
Digital identities in healthcare – an overview

Author: Nico Martens, Consultant SRC Security Research & Consulting GmbH

Digital identities can take many different forms. Each has its justification, and each has its advantages and disadvantages. Some are particularly convenient to use, others are particularly secure, and still others are particularly innovative. Which is the best choice for the German health system? Is there even a single best solution? Several variants exist today, and another one is on the way.

Digital identities are a prerequisite for the use of personalised digital services, and the health sector is no exception. For example, someone who uses an electronic patient record (ePA) expects to find their own health data in it, not another person's. It is even less acceptable for one's own patient record to be viewed by other people without authorisation. For the ePA record system to control access to the records correctly, each record must be assigned to an identity: the digital identity of the insured person.

gematik GmbH is responsible for the design of digital identities in the health sector. The company was founded in 2005 on a statutory basis (cf. SGB V) and tasked with establishing the telematics infrastructure (TI) for the secure digital networking of the actors in the health care system.

Currently, there are various forms of digital identities in the TI. The most widespread is a digital identity in the form of a cryptographic key together with a certificate from the TI's public key infrastructure (PKI), stored on a personal smart card. A good overview of the smart cards used in the TI can be found on the gematik specialist portal under the title “Smartcards in der TI”.

Smart cards in the TI
Probably the best-known smart card in this context is the electronic health card (eGK), which everyone with statutory health insurance in Germany receives from their health insurer. On the one hand, the eGK serves the insured person as proof of health insurance; on the other hand, the insured person can use it to authenticate towards the specialist services of the TI, such as the ePA or the electronic prescription (e-prescription).

In addition to the eGK, there are other smart cards in the TI: the health professional card (HBA), which stores the digital identity of a service provider (e.g. a doctor); the SMC-B, an institution card that stores the digital identity of a service provider institution (e.g. a doctor’s practice); and device-specific smart cards for the connector (gSMC-K) and for eHealth card terminals (gSMC-KT).

With the ePA, the first specialist service entered the TI that the insured person could access from their own device via the internet. The patient data stored in the record belong to the special categories of personal data under Article 9 of the GDPR. The sensitivity of this data requires correspondingly strong access protection, and that includes the level of trust in the authentication of the user. To achieve the necessary level of trust in the authentication of the insured person, authentication by means of the eGK was specified. Here, the insured person uses their personal device and the ePA frontend of the insured person (ePA FdV). During authentication, the record system sends a random number in a challenge-response protocol. The insured person holds their NFC-enabled eGK to their NFC-enabled device and signs the random number with the key material on the eGK. The record system verifies the signature, and a valid signature is the proof of successful authentication. In addition to a compatible device, this process requires an NFC-enabled eGK and knowledge of the PIN. The need for an additional hardware token such as a smart card has so far been a hurdle to use. To remove this hurdle, gematik also introduced the so-called alternative insured person identity when the ePA was launched.

The Alternative Insured Person Identity
The alternative insured person identity (al.vi) moves the signing of the random number in the challenge-response procedure between the record system and the front end from the eGK to a signature service. The signature service stores a separate signature key for each user; signatures made with that key can in turn be verified via a certificate from the TI’s trust space. To use the signature key, the user must authenticate with the signature service. Any authentication procedure that meets at least the assurance level “substantial” under the eIDAS Regulation can be used, which means that procedures without additional hardware are also possible. Compared with the eGK, the signature service has the security-related disadvantage that the insured person no longer has the signature key directly under their own control.
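The challenge-response step described for the ePA and the al.vi, as an added example that is not gematik's code or specification: the record system issues a random challenge, the key holder signs it (the eGK itself, or the signature service acting for the user), and the record system verifies the signature and accepts each challenge only once. ECDSA P-256, the function names and the in-memory challenge store are assumptions; the real TI profiles and the certificate chain check are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Record-system side: outstanding challenges keyed by hex nonce, each accepted once.
var pending = map[string]bool{}
// Challenge returns a fresh 32-byte random number and records it as outstanding.
func Challenge() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no entropy, no challenge
	}
	pending[hex.EncodeToString(nonce)] = true
	return nonce
}

// Authenticate consumes the challenge before verifying, so a captured signature cannot be
// replayed, then checks it with the public key from the user's TI certificate (chain validated beforehand).
func Authenticate(pub *ecdsa.PublicKey, nonce, sig []byte) error {
	k := hex.EncodeToString(nonce)
	if !pending[k] {
		return errors.New("unknown or already used challenge")
	}
	delete(pending, k)
	digest := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Sign stands in for the key holder: the eGK (PIN-unlocked, via NFC) or, with the al.vi, the signature service.
func Sign(priv *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}
func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed key pair, not a real eGK key
	nonce := Challenge()
	sig, _ := Sign(priv, nonce)
	fmt.Println(Authenticate(&priv.PublicKey, nonce, sig), Authenticate(&priv.PublicKey, nonce, sig))
}
```

The second call in main fails because the challenge was consumed by the first; that single-use rule is what stops a recorded signature from being replayed against the record system.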

The Identity Provider Service
With the introduction of the e-prescription, gematik relied for the first time on the model of an identity provider service (IDP service), today also called the central IDP or smart card IDP. The idea is to detach user authentication from the specialist service and have it carried out by the IDP service, which then provides the specialist service with an authentication confirmation based on OpenID Connect. In this way, each service fulfils its own functional purpose. In addition, the IDP service can, at least in theory, also authenticate users for other specialist services such as the ePA. The authentication functionality thus does not have to be specified and implemented anew for each specialist service, and the user can reuse an existing registration with the IDP service. Since the eGK must again be used for authentication with the IDP service, the same digital identity is used here as with the ePA. Although the user can also authenticate with biometric procedures after initial identification, depending on the capabilities of their device, they must still authenticate regularly with the eGK (except on a few suitable devices) in order to maintain the security level.

Fasttrack
The Fasttrack solution was developed to give the insured person access to the e-prescription that is as convenient as access to the ePA. Here, the IDP service is coupled with the signature service of the ePA, so that authentication via the al.vi becomes possible. A prerequisite for use, however, is that the insured person has an ePA and has set up the al.vi.

Federated identity management
At the end of 2020, gematik published the white paper Arena for digital medicine, in which it announced, among other things, TI 2.0. In this context, a further model for digital identity was presented: federated identity management.

In federated identity management, there is no longer a central IDP service but a set of so-called sectoral identity providers (sectoral IDPs) organised in a federation; they are sometimes also referred to as decentralised IDPs. As with the central IDP, the basis is again OpenID Connect, and the federation itself is based on the OpenID Connect Federation standard. The sectoral IDPs are to be provided by the health insurance funds. The idea is that each health insurance fund manages the digital identities of its insured persons, authenticates them, and confirms this to the specialist services in the TI and the future TI 2.0. Federated identity management is intended to implement the requirements of § 291 SGB V, according to which the statutory health insurance funds must provide their insured persons with a digital identity on request from 1 January 2023. Since the final specifications for federated identity management have not yet been published as of mid-December 2022, the actual introduction of these digital identities will probably take some time.

Conclusion
There are currently various forms of digital identities in the TI. With the introduction of TI 2.0, federated identity management could displace the other forms, and the legislator also seems to be planning this. For example, the Digital Care and Nursing Modernisation Act (DVPM) states that “the digital identities shall serve in the same way as the electronic health card for the authentication of the insured person in the health care system and as proof of insurance”. According to the currently published draft specifications, however, the eGK continues to play a role in federated identity management for the authentication of the insured person. For the time being, all the forms of digital identity described here will probably retain their relevance for a functioning TI and an increasingly digital health care system.
