InterPARES Trust Case Study · 5/11/2017  · Document Control Version history Version Date By...


InterPARES Trust Case Study

Title and code: Model for Preservation of Trustworthiness of the Digitally Signed, Timestamped and/or Sealed Digital Records (TRUSTER Preservation Model) (EU31) – Case Study 3

Document type: Case Study

Status: Final

Version: 1.4

Research domain: Control

Date submitted: 11 December 2016

Last update: 3 April 2017

Author: InterPARES Trust Project

Writers: Mats Stengård, Enigio Time AB
Hans Almgren, Enigio Time AB
Hrvoje Stancic, University of Zagreb

Region Skåne participants: Sofie Idberg, Region Skåne
Daniel Hedman, Region Skåne
Åsa K Nordström, Region Skåne
Kerstin Belin, Region Skåne
Christian Jarnekrans, Region Skåne

Research team: Mats Stengård, Enigio Time AB
Hans Almgren, Enigio Time AB
Hrvoje Stancic, University of Zagreb


ITRUST EU31 – Case Study 3, January 2017

InterPARES Trust Project, p. 2

Document Control

Version history

Version  Date         By                           Version notes
0.9      11 Dec 2016  Mats Stengård, Hans Almgren  First final internal draft
1.0      19 Dec 2016  Hrvoje Stancic               Case Study improvements
1.1      15 Jan 2017  Mats Stengård                Review and update from comments; update from Region Skåne answers in mail 19 Dec 2016
1.2      27 Jan 2017  Hrvoje Stancic               Final review
1.3      12 Mar 2017  Mats Stengård                Updates and corrections from comments by Region Skåne
1.4      3 Apr 2017   Mats Stengård                One correction on background RS e-Archive solution


Table of Contents

Abstract .......... 4
A. Overview .......... 5
   Case study goals .......... 5
B. Statement of Methodology .......... 6
C. Description of Context .......... 7
   Provenancial .......... 7
   Legal .......... 7
   Procedural .......... 7
   Documentary .......... 7
   Technological .......... 8
D. Overall Findings .......... 9
   Medical Records .......... 9
   Tenders, Procurement & Supplier contracts .......... 10
   Political decisions & meeting minutes .......... 11
E. Conclusions & Recommendations .......... 12
   Conclusions .......... 12
   Recommendations .......... 13


Abstract

This case study has been conducted in cooperation with Region Skåne between June 2016 and November 2016. The main goal of this case study is to examine the Region’s use of digital signatures, the way digital signatures are archived, and whether the research questions of InterPARES Trust EU31 (TRUSTER) apply. The report summarises the current state of the prioritised and most important areas related to the case study goals. It can also function as a base for further cooperation or studies.

The study highlights the need for a common strategy for Region Skåne with regard to the use of digital signatures, and a common policy for the archival procedures related to them. The current solutions appear to be derived more from the technical capabilities of the IT systems in use than from specifications based on the business and legal requirements. When proper digital signatures are created for the records, a proper strategy for preserving the validity of those digital signatures should also be made, if technically possible. If the validity can be preserved without unreasonable cost, doing so is strongly advised.


A. Overview

This case study has been conducted in cooperation with Region Skåne (the county council of Skåne County, Sweden) and the Region Archive, between June 2016 and November 2016.

The report uses part of the InterPARES case study report template, but the scope of the study is smaller and therefore several headings are excluded. The main goal of this case study is to examine the Region’s use of digital signatures, the way digital signatures are archived, and whether the research questions of InterPARES Trust EU31 (TRUSTER) apply.

No detailed analysis of the technology of all types of digital records within the Region has been done, but the report summarises the current state of the prioritised and most important areas related to the case study goals. It could also function as a base for further cooperation or studies.

Case study goals

• To analyse the current use of signatures (physical and digital) in different workflows and types of records at Region Skåne.
• To understand the perceived value of the need for archiving the digital signatures and digitally signed records, as well as archiving the validity of the digital signatures.
• To know if and how the digital signatures are currently archived.


B. Statement of Methodology

The study was conducted through analysis of the material provided by the Region, as well as through questions and discussions in several Skype meetings and mail conversations with Region Skåne participants. An important component of the information gathering was a half-day workshop held at Region Skåne facilities in Malmö, Sweden.

Input for most subsequent meetings and discussions was produced in the workshop, where material was gathered and structured according to the following agenda.

1. Identification of
   a. records / content types / workflows
      i. where timestamps / seals / signatures exist or ought to exist (both physical and digital)
   b. general legal dependencies
2. Analysis & discussion
   a. created physical / digital
   b. appraisal, time horizon
   c. any current records where validity needs to be extended?
3. Challenges & risks
4. Prioritisation
   a. focus on the most important areas for more analysis
5. Summary & planning

Participants from Region Skåne:

• 2 archivists,
• 1 lawyer,
• 1 information manager,
• 1 information strategist.


C. Description of Context

Provenancial

Region Skåne is the county council of Skåne County, Sweden.

The population of ca. 1 250 000 is about 13% of Sweden’s total. Skåne County was formed in 1997 by the merger of the former Kristianstad County and Malmöhus County, established in 1719. Region Skåne was formed in 1999 by the merging of the two administrative county councils of the province of Skåne, Kristianstad County and Malmöhus County, which were established in 1863.

Healthcare is Region Skåne’s dominant area of activity. Region Skåne is responsible for healthcare and public transport, business development, culture, infrastructure, social planning and environmental and climate-related issues in Skåne.

Legal

The seat of residence for the Skåne Governor is the town of Malmö. The headquarters of Skåne Regional Council is the town of Kristianstad. With 34,000 employees, Region Skåne is one of Sweden’s biggest employers.

It is a self-governing administrative region, funded by taxes, which is governed by a Regional Council of 149 members who are directly elected by the inhabitants of Skåne. The Regional Council makes decisions regarding budget and direction for Region Skåne’s various operations. Most decisions are based on suggestions made by the Regional Executive Committee, which is appointed by the Council.

Procedural

The study discusses different workflows and procedures related to the handling of electronic records, both active and archived, within the Region Archive. A special focus has been on the use of digital signatures for different types of records and on the need for archiving the digitally signed records and the validity of the digital signatures.

To narrow the scope of the study we put focus on the most important and largest-volume records using signatures (prioritised by Region Skåne): medical records, supplier contracts, and political decisions and meetings.

Documentary

Region Skåne keeps documents as per the Archives Act, in order to respect the public’s right to access public documents. It also looks after the needs of research, its own operations and the legal system. The Region Archive is part of the Archive Centre South (Arkivcentrum Syd) in Lund, Scandinavia’s biggest archival institution.


Region Skåne Archive operates in a mixed digital and analogue environment but has the ambition to move as many records as possible to digital storage. Healthcare information, such as medical records, constitutes almost 80% of the archive’s materials. But there are also minutes and other documents concerning political processes, the history of the county council, blueprints, education transcripts, maps etc.

Technological

Region Skåne has a complex IT portfolio of around 1000 systems; 100–150 of these will be replaced by a new system, which is currently being specified. The Region Skåne archive and external consultants develop solutions for delivery between business and document management systems and the e-archive. Records are delivered to the e-archive via Region Skåne’s own delivery specifications (submission information package).

The e-archive system is built on the SLL (Stockholms Läns Landsting) platform, which has been updated and changed in-house by Region Skåne.

e-Service card (RSID card)

The RSID card is an important technical component used for security and identification at Region Skåne. It is an electronic identity card (eID card) including Region Skåne’s service certificates (also called a SITHS card).

The card is to be used by all employees for all identification within Region Skåne.

The cards and service certificates increase security significantly during login to IT systems. RS cards and their certificates are normally valid for 5 years for permanent employees. Temporary employees receive cards of a shorter duration.


D. Overall Findings

Authorisations and signatures are used in many of the workflows and created records. Multiple types of signatures are used: physical signatures (scanned), system authorisations and also qualified digital signatures.

Signatures are used for, among others:

• Medical records, dental care, doctor’s certificates
• Procurement and contracts with suppliers, construction projects
• Powers of attorney
• Digitally signed e-mails
• Accounting/bookkeeping, employee agreements
• NDAs
• etc.

Together with Region Skåne it was decided that this case study should focus on the most important and the largest volume of records using signatures:

1. Medical records
2. Procurement and supplier contracts
3. Official political decisions and minutes of meetings

Medical Records

Medical records are the biggest record type created and handled by Region Skåne. They constitute about 80% of the records stored in the Region Archive.

Legal context

Recordkeeping and information management within healthcare in Sweden is regulated by the “Patient Data Law” (PDL). The points listed below are some important statements in this law related to the case study questions.

• Preservation for at least 10 years; the government can decide that certain types of records should be preserved longer than 10 years.
• Strong authentication should be used for accessing medical records.
• The caregiver must ensure that there are procedures for the signing of notes and confirmation of actions relating to patient care and treatment.
• Caregivers who are connected to a system for coherent records must decide on common procedures for signing and securing data.

Required legal preservation, as seen, is at least 10 years, but the recommendation in Sweden for medical records is to assume a strategy of “permanent retention”. Region Skåne applies this, and there is no process for disposition with regard to the medical records.

No specific requirement on the “quality” of the digital signature from a technical perspective is described within the law, only the statement of “strong authentication”. “Strong authentication” is defined as a requirement that identity should be controlled in at least two different ways before access to records is granted. The “RS-Card” identification together with a password fulfils the requirement for “strong authentication” according to this definition.

Technological context

Mainly two different business systems are used today for the creation of medical records: PMO is used for primary care, Melior is used for specialist care.

Both systems have the capacity to use the RSID card technology for strong authentication and digital signatures using HCC (Health Care Certificates). But currently it is not used consistently for both, or for all operations. To log in to PMO, RSID card authorisation is required. Currently, though, the digital signature code from the card is not used for signing a journal, because the login authorised by the card is considered sufficient authorisation. On the other hand, for signing, for example, medical e-prescriptions it is used.

Melior, as described, has the capacity to sign with the RS card but also has the possibility to log in with username and password. Both are used, but username and password is most common. When logging in with the RSID card, the signing code for the card is used for signing within the system; otherwise the password for the user is used. Medical e-prescriptions are always signed with a PIN code. The plan at the time of the study was that the use of the RSID card would be introduced more generally also for the Melior users during late 2016. Each sign-off (signature) in the systems requires at least the application of a PIN code, though some sign-offs only require the logged-in state and the presence of the card.

The qualified digital signatures created using the RSID card are of PKI type, with certificates that expire (in up to 5 years).

Preservation context

The e-Archive currently holds medical records for 1 300 000 persons, but so far no digitally signed records have been ingested into the e-Archive. No medical journals have been archived from the current journal systems PMO or Melior. It is therefore still possible to define a new common strategy and process for how to handle the records and digital signatures when journals are to be archived.

Tenders, Procurement & Supplier contracts

As Region Skåne is a large, tax-financed institution, tenders, procurement and supplier contracts are an important part of the operation and are archived.

Legal context

The law for public procurement applies, and the required legal preservation depends on the type of contract.

In some cases Region Skåne applies “permanent retention” in the same way as for medical journals, but not for all; it depends on the type of contract.


Technological context

Both the previous and the current IT system (CSign and TendSign) use qualified digital signatures for the signing of contracts. The service supplier CSign delivers the digital signatures to both systems; the signatures are of PKI type and thus the certificates expire. At the time of this study about 1500 digitally signed records were active in TendSign (not archived).

Preservation context

1500 digitally signed records have been transferred from the previous CSign system to the e-Archive. The digital signatures associated with the signed records are archived as checksummed “metadata”.

The preservation of the signatures’ validity in this case “might” be said to follow the “system dependency”¹ policy recommended by the Swedish National Archives. Region Skåne had not made a conscious decision to follow the policy at the time of ingestion of the records, but the validity according to this policy could be verified with some more detailed analysis, most importantly by evaluating the technical procedure of record and signature ingestion into the archive from the business system.
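The following Go program is an added illustration of the two points above (a PKI signature whose certificate expires, and a signature archived as checksummed metadata under the “system dependency” policy); it is not code from the report, from Region Skåne, CSign or TendSign. It stands in a self-signed 5-year RSA certificate for the signer’s card certificate, signs a constructed contract, has the archive verify the signature at ingest while the certificate is still valid, and re-checks the package years later. The package layout (ArchivedRecord), the function names and the sample contract text are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// ArchivedRecord is a hypothetical "signature archived as checksummed metadata" package: record,
// PKCS#1 v1.5 signature, signer certificate (DER) and the ingest-time verification timestamp.
type ArchivedRecord struct {
	Record, Signature, CertDER []byte
	VerifiedAt                 time.Time // when the archive verified the signature against a then-valid cert
	Checksum                   string    // hex SHA-256 binding the four fields above together
}

// Status is the outcome of re-checking an archived package at a later date.
type Status struct{ Intact, SigValid, CertExpired bool } // checksum matches / signature verifies / cert past NotAfter

func packageChecksum(record, sig, certDER []byte, at time.Time) string {
	h := sha256.New()
	for _, p := range [][]byte{record, sig, certDER, []byte(at.UTC().Format(time.RFC3339))} {
		h.Write(p)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// NewSigner builds a hypothetical signer (constructed test data): an RSA key and a
// self-signed certificate valid for `years` years from `from`, like a 5-year RS card.
func NewSigner(from time.Time, years int) (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: from, NotAfter: from.AddDate(years, 0, 0),
		Subject: pkix.Name{CommonName: "constructed example signer"}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der, err
}

// SignRecord signs SHA-256(record) with the signer's private key (PKCS#1 v1.5).
func SignRecord(key *rsa.PrivateKey, record []byte) ([]byte, error) {
	digest := sha256.Sum256(record)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// Ingest verifies the signature while the certificate is inside its validity period and
// freezes that result under a checksum. From here on "system dependency" applies: the
// archive must keep the package unchanged and isolated for the checksum to mean anything.
func Ingest(record, sig, certDER []byte, now time.Time) (*ArchivedRecord, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return nil, fmt.Errorf("certificate not valid at %s: validity cannot be attested", now.Format(time.RFC3339))
	}
	if err := cert.CheckSignature(x509.SHA256WithRSA, record, sig); err != nil { // mathematical binding only
		return nil, err
	}
	return &ArchivedRecord{record, sig, certDER, now, packageChecksum(record, sig, certDER, now)}, nil
}

// Reverify re-checks an archived package at time `now`. After expiry SigValid can still be
// true while CertExpired is true; the archive's evidence is then Intact plus VerifiedAt.
func Reverify(a *ArchivedRecord, now time.Time) (Status, error) {
	s := Status{Intact: packageChecksum(a.Record, a.Signature, a.CertDER, a.VerifiedAt) == a.Checksum}
	cert, err := x509.ParseCertificate(a.CertDER)
	if err != nil {
		return s, err
	}
	s.SigValid = cert.CheckSignature(x509.SHA256WithRSA, a.Record, a.Signature) == nil
	s.CertExpired = now.After(cert.NotAfter)
	return s, nil
}

// main: sign a constructed contract in 2016, ingest it while the certificate is valid,
// then re-check it six years later, after the 5-year certificate has expired.
func main() {
	issued := time.Date(2016, 6, 1, 0, 0, 0, 0, time.UTC)
	key, certDER, err := NewSigner(issued, 5)
	if err != nil {
		panic(err)
	}
	record := []byte("constructed sample: supplier contract 0001, signed 2016-06-15")
	sig, _ := SignRecord(key, record)
	pkg, err := Ingest(record, sig, certDER, issued.AddDate(0, 0, 14))
	if err != nil {
		panic(err)
	}
	status, _ := Reverify(pkg, issued.AddDate(6, 0, 0))
	fmt.Printf("%+v\n", status) // {Intact:true SigValid:true CertExpired:true}
}
```

Two things the run makes visible. First, the signature mathematics still checks out after the certificate has expired, so what is lost at expiry is not the signature but the ability to re-establish, from the certificate alone, that it was trustworthy when made; the ingest-time verification and its timestamp carry that evidence. Second, the checksum only has evidential weight if whoever could alter the package could not also recompute it, which is exactly the “unchanged and isolated” condition of the system dependency policy: it is the archive’s ingest procedure and access control, not the hash function, that must be evaluated, as the paragraph above suggests.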

Political decisions & meeting minutes

A lot of the operation within Region Skåne requires political meetings and decisions; thus minutes from these meetings and decisions are an important part of the records handled by the Region and the Archive.

Legal context

Required legal preservation of these types of records is flexible. Region Skåne applies “permanent retention” to all political decisions and meeting minutes.

Technological context

Today these signed records are archived on paper. Unsigned digital copies are published for the general public. Region Skåne is currently in the process of digitising this flow and intends to use digital signatures. A new system is thus being specified and evaluated. Because of this, an analysis of the process and of the type of digital signature needed might be important.

Preservation context

The new system has not yet been fully implemented and digitally signed records are yet to be archived. It is therefore still possible to define a new common strategy and process for how to handle the records and digital signatures.

¹ “System dependency” is described in the report “Production and preservation of electronic signatures” produced and published by the Swedish National Archives. In essence it refers to a system in which technical and/or systematic measures are taken so that together they create a system that can validate a data object by ensuring that the data object has not changed and that the data object was isolated until preserved.


E. Conclusions & Recommendations

Conclusions

Region Skåne has a policy of permanent retention (no appraisal) for all record types prioritised in this study. This case study highlights the need for a common strategy with regard to the use of digital signatures, and a common policy for the archival procedures related to them. The current solutions seem to be derived more from the technical capabilities of the IT systems in use than from specifications based on the business and legal requirements.

From an archival perspective Region Skåne sees value in the long-term preservation of the validity of the digital signatures, if technically possible. The cost of such a solution and the possibility of integrating it within the current infrastructure is of course something that needs to be weighed against that value. The general conclusion from the study is therefore that for certain applications and record types within the business of Region Skåne there is value in preserving the validity of digital signatures, if it is technically possible and the cost is not too high.

Digital signatures: Signatures of many different kinds are used in many different ways in all types of records and systems, both qualified digital signatures and proprietary ones. System-specific solutions are used, as well as scanning of the physical signatures.

Value of preservation: This was not fully recognised or clearly stated in all workflows, but the study triggered discussions about the need for a focused analysis and a common strategy. The group conclusion was that if it was technically possible there was no clear reason not to preserve the validity when all other parts of a record should be retained.

Legal requirements: A medical journal should be preserved for at least 10 years, thus well past the expiration of any certificate. The recommended Swedish policy within healthcare is “permanent retention” of medical records (no appraisal), which Region Skåne follows. Therefore, preservation of the digital signatures’ validity is of interest, though not explicitly noted as a requirement by the law.

Archived signatures: Records signed by qualified digital signatures, and the digital signatures themselves, have been archived in different ways, without an agreed, stated common strategy. Region Skåne expressed an interest in better understanding how this should be created, planned and implemented, preferably without a specific supplier dependency. Today, as described by Region Skåne, because of a lack of policy and because of technical limitations, archived digital signatures are kept as metadata together with the archived digitally signed record. If the system and the ingest procedures from business system to archive are secure, the validity of the signatures might be considered preserved according to the “system dependency” policy defined by the Swedish National Archives.

Preservation of validity: When a signature is archived today it is not considered for verification of validity, only saved as metadata. If a signature might be needed for validation in the future, it is currently kept in the source system. No other expressed strategy or proprietary process able to recover or prove signature validity was noted as existing at the Region currently.


Recommendations

Region Skåne should describe and agree on a common strategy for how and when qualified digital signatures should be used: both in which use cases a signature should be created, and when and how it should be saved and ingested together with its record into the archive. It should be a stated aspiration that qualified digital signatures are used in a consistent way in all workflows and systems requiring sign-off and signatures.

When a new IT system is procured and integrated, a specification should exist on what is required from the business and legal perspectives to adhere to the stated strategy regarding signatures.

All current business systems used for the most prioritised records have the capability to use and create qualified digital signatures based on the RS cards. Because of this, Region Skåne could build mainly on the existing authentication infrastructure for employees and use Mobile BankID for others. The RS cards are perfect for creating “strong authentication” and qualified digital signatures.

When proper digital signatures are created for the records, a proper strategy for preserving the validity of the digital signatures should also be made, if technically possible. As was shown earlier, the value of the signature’s validity should not be seen as less important than the value of other attributes or information in a record. If the validity can be preserved without unreasonable cost, doing so is strongly advised. Region Skåne should make a choice of how the digital signatures should be preserved:

• as metadata only (trying to preserve secure system dependency in all steps)
• a possible TRUSTER approach.