___
____________________
Signature:
Date:
_____________
___
_________________
Health Authority Abu Dhabi
Technical Specification
Document
Confidential Document
–
Ve爠ㄮ1
偡来
㈴
of
㈵
Health Authority Abu Dhabi
Technical Specification
Document
Confidential Document
–
Ve爠ㄮ1
偡来
㈵
of
㈵
8.
Review Sign
offs (cont.)
We
have reviewed the above stated
technical specifications
of
Patient Authentication Project
.
We
hereby grant
approval to proceed to develop the system.
We
understand that further changes will likely result in a delay in the final delivery
date.
Name:
_________________________________
D
esignation
:
________
_
__
_________
_____________
Department/Section
:
_________
______
___
___
____
_
_______
Emirates Identity Authority “EIDA”
:
________
______
____
___
____
_
_______
_____________
__
___
____________________
Signature:
Date:
_____________
___
_________________
Name:
_________________________________
D
esignation
:
__________
_________
________
_
_____
Department/Section
:
_________
______
___
___
_______
_
____
National Health I
nsurance Co.
-
Daman P.J. S. C
:
________
______
____
___
________
_
___
_______________
___
____________________
Signature:
Date:
_____________
___
_________________
Enter the password to open this PDF file:
File name:
-
File size:
-
Title:
-
Author:
-
Subject:
-
Keywords:
-
Creation Date:
-
Modification Date:
-
Creator:
-
PDF Producer:
-
PDF Version:
-
Page Count:
-
Preparing document for printing…
0%
Comments 0
Log in to post a comment