«The ongoing development of the HIN platform is taking place in close cooperation with Nevis. Our mutual goal is and remains the digitalization of the Swiss healthcare system and the continued push for the added user convenience and efficiency that come along with it.»
HIN relies on Nevis AG solutions for Identity and Access Management (IAM), the verification of user permissions. Our quick and seamless solution as well as the flexibility to incorporate new authentication procedures were crucial to our cooperation which began in late 2013.
The migration of the IAM process proved very challenging as there were already 100 connected services at the start. The way these services are accessed was completely replaced, a process akin to an open heart operation. End-to-end testing was particularly challenging. The main issue here was to resolve initial performance problems: the HIN client to be installed on the respective workstations, the one usually used by doctors in private practices, contained added restrictions that limited the performance of the Nevis browser-optimized solution. As such, the solution had to be optimized for HIN’s requirements. Moreover, a lazy migration was impossible. Instead a big bang migration had to be performed – so a hard transition from the old to the new IAM system.
Today, all applications offered by HIN are protected by Nevis IAM. This involves automated reconciliation of data from the ERP system with the identity management, which creates users and assigns roles. Depending on which applications users obtain from HIN, they receive different permissions in the identity management. Reconciliation between the ERP and IAM takes place in real-time.
Application security is accomplished using various mechanisms including a web application firewall. This eliminates the possibility of data extraction through SQL injection or cross-site request forgery (attacks via the web channel). Passwords are only stored as a hash value and password policies define both the required length of the passwords as well as how frequently they should be changed. The solutions were audited and certified by KPMG in accordance with the Swiss eHealth standard – including the data center in Switzerland, which ensures that sensitive data does not leave the country’s borders.
The high level of flexibility of Nevis solutions is fully exploited by doctors for both the electronic health record and the Covid code web application. Both rely on Nevi’s secure authentication and integrate third-party applications to add a necessary range of functions.