
Release 1

Readiness Criteria Checklist

Document Control Page

Document Title: eHealth DSI Readiness Criteria Checklist
Project Title: eHealth DSI Solution Provider
Version: 1.00
Date: 3/28/2017
Sensitivity: Internal
Authors: eHDSI Solution Provider
Revised by:
Approved by:

Document History

Edition | Rev. | Date | Description of Change | Action (*) | Sheet
0 | 10 | 1/19/2017 | Initial Version | I | All
0 | 20 | 2/1/2017 | Change of Title from "Information Security Controls Analysis" to "Readiness Criteria Checklist"; Added Rating Criteria and Scoring; Added Specific Questions for NCP implementation to sections 11, 17 | I, R | Rating Criteria, 11, 17
0 | 30 | 3/6/2017 | Sections changed to the six areas / domains: Legislation; Organisation; Semantics; Information Security; Operations-Services; Technical Domain | I, R | All
0 | 40 | 3/20/2017 | Criteria inserted in domains/areas | I, R | As needed
1 | 0 | 3/28/2017 | Criteria inserted in domains/areas | I | As needed
(*) Action: I = Insert, R = Replace

Disclaimer
"Release Candidate" versions are provided for evaluation/approval purposes only. Minor updates that benefit the document maturity
are expected towards the "Production Release".
Responsibility for the information and views set out in this document lies entirely with the authors.
Reproduction is authorised provided the source is acknowledged.
Rating | Score | Finding | Criterion Implementation Level
Non Compliance | 1 | Finding-A | 0% - 25%
Partial Compliance | 2 | Finding-B | 25% - 50%
Compliance | 3 | Recommendation | 50% - 75%
Compliance | 4 | Satisfaction | 75% - 100%

Area
L. Legal-Regulatory Domain
O. Organisational Domain
IS. Information Security Domain
OS. Operations-Services Domain
S. Semantics Domain
T. Technical Domain

RATING THE CRITERIA

Non Compliance (Score 1, Finding-A; implementation level 0% - 25%)
The requirement of implementing this criterion is not met.
A finding of this type can be the result of, but is not limited to, the following:
- a weakness that diminishes the readiness criterion
- a disregarded requirement/criterion
- a weak application of a control which under circumstances can bypass a requirement/criterion
- complete absence of relevant documentation
The Finding-A should be described in detail and supporting proof provided.

Partial Compliance (Score 2, Finding-B; implementation level 25% - 50%)
The criterion is understood and has proof of an ad hoc implementation.
A finding of this type is partially met but might have one or more limitations such as:
- some inconsistencies in the implementation
- not adequately following the requirement
- inconsistencies or gaps between the documentation and the actual implementation, which require improvement of the documentation and/or implementation
- a weak application of a control which under circumstances can bypass a requirement and lead to a Finding-A weakness

Compliance (Score 3, Recommendation; implementation level 50% - 75%)
This is implemented to an extent where the criterion is largely met, and a documented description exists.
It has a low impact but might become greater in time.
The fulfilment of the criterion should be monitored.

Compliance (Score 4, Satisfaction; implementation level 75% - 100%)
Fully implemented and satisfactorily and systematically executed.
Documentation is supportive and sufficient.

RESULTS OF RATING

Area | Average Score | Criterion/Area Implementation Compliance
L. Legal-Regulatory Domain | | Not Scored
O. Organisational Domain | | Not Scored
IS. Information Security Domain | | Not Scored
OS. Operations-Services Domain | | Not Scored
S. Semantics Domain | | Not Scored
T. Technical Domain | | Not Scored
Area: L. Legal-Regulatory Domain
Section: Legislation and Regulation

