This article is the third in a series on cybersecurity on the Evolucare website.
The deployment project
Deploying substantial means of electronic identification and strong authentication is a facility-wide project. Although the French “Ségur Numérique” digital programme has made this a requirement for access to the DMP (the French national patient healthcare record), it would make no sense to deploy a specific solution for that access alone and keep the previous solutions for all other accesses.
As a software publisher, our primary responsibility is to ensure that our products are compatible with the solutions chosen by establishments from among those authorized by the interoperability repository. Since we ruled out the “weak reinforced EMI eIDAS” stage in the previous article in order to go straight to the target, establishments are left with two options for these solutions:
- Use an “in-house” solution, with hardware chosen by the establishment, approved according to French ANSSI standards and accepted by ANS (the French healthcare digital agency).
- Use a “market” solution, based on ANSSI-certified equipment, including CPx healthcare professional chip cards.
This second solution is the one recommended by Evolucare: it offers establishments the most guarantees for the least effort, and it is based on a standard maintained by the healthcare and cybersecurity authorities.
Taking a step back from the project, we can identify two main aspects to be addressed: the technical aspect, and the human aspect.
Let’s talk technology
As we have seen in articles 1 and 2, the technical side of this subject is not trivial, but it is the side that can most easily be supported by technologies, standards, and even project management and project management support companies. This is where the advantage of CPx cards shows, since there is extensive documentation and feedback on their deployment.
Among the major technical issues to be addressed in the project are, first of all, the choice of hardware (physical cards or tokens, card readers, etc.) and, behind this choice, all the compatibility issues: with Active Directory (the establishment’s electronic directory), with the software in use, and with any physical access readers.
There is also a question of technical capacity, which establishments do not necessarily have at the start of the project and which will have to be built up or reinforced so that the system can be kept in a secure condition thereafter.
The deployment project – Let’s talk human
On the human side, the deployment project can only succeed, and lead to new habits anchored in behaviour, if change management is taken into account from the outset and the reactions of future users are anticipated.
For this reason, it is advisable to start by identifying at least one “key user” in each department, or within each type of population (doctors, nursing staff, administrative staff), who will be responsible for representing his or her colleagues, sharing their needs with the project team, assessing the acceptability of the proposed changes, and championing the project within the teams.
Modifying means of identification and authentication, particularly when implementing strong authentication with a physical token such as the CPx card, is not just a technical project but also an organizational one. So, during the project phase, you need to think about future operating modes and where they will take place. When will this authentication be used? Where will it be used? At which points in the medical process? How can it be integrated as seamlessly as possible into users’ movements? Everyday difficulties, such as a forgotten card, also need to be anticipated. The help of key users will be invaluable in finding answers to these questions.
One advantage of the CPx card, which can be reproduced with other systems if a different choice is made, is that it allows consolidation on a single medium not only of computer access but also of access to buildings, canteens and so on. Wherever possible, anything that can simplify users’ lives during this changeover should be implemented.
And don’t forget the badge’s accessories: a badge holder to protect it; a badge reel, so that it stays handy and access controls can be operated easily; and a lanyard (with the establishment’s logo?) for those who prefer to wear it around their neck rather than on their belt.
The project will also need to include training for users, with “reference sheets” to be distributed liberally in the first few days after deployment, and reinforced support for a few weeks after each new deployment.
Let’s talk about the project deployment
If we now turn to the time dimension, deployment projects of this type generally have three main phases.
A “POC” (proof of concept): an initial, small-scale deployment with a team that does not perform a critical function in the establishment (for example, the IT team or an administrative team). This POC is followed by a pilot, in which an entire business department is deployed, if possible on a voluntary basis.
These first two phases let us validate that we have mastered all the stages of deploying, operating and maintaining the new system. They are a kind of “real-life testing”.
And finally, once this is under control, comes the roll-out itself: gradual, department by department, starting with the most critical departments.
As part of this roll-out, we recommend that, technical resources permitting, a “parallel run” phase be planned, in which strong authentication with a substantial EMI is possible and recommended but the previous authentication remains available, so that any difficulties that arise can be overcome quickly.
To ensure the project’s success, it is best to adopt a “slow wins” approach and not try to do everything at once. Deployment can be staged not only across the site’s departments but also across the functionalities offered with the badge.
The project concludes with the formalization of a security approval for the entire system, which enables the establishment to interface with the DMP (the AIR transaction) and to declare it to the Assurance Maladie.
Stay tuned!
Previously: https://www.evolucare.com/en/cybersecurity-episode-2-healthcare-id/