The introduction of the electronic patient dossier (EPD) for Switzerland is already in full swing. It involves processing confidential patient data, as well as connecting COVID-19 test results to the SwissCovid app. But how can it be ensured that only authorised persons such as doctors or patients can access this sensitive data for both applications? By using identity and access management (IAM) provided by the Swiss identity provider Health Info Net AG (HIN) together with Nevis.
HIN is the standard for secure communication in the Swiss healthcare system and, among other things, takes on the role of an electronic identity provider (IDP) for professionals and institutions. To this end, HIN issues certified electronic identities with which employees can log into professionally relevant applications such as the EPD. Founded in 1996, HIN now includes health professionals from over 20 professional groups as well as hospitals, outpatient care facilities, nursing homes, pharmacies, cantonal and municipal offices and health insurance companies.
Authentication via HIN
If a potential user wishes to register to access applications protected by HIN, HIN needs to ensure that the information provided is truthful. This is done by checking the identity documents, either as scanned copies or via video call. As an identity provider for people in the healthcare sector, HIN also checks profession-specific information, such as entries in the medical register for doctors. Afterwards, the users receive an identity and a means of authentication. These comprise a username and password, to which a second factor is added in each case. The second factor is provided via a text message, via the HIN Authenticator App, which supports a validation mechanism as well as the generation of one-time passwords, or via a hardware token. In addition to the two main procedures, the username/password procedure is only an alternative form of authentication.
Protection for EPD and the SwissCovid app
These authentication procedures are also used in the electronic patient dossier (EPD). Doctors and other healthcare professionals can use it to file documents on the respective patient. For both sides, this will facilitate access to health data. HIN ensures that all legal requirements are met with regard to the identification and authentication of authorised persons.
HIN is also involved in securing sensitive health data for the SwissCovid app. Like the German Corona-Warn-App, the smartphone application is intended to help break infection chains via contact tracing. The tracing system includes a mobile app, which has nothing to do directly with HIN, and the Covidcode web application. If a patient is diagnosed with COVID-19, the doctor logs on to the Covidcode web application using their HIN identity as authentication. Once logged in, they generate a code and then pass it on to the patient concerned, who in turn enters the code in their app. In this way, all contacts are automatically notified.
How Nevis authentication helps with IAM
In 2013, HIN was looking for new software to use as a basis for identity and access management (IAM), i.e., for checking a user’s authorisations. The Nevis solution was chosen because the company was able to convincingly demonstrate that problems that had existed previously would be a thing of the past, especially when it comes to flexibility in terms of newly introduced authentication procedures.
The changeover of the IAM procedure was tantamount to open-heart surgery because there were already 100 connected services at the beginning and the way in which these services are accessed had to be completely changed. End-to-end testing also proved to be a particular challenge, as the HIN client contained several restrictions that limited the performance of the browser-optimised Nevis solution. The solution therefore needed to be optimised to HIN’s needs. In addition, it was necessary to make a hard change from the old IAM system to the new one.
Today, all applications offered by HIN are protected by the Nevis IAM. It involves an automated comparison of data from the ERP system with identity management, in which users are created and roles assigned. Depending on which applications the respective user has obtained via HIN, different authorisations are assigned to them in the identity management system. This reconciliation between ERP and IAM takes place in real time.
The high flexibility of the Nevis solutions comes into its own in both the electronic patient dossier and the Covidcode web application for doctors. Both use secure authentication with Nevis and integrate third-party applications that can be used to upgrade the required range of functions.
Two partners – one goal