Criteria - Checks (Score)
- Does the NCPeH ensure that relevant legislation and regulation is understood by establishing contact with the appropriate authorities such as the EC and the National Administration? (Score: 0)
- Is the applicable legislation and regulation referenced in the NCPeH governance documentation, such as policies, plans and procedures that apply to all areas (semantics, operations, information security, technical, organisational)? (Score: 0)
- A process to be notified of changes in legislation etc. is in place, including but not limited to a review to determine the impact on operating the eHealth information system. (Score: 0)
- Does the NCPeH have in place contractual agreements with National Health Care Organisations to provide its services to patients? (Score: 0)
- Does the NCPeH have in place contractual agreements with its national contractual partners to provide services to patients or services to the NCPeH organisation? (Score: 0)
- Is the NCPeH, together with its national contractual partners, legally recognised as a data controller or data processor in accordance with domestic data protection legislation? (Score: 0)
- Is the NCPeH, together with its national contractual partners, legally competent to execute contractual agreements with all domestic partners in compliance with domestic data protection legislation? (Score: 0)
- Is the NCPeH, together with its national contractual partners, legally competent to enforce audit and corrective actions emerging from audits? (Score: 0)
- The OFW-NCPeH takes into consideration the following eHN guidelines: (Score: 0)
  • EU Patient Summary Guidelines
  • EU ePrescription Guidelines
- A single NCPeH communication gateway should be responsible for interaction with other MS NCPeH communication gateways for cross-border services. (Score: 0)
- If a MS has two or more Regional Contact Points, it needs to nominate one to act as an NCPeH, to act as the national gateway vis-à-vis other MS. Is the NCPeH audited in compliance with this requirement? (Score: 0)
- The MS must ensure that the NCPeH for the CBeHIS has clearly identified the responsible data controller and data processor in accordance with the provisions of Directive 95/46 EU. (Score: 0)
- The NCPeH must ensure that CBeHIS data is not transmitted to MS not belonging to or allowed into the CBeHIS environment. (Score: 0)
- The NCPeH shall guarantee that all CBeHIS agreed service requirements and specifications (legal, organisational, semantic and technical) are fulfilled (see Operations-Services Domain). (Score: 0)

Average Area Score: 0
Area: Not Compliant


Area: O. Organisational Domain
Section: NCPeH organisational responsibilities

Criteria - Checks (Score)
- Is the NCPeH compliant with the OFW-NCPeH in relation to having established a single NCPeH communication gateway for interaction with other MS NCPeH communication gateways for cross-border services? (Score: 0)
- Does the MS have Regional Contact Points (RCPeH)? RCPeHs are replicas of both the technological and organisational arrangements of a typical NCPeH and should follow the same principles and requirements as the NCPeH. Is there only one nominated to act as the NCPeH, the national gateway vis-à-vis other MS? (Score: 0)
- What are the monitoring procedures established between the MS and its NCPeH? (Score: 0)
- Does the NCPeH provide national training materials and activities to support the CBeHIS operation? (Score: 0)
- Has the NCPeH established the connection with the national infrastructure? (Score: 0)
- The NCPeH shall establish appropriate security and data protection systems to conform to CBeHIS requirements as well as all applicable national requirements. (Score: 0)
- The NCPeH shall collaborate actively on the harmonisation of guidelines and appropriate practices to facilitate the establishment of the CBeHIS environment. (Score: 0)
- The NCPeH shall adopt a national OFW-NCPeH on CBeHIS that comprises commonly adopted policies, processes and audit mechanisms. (Score: 0)
- The NCPeH must ensure the appropriate interface with the core services set up at EU level. (Score: 0)

Average Area Score: 0
Area: Not Compliant


Area: IS. Information Security Domain
Section: Information Security Policy and Management

Criteria - Checks (Score)
- Participating MS must ensure that they are fully compliant with the CBeHIS Security Policy. (Score: 0)
- The NCPeH Security Policy Baseline creates a general security and data protection baseline adapted to CBeHIS needs.
- The NCPeH Security Policy Baseline addresses all elements of data flows in the CBeHIS, including national and cross-border data flows. (Score: 0)
- The NCPeH shall take all reasonable steps to ensure data security (including data confidentiality, integrity, authenticity, availability and non-repudiation). (Score: 0)
- NCPeH must ensure that cross-border data is not transmitted via these services to a Member State that either does not belong to or is not allowed into the cross-border environment. (Score: 0)
- Member States shall ensure that communication of identifiable personal health data is subject to secure communication and end-to-end security measures. (Score: 0)
- 6. Member States shall ensure that their NCPeH establish an appropriate system of audit trail and shall: (Score: 0)
  a) allow authorised official bodies to duly inspect the established mechanisms for data collection, processing, translation and transmitting (Score: 0)
  b) make logs available for legal purposes, e.g. if requested by a patient. (Score: 0)
- The Member States must ensure that the eHNCP has clearly identified the responsible data controller and data processor in accordance with the provisions of the General Data Protection Regulation. (Score: 0)

