UXP as the foundation for secure healthcare-related data exchange White Paper Version 1.1 15.04.2020


Table of Contents

1. Unified eXchange Platform
2. Digital healthcare services in Estonia
3. Governance in healthcare in Estonia
4. Case study from Estonia: e-Ambulance
5. International references in healthcare and inheritance record management
5.1. Together for PPE Readiness, United States
5.2. Inheritance record management, Japan
6. References


1. Unified eXchange Platform

The Cybernetica UXP® (Unified eXchange Platform) is a technology that enables secure peer-to-peer data exchange over encrypted and mutually authenticated channels. It is based on a decentralized architecture where each peer has an information system that will be connected with other peers’ systems.

UXP is targeted at situations where several parties wish to establish a standardized communication channel that provides confidentiality, strong authentication and long-term proof value of the relayed messages. The model case for this situation is a governmental data exchange infrastructure. Here the communicating parties are governmental agencies, private companies and citizens who exchange data with each other by calling services (known as service-oriented architecture).

UXP is built and maintained by Cybernetica. For almost 20 years Cybernetica has been heavily involved in creating the world-renowned Estonian e-Government framework, mostly by being the key developer of its foundation, the data exchange layer X-Road. According to the World Bank, it is that very data exchange layer that allowed Estonia to become a truly digital society. Based on its involvement in secure government data exchange, Cybernetica launched improved software in 2015 and released it as UXP for international distribution. UXP-based solutions have by now been implemented across four continents to enable running online government services for 35 million people from different countries and cultures.

"The success of the Estonian e-government model has inspired us to further develop the e-government system in Benin and redefine how we communicate with our citizens, and how we build business opportunities. The launch of the secure data exchange framework is one step in our digital transformation process, and it will not be the last."

Maximilien Kpodjedo, Director of National Information Systems and Services Agency (ASSI) of Benin Republic about their work with UXP (ERR, 2018)

The core of UXP consists of the Registry, Security Servers, Monitoring and Trust Service components, with the option to add further functionality via optional components. The Security Servers are of critical importance, as they intermediate the exchanged data service calls between communicating parties, e.g. the different members of the UXP data exchange framework. Security Servers are operated by the members, while the framework itself is managed and maintained by a Governing Authority via the Registry, Monitoring and Trust services.

The Unified eXchange Platform has proven itself as a reliable, secure and easily deployable technology in a large variety of international contexts and can easily be applied in healthcare-related use-cases as well.


2. Digital healthcare services in Estonia

Estonia is not only a champion in e-Government but is also a frontrunner in terms of digitization in healthcare. According to the Bertelsmann Digital Health Index, Estonia scores highest in all three surveyed categories, namely Policy Activity, Digital Readiness and Actual Use of Data, and leaves Canada and Denmark in second and third place respectively (Bertelsmann, 2019). It’s not only neutral observers that consider Estonia a best practice: the majority of healthcare professionals from around Europe consider Estonia the role model for eHealth Innovation in Europe according to HIMSS Analytics’ Annual European Health Survey (HIMSS, 2019).

Just like in the field of e-Government, it is the continuous effort and focus on digitization and strong foundations that allow Estonia to play this pathfinding role. Since the early beginnings Cybernetica has played a key role in this field by developing crucial baseline technology and providing consultation and independent research in the fields of data interoperability and digital identity. The underlying secure data exchange technology (available as Cybernetica’s product UXP), for which Cybernetica has been the driving developer for almost 20 years, is the key facilitator for a wide-ranging array of eHealth services such as e-Prescription, e-Referral, e-Ambulance, Health Declaration and others.

The digitization in healthcare took an early start in the 90s, when some healthcare providers introduced Electronic Medical Records on their own initiative. Digitization was boosted when pharmacies needed to submit reimbursement claims electronically to the Health Insurance Fund in 2002; a transformation which was fully achieved by 2005. The National Electronic Health Record System was introduced in 2008 and the information systems of General Practitioners and hospitals were gradually integrated into Electronic Healthcare Information Systems, culminating with the issuance of digital prescriptions in 2010 (Metsallik et al, 2018, p. 2-3).

Today, 99% of all issued prescriptions are issued electronically, all patients can get online access to their medical data by logging in to their personal health portal and can actively manage their data by declaring intentions and preferences. Even more importantly, thanks to timestamping, logging mechanisms and digital identity, patients can see who has had access to their medical data and accordingly also hold them accountable (e-Estonia, 2020).

To speak in total numbers, more than 10 000 healthcare professionals use the system on a daily basis. During one month in 2017, more than 30 million medical documents were managed by the system. In 2018 more than 1.2 million queries about healthcare-related data were made by patients and 1.6 million queries by healthcare professionals on a monthly basis (Metsallik et al, 2018, p. 3). There has been a strong uptake in the numbers since the introduction of the nation-wide system in 2008, all the while remaining efficient: Estonia spends 6% of its GDP on healthcare and is far below the OECD average of 9.5% (OECD, 2020). It still maintains the strongest gains in life expectancy of all EU countries (Habicht et al, 2018, p. xxiii).


3. Governance in healthcare in Estonia

The crucial stakeholder for governance of information technology in healthcare is the Health and Welfare Information System Centre (TEHIK), which was established in 2017 to consolidate the roles and responsibilities of the IT Department of the Ministry of Social Affairs and the Estonian eHealth Foundation. Before this consolidation the eHealth Foundation was the crucial stakeholder for development, financing and management of the e-Health system. The foundation was established shortly after the Ministry of Social Affairs in 2005 introduced four main projects for the e-health system: electronic health records, digital images, digital registration and digital prescription. The Board of the eHealth Foundation brought together all major players in healthcare in Estonia and allowed for clear governance of the e-health system. Essential to its success was also clear legislation, manifested by the Health Care Services Organization Act and the Ministry of Social Affairs regulation of the Health Information System (Tiik, 2012, p. 48).

Most importantly, the ambition of the Estonian e-Health system is to develop patient-friendly, efficient and high-quality healthcare services. It aims to enable physicians to get access to time-critical medical information and to decrease the bureaucracy around the daily routines of doctors. As healthcare services are, however, provided by decentralized actors, it’s important to bring all these actors together. Metsallik et al. explain that there are three layers of the Estonian eHealth system: the data layer, the data exchange layer and the application layer. The data layer consists of data repositories in control of specific data. The application layer is managed by different parties providing services. Between them, the data exchange layer allows data from repositories to be consumed by parties in the application layer (2018, p. 2).

The data exchange layer is the interoperability backbone of the Estonian e-State. The e-Health system is neither centralized nor separate from the state’s e-State system, but actually well integrated into the full decentralized framework for digital administration. The e-Health System is thus “a federated system of mutually dependent yet integrated healthcare-related software services” (ibid, p. 4).

In healthcare, the secure data exchange layer is used by public and private entities that wish to make use of a standardized communication channel providing confidentiality, strong authentication and long-term proof value of the relayed messages. To give an example: the central component of the e-Health System, the EHR, makes use of the layer for exchanging data based on the widely accepted international standards HL7 CDA, DICOM, LOINC etc. (ibid., p. 7). The exchange of data itself works via security servers that allow for the data to be accessed from another security server over the public internet. The transfer of data is confidential, encrypted and respectively digitally signed, authenticated, logged and timestamped. This guarantees a high level of security and transparency as log files have evidentiary value and can be audited.

Apart from the data exchange layer, the second component that has critical importance, and where Cybernetica has left its mark, is digital identity. Thanks to the digital identity based on a unique identifier, individuals’ records can be accessed by doctors, who based on the same standard need to verify their identity and thus leave traces in the accessed records. The patient also gets access to medical records via the Public Key Infrastructure (PKI), which is based on the unique identifier and physical security devices such as the state-issued ID Card, a mobile SIM Card (mobile ID) or the application-based smart ID (based on Cybernetica’s SplitKey technology).


4. Case study from Estonia: e-Ambulance

One of the great advantages of a distributed, yet well-connected architecture, is that different kinds of datasets and systems can be combined to build user-friendly and efficient e-services.

Challenge

The e-Ambulance service was introduced to provide ambulances heading to patients in emergencies with time-critical data such as allergies, blood type etc.

Organisation

Participating sites (managing information system) are:

• Data Exchange Layer Members:

◦ Hospitals (managing Hospital Information Systems)

◦ Health and Welfare Information System Centre (managing Patient Portal, EHR, Ambulance Workstations)

◦ Rescue Board

• Governing Authority (State Information System Authority of the Republic of Estonia)

Function

1. A patient calls the emergency services, because he/she needs help.

2. The Rescue Board responds and dispatches an ambulance.

3. Based on the patient’s personal identifier the ambulance gets access to time-critical data from the Electronic Health Record (EHR).


4. The ambulance examines the patient.

5. The ambulance submits emergency epicrisis to the EHR (via a Mobile Workstation).

6. The Hospital communicating with the ambulance already gets access to the emergency epicrisis and all of the patient’s other epicrises in order to treat the patient accordingly.

7. Patient arrives at the hospital.

8. Hospital personnel treats the patient according to the info from the EHR.

9. Hospital composes hospital epicrisis about the treatment and sends it to the EHR.

10. The patient eventually is sent home after successful treatment.

11. The patient at home can review what has been written in the epicrises and check the logs of which doctor has had access to his/her medical data.

12. Additionally, the patient’s general practitioner can review this epicrisis in following medical treatments.

Assessment

The e-Ambulance service illustrates very well how multiple, independent sites can create extensive added value by collaborating via a secure data exchange layer.

What’s crucial: Only eligible trusted parties get access to data, and only to data that has been defined beforehand via data exchange layer services.

The obvious benefit: Faster and streamlined access to time-critical data that can save lives.

The icing on the cake: Every data transaction is logged and time-stamped. Transactions have evidentiary value.


5. International references in healthcare and inheritance record management

5.1. Together for PPE Readiness, United States

Since 2019 Cybernetica has supported the Nashville-based Center for Medical Interoperability (C4MI) in developing a monitoring and surveillance system for personal protective equipment (PPE) with the Centers for Disease Control and Prevention (CDC), the public health agency of the United States of America. The project is a public-private partnership called TOGETHER for PPE Readiness and it allows for trusted data exchange between entities in order to improve the ecosystem’s ability to manage PPE inventory (masks, gloves, gowns, and other protective equipment).

Pandemic illnesses and large public health emergencies can lead to shortages of PPE as manufacturers need time to increase production to meet increased demand. TOGETHER for PPE Readiness leverages C4MI’s Trust Platform that utilizes Cybernetica UXP secure data exchange technology to share data regionally and nationally in order to better plan for emergencies, inform optimal inventories and enable PPE inventory comparisons among participating members, such as hospitals, coalitions and networks, for better emergency preparedness.

The Center for Medical Interoperability is a cooperative research and development lab led by health systems to simplify and advance data sharing among medical technologies and systems. The Centers for Disease Control and Prevention (CDC) is the public health agency of the United States. The CDC is a United States federal agency under the Department of Health and Human Services and is headquartered in Atlanta, Georgia.

Challenge

How can healthcare providers and governing agencies get reliable and real-time data about PPE stock for fighting pandemics?

Organisation

Using UXP as the trust data network in the TOGETHER for PPE Readiness context involves the following agencies (UXP Members):

• Primary Sites:

◦ Hospitals and Health Systems (managing own PPE Databases and Information System consisting of Inventory Management and PPE Dashboard)

• Secondary Sites:

◦ CDC, State Health Departments, Area stockpiles, Coalitions (managing PPE Dashboard)

◦ Governing Authority

◦ C4MI


Function

Preconditions:

Primary Sites manage their own PPE Databases to keep track of inventory. The Governing Authority adds and manages Primary and Secondary Sites as trusted parties to the data exchange layer (UXP membership). Primary Sites define a UXP Service that other participating sites (UXP Members) can subscribe to. Primary Sites decide which other Primary or Secondary Sites can subscribe to their UXP service providing access to their PPE data.

Business Use Case:

1. Secondary Site using PPE extraction tool requests data from Primary Site A.

2. Primary Site A UXP Security Server checks whether Secondary Site is eligible to get access to that data.

3. Primary Site A UXP Security Server confirms and provides access to data.

4. Primary Site A Information Systems respond with requested PPE Data from their PPE Database.

5. Secondary Site processes received information.
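An added example, not part of the white paper and not Cybernetica's code: a minimal Python model of the eligibility check in the business use case above and of the logged, time-stamped transactions described earlier in the paper. The class name, member ids, service name, PPE figures and the HMAC hash chain (standing in for digital signatures and trusted time-stamps) are assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # 'previous record' value for the first log entry


def _mac(key, body):
    # Assumption: HMAC-SHA256 stands in for the digital signature the paper mentions.
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class SecurityServerModel:
    """Toy model of a Primary Site's Security Server (hypothetical, not UXP code)."""

    def __init__(self, members, log_key):
        self.members = set(members)  # parties admitted by the Governing Authority
        self.subscribers = {}        # service name -> members the data owner allowed
        self.log_key = log_key
        self.log = []                # append-only, each record chained to the previous

    def allow(self, service, member):
        if member not in self.members:
            raise ValueError(f"{member} is not a member of the exchange")
        self.subscribers.setdefault(service, set()).add(member)

    def handle(self, ts, client, service, backend):
        # Deny by default: membership AND an explicit grant for this service.
        ok = client in self.members and client in self.subscribers.get(service, set())
        prev = self.log[-1]["mac"] if self.log else GENESIS
        body = {"ts": ts, "client": client, "service": service,
                "decision": "allow" if ok else "deny", "prev": prev}
        self.log.append({**body, "mac": _mac(self.log_key, body)})
        return backend(service) if ok else None  # backend is reached only when allowed


def verify_log(log, key):
    """Return -1 if the chain is intact, else the index of the first bad record."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "mac"}
        if rec["prev"] != prev or not hmac.compare_digest(rec["mac"], _mac(key, body)):
            return i
        prev = rec["mac"]
    return -1


def demo():
    key = b"constructed-demo-key"
    members = ["state-health-dept", "area-stockpile"]  # constructed member ids
    server = SecurityServerModel(members, key)
    server.allow("ppe-inventory", "state-health-dept")
    backend = lambda service: {"n95_masks": 1200, "gowns": 340}  # constructed PPE data

    granted = server.handle("2020-04-15T10:00:00Z", "state-health-dept", "ppe-inventory", backend)
    denied = server.handle("2020-04-15T10:00:05Z", "area-stockpile", "ppe-inventory", backend)
    intact = verify_log(server.log, key)
    server.log[1]["decision"] = "allow"  # simulate an after-the-fact edit of the denial
    tampered = verify_log(server.log, key)
    return granted, denied, intact, tampered


if __name__ == "__main__":
    print(demo())
```

Denied requests are logged as well as granted ones, so an auditor can see attempted access by members that the data owner never subscribed to the service.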

Assessment

The use of UXP in the TOGETHER context manifests how data sharing with trusted parties can have a major impact for planning time-critical steps in fighting pandemics’ impact on society.


What’s crucial: Data owners have full control over who has access to their PPE-data.

The obvious benefit: Faster and streamlined access to time-critical PPE data helps in decision-making.

The icing on the cake: Every data transaction is logged and time-stamped. Transactions have evidentiary value.

Read more about the project on NPR, who’s reporting about TOGETHER here.

5.2. Inheritance record management, Japan

Cybernetica and Japan’s Sumitomo Mitsui Trust Bank (SMTB) work together on utilizing Cybernetica’s UXP technology in trust banking across the wide array of services offered by SMTB, the largest trust bank in Asia.

The first phase of the collaboration assessed how UXP can be used to bring additional value to the financial sector services and was completed with success. The second phase focuses on inheritance record management while also verifying compliance with Japanese information security standards.

The designated use-case of UXP is in the modernization of SMTB’s business with processing consignors’ last will and testament. UXP is used to digitize the whole process and to exchange related data between relevant parties including SMTB.


6. References

Bertelsmann, 2019, Smart Health Systems, Digital Health Index, via: https://www.bertelsmann-stiftung.de/en/our-projects/the-digital-patient/projektthemen/smarthealthsystems/, 24.01.2020.

e-Estonia, 2020: Healthcare, via: https://e-estonia.com/solutions/healthcare/, 27.01.2020.

ERR, 2018: Benin to develop data exchange platform based on Estonian model, via: https://news.err.ee/882616/benin-to-develop-data-exchange-platform-based-on-estonian-model, 09.03.2020.

Habicht, T., Reinap, M., Kasekamp, K., Sikkut, R., Aaben, L. and Ginneken, E., 2018. Estonia: health system review, via: https://apps.who.int/iris/bitstream/handle/10665/330201/1817-6127-eng.pdf, 24.01.2020.

HIMSS Analytics, eHealth Trendbarometer "Annual European eHealth Survey 2019", published November 2019, via: https://europe.himssanalytics.org/europe/ehealth-barometer/ehealth-trend-barometer-annual-european-ehealth-survey-2019, 24.01.2020.

Metsallik, J., Ross, P., Draheim, D. and Piho, G., 2018, Ten Years of the e-Health System in Estonia, via: https://pdfs.semanticscholar.org/03e0/444519ee3e8bf85bae21f6ed430b719aea3e.pdf, 24.01.2020.

OECD (2020), Health spending (indicator). doi: 10.1787/8643de7e-en, via: https://data.oecd.org/healthres/health-spending.htm, 24.01.2020.

Tiik, Madis., 2012. Access Rights and Organizational Management in Implementation of Estonian Electronic Health Record System (Doctoral dissertation, thesis on mechanical engineering) Tallinn Technical University Press.
