This article is the second in a series on cybersecurity on the Evolucare website.
Identification requirements and standards for healthcare systems
In a context where cyberattacks are increasing exponentially, and where the healthcare sector, in the midst of its digital transformation, is particularly hard hit, wave 2 of the French “SEGUR Numérique” national digital healthcare programme requires establishments to implement, by 12/31/2025 at the latest, two-factor authentication and substantial electronic identification means within the meaning of the eIDAS framework.
But what does this mean in concrete terms?
eIDAS is the European standard for electronic IDentification, Authentication and trust Services. It has been in force since 2014 and defines a set of requirements for electronic identification and for trust services used in electronic transactions.
In particular, it defines a scale of assurance (confidence) levels for electronic identification means (EMI).
To draw a parallel with the physical world, compare your voter’s card (paper, bearing your first and last name), your driving licence (paper or plastic, bearing a photo and your first and last name) and your identity card (plastic, renewed every 15 years, bearing a recent photo and your first and last name).
You can identify or “authenticate” yourself with all three, but in certain more sensitive situations you will be asked for the most secure of the three. For example, in communes with more than 1,000 inhabitants, you can vote with your identity card alone, but not with your voter’s card alone.
In the same way, electronic identification means are classified according to how they are generated, handed over to their owner, managed, handled and authenticated, into three levels: low, substantial and high.
The aim of SEGUR wave 2, in order to strengthen the security of healthcare information systems, is therefore to lead players towards substantial, rather than low (“weak”), means of identification.
To summarize the “substantial” EMI, a diagram is better than a long speech:
The substantial EMIs in the eIDAS sense available today are:
- CPx cards (French healthcare professional chip cards), which have the added advantage of being free of charge
- EMIs certified by ANSSI, the French national cybersecurity agency (FIDO keys, such as some YubiKeys)
- EMIs independently certified through the ANSSI certification process (costly in time and effort)
- Authentication via ProSantéConnect (the French national authentication service for healthcare professionals)
A progressive yet ambitious timetable
In the official timetable, a gradual transition is possible, with “reinforced” low EMIs as an intermediate stage before moving on to substantial EMIs.
Authorized electronic authentication methods for players in the healthcare, social and social care sectors
However, as articles 3 and 4 in this series will show, implementing substantial EMIs is a genuine establishment-wide project, requiring human, technical and financial investment. Our recommendation is to decide now on a strategy for switching to substantial EMIs and two-factor authentication, without intermediate steps.
Stay tuned!
Previously: https://www.evolucare.com/en/cybersecurity-episode-1-identification-authentification-autorization/
Sources (in French)
- Exigences SEGUR vague 2
- DSR-HOP-DPI-Va2-Prepublication – §3.2.5, 3.2.6
- REM-HOP-DPI-Va2-Prepublication
- Référentiel d’identification électronique, made binding by the order (arrêté) of 28/03/2022 – §2.9, 2.10, 4.1.1, 4.4, 4.5
- Référentiel ProSanté Connect, made binding by the order of 4/04/2022
- ProSanté Connect implementation mandatory since 01/01/2023 for sensitive digital services
- Registration in the RPPS of all professionals needing access to the SNS (via PSC) – Order of 23/09/2022
- Référentiel de sécurité et d’interopérabilité relatif à l’accès des professionnels au DMP, made binding by the order of 26/10/2023 – §1.6.2
- Recommendations on multi-factor authentication and passwords | ANSSI (cyber.gouv.fr)
- ANS_Référentiel_Identifiant_National_de_Santé_V2.0.pdf (esante.gouv.fr)
- The “eIDAS” Regulation No 910/2014
- Products and services qualified by ANSSI (cyber.gouv.fr)
- Security accreditation (homologation) | ANSSI (cyber.gouv.fr)
- PGSSI-S_Guide_Pratique-Homologation MIE-V1.0 (esante.gouv.fr)