Average Area Score: 0
Area: Not Compliant

Area: IS. Information Security Domain
Section: Security Incident Management
Sub-section: Information Security Incidents

Criteria - Checks (Score)
- Does the NCPeH have policies in place which set out how information security incidents, and breaches of the confidentiality of data, should be managed? (Score: 0)
- Are the security responsibilities of technical staff and the data security officer addressed at the recruitment stage, included in contracts, and monitored during an individual's employment? Does the NCPeH have employees and third party users of information processing facilities sign a confidentiality (non-disclosure) agreement? (Score: 0)
- Incidents affecting security MUST be reported to the designated (by each MS) point of contact through appropriate management channels as quickly as possible. (Score: 0)
- Are all staff trained in security procedures and the correct use of the information processing facilities to minimise possible security incidents and risks? (Score: 0)
- Responsibilities and procedures for the management and operation of information processing facilities must be established. This includes the development of appropriate operating instructions and incident response procedures. (Score: 0)

Average Area Score: 0
Area: Not Compliant
Area
Area: OS. Operations-Services Domain
Section: Service Management

The NCPeH shall guarantee that all CBeHIS agreed service requirements and specifications (legal, organisational, semantic and technical) are fulfilled.

Criteria - Checks (Score)
- Does the NCPeH have a documented Service Management Process? (Score: 0)
- • Does the NCPeH have defined requirements for outsourced services? (Score: 0)
  • Are these written in agreements such as Service Level Agreements, Underpinning Contracts, Operational Level Agreements (including Warranty, Maintenance and Hosting agreements)?
  • Is each service delivered by the outsourced service provider defined, agreed and documented in at least one SLA?
- If two or more Regional Contact Points exist in a MS, is there a formal nomination of which one acts as the NCPeH, acting as the national gateway vis-à-vis the NCPeH of another MS? (Score: 0)
- • Do the Service Level Agreements existing between the NCPeHs in the CBeHIS network define minimum availability requirements? (Score: 0)
  • The cross-border services MUST always be available (7x7, h24);
  • Do the SLAs define the specification of an availability of the NCPeH provided services of at least 95% per month, 7 days per week, from 7:00 am to 8:00 pm?
  • Do SLAs include agreements and exceptions on the service level targets and expected service workload characteristics?
- • Does the NCPeH compare service provision of the outsourced services with the agreed service levels? (Score: 0)
  • Are these levels compared and compatible with service levels of the NCPeHs in the CBeHIS network?
- Are the NCPeH agreed service levels between the CBeHIS network partners in line with the Service Levels agreed between the NCPeH and its service providers? (Score: 0)
- Does the outsourced service have a mechanism for keeping the service catalogue in line with new/changed services? (Score: 0)
- • Is a communication and escalation management process defined, agreed and implemented: (Score: 0)
    - for the NCPeH?
    - between the NCPeHs in the CBeHIS Network?
  • Does the NCPeH document the roles responsible for escalation management?
- • Is the role of the Service Desk or Help Desk function defined?
  • Are the organisational structures of the Service Desk function defined?

