Health data is particularly sensitive: there are few things that scare people more than the news that this highly personal information may have fallen into the wrong hands. It is a horror scenario that patients and healthcare institutions are confronted with time and again, because cybercriminals have no scruples. One of the most serious incidents in recent years was the attempted blackmail of the Finnish psychotherapy company Vastaamo, at the end of which some 30,000 treatment records were freely available on the net. According to a recent study by Kaspersky, the loss of patient and company data is considered one of the most significant cyberthreats in the Swiss healthcare sector. Clinerion, a company specialising in medical informatics, has therefore opted for particularly secure two-factor authentication compliant with the FIDO standard (Fast Identity Online) to protect its data. In addition to the added security, this also enables passwordless login. Nevis was chosen as the partner for the project.
Clinerion’s Patient Network Explorer is a tool that optimises patient recruitment for clinical trials by making the search and identification of potential candidates more efficient. Researchers can use the cloud application to display search results for suitable patient groups, for example for clinical trials of new pharmaceutical products. These also serve as a basis for enquiries to the hospitals in the network.
The clinics keep the patient data, anonymised in accordance with GDPR, on their own servers, and these data sets must be reconciled. The patients’ data is not stored in the cloud itself; rather, the systems exchange data with each other when requests are made. During this process, it must be ensured at all times that no one can log into the Patient Network Explorer without authorisation and access the data.
As a new security factor in the login process, Clinerion (in cooperation with Nevis) has introduced two-factor authentication according to the FIDO standard. It is available for both Android and iOS in a version of the Nevis Mobile App that has been branded with Clinerion’s corporate identity. The Nevis Authentication Cloud allows passwordless login, which makes the user’s daily work easier.
Integrating the Authentication Cloud does not require any extensive intervention in a company’s security architecture. At Clinerion, the actual API integration of the solution in the back end was also simple and took only a few days. Adapting the software, especially for Android, took more time and some additional corrections. Many users have company mobile phones on which older versions of the operating system are installed. Equally essential is the presence of biometric sensors, which are only built into newer devices. A fall-back is available for such cases: authentication can still be carried out via e-mail or SMS. For devices running iOS, on the other hand, the situation is different. It turned out to be advantageous that Apple also supplies its older models with the current version 14 of the operating system.
In the medium term, this set-up will of course be fine-tuned in order to further increase the security of the registration process. Gradually, Clinerion’s customer base is phasing out their older Android devices and replacing them with newer models. As soon as adequate penetration has been achieved here, FIDO-standard two-factor authentication can be made mandatory for logging in. From that point on, since there will no longer be any need to register via e-mail or SMS, there will also be a cost saving, another plus point of the mobile app.
No new authentication procedure can be implemented without an extensive test phase. This was also the case with the mobile app and the Authentication Cloud. Due to the manageable size of the project, it was not necessary to outsource testing or carry out extensive trials with the participation of users. Instead, the developers were able to put the application through its paces themselves before it was released. During the final phase of the project, one factor became apparent that must always be considered when publishing an app: publication of an application in the Google and Apple stores is relatively complex and involves longer waiting times. In order to complete the process as quickly and efficiently as possible, Clinerion was able to rely on the support of Nevis.