Section: Service Level Monitoring and Reporting

Criteria - Checks (Score)
- Does the NCPeH receive at defined frequencies the Service Level Report(s) (SLRs) from the outsourced service operators? At least once per month? (Score: 0)
- Is the full range of the outsourced services documented, for example in a service catalogue? (Score: 0)
- Does each SLA between service provider and customer describe the exact services to be provided? (Score: 0)
- Are SLAs mutually agreed and authorised by the responsible stakeholders (formal agreements)? (Score: 0)
- If multiple service providers are used for a variety of services: do all support agreements support the SLA between the service providers and the NCPeH needs? For example, is each contribution of the correct scope? (Score: 0)
  • Are service targets compatible?
  • Have differences in service hours been allowed for in the service targets?
- Do all formal agreements reflect the potential need for changes to the service, workload or service levels by including a mechanism for changing the agreements? (Score: 0)
- Is there a clause stating when contributions of service providers are to be reviewed and changed as NCPeH needs change or the service needs change? (Score: 0)
- Are SLAs under the control of the change management process? (Score: 0)
- Are the SLAs maintained by regular reviews by the parties to ensure that they are up-to-date and remain effective over time? (Score: 0)
- Are the service levels monitored and reported against targets? (Score: 0)
- Are trends in service levels reported and compared to current service levels? (Score: 0)
- Are the reasons for non-conformance to targets reported in the SLR (service level reporting)? (Score: 0)
- Are actions for improvement identified, recorded and used as input to a plan for improving the service? (Score: 0)

Average Area Score: 0
Area: Not Compliant


Area: S. Semantics Domain

Criteria - Checks (Score)
- Does the NCPeH have documented procedures for ensuring that semantic transformation (e.g. translation and mapping), which is needed for the cross-border information exchange, is performed according to the eHDSI semantic requirements and specifications defined? (Score: 0)
- Does the NCPeH have documented policies or procedures defining how to ensure accuracy and integrity of the semantic processing? (Score: 0)
- Does the NCPeH maintain the national versions of the controlled vocabularies used in semantic transformation? Are these versions managed under change and configuration management? (Score: 0)
- Safe and secure cross-border care requires an ability to convey both meaning and context in data exchange. It is agreed that to achieve this, it is necessary to have structured and coded data for identified fields. (Score: 0)
- The responsibility for the accuracy and integrity of the process is with each national designated competent entity for such semantic processing. (Score: 0)
- The eHNCP must use the latest version of the Master Valueset Catalogue and the maintained national versions of these controlled vocabularies used in semantic transformation. (Score: 0)
- Member States must ensure the eHNCP performs semantic transformation (e.g. translation and mapping), which is needed for the cross-border information exchange. (Score: 0)
- Member States wishing to engage in cross-border communication must provide conformant messages operating to standards agreed by the eHN. Internally, Member States may perform mapping, transcoding and translation activities to local codes to support such activity. (Score: 0)
- Does the NCPeH have documented procedures for ensuring that semantic transformation (e.g. translation and mapping), which is needed for the cross-border information exchange, is performed according to the semantic requirements and specifications provided in 6.4 Appendix D: Semantic requirements and specifications? (Score: 0)
- The responsibility for the accuracy and integrity of the process is with each national designated competent entity for such semantic processing. (Score: 0)
- Liability for errors in the semantic transformation will be described in the MLA. (Score: 0)
- The NCPeH must provide a gateway service, a request port and a semantic transformation service in order to enable it to execute the core steps in the CBeHIS (e.g. Patient Summary, ePrescription). (Score: 0)
- The NCPeH must maintain the national versions of the controlled vocabularies used in semantic transformation. (Score: 0)
- Each Contracting Party shall ensure semantic transformation as needed for cross-border healthcare via CBeHIS. (Score: 0)
- Each Contracting Party is responsible for the accuracy and integrity of semantic processing and must therefore use the latest version of the Master Value Set Catalogue[1] and maintained national versions of these controlled vocabularies used in semantic transformation. (Score: 0)
- Each Contracting Party is liable towards Patients and other Contracting Parties according to Clause II.1.2 for any damage resulting from errors in semantic transformation. (Score: 0)

Average Area Score: 0
Area: Not Compliant
Area: T. Technical Domain

Criteria - Checks (Score)
- Member States must provide a gateway service, a request port and a semantic transformation service in order to enable the core steps for relevant cross-border use cases to be executed. (Score: 0)
- The NCPeH shall guarantee that all cross-border service requirements and specifications (legal, organisational, semantic and technical) agreed by the eHN are fulfilled. (Score: 0)
- The NCPeH must ensure the appropriate interface with the core services set up at EU level. (Score: 0)

Average Area Score: 0
Area: Not Compliant
