The authentication process in Personal Health Record service

By Giampaolo Franco | Saturday May 27th, 2017

From a privacy perspective, SPID – the Italian Public Service for Digital Identity – is compliant with the GDPR, because it is a precautionary measure to protect personal data (Art. 32).

Currently, many online Personal Health Record services allow authentication at Level 2 of ISO/IEC DIS 29115 (Level of Assurance 3, LoA3) and not at Level 3 of the same ISO/IEC DIS 29115 standard (Level of Assurance 4, LoA4).

However, this appears to be at odds with the GDPR since, according to the SPID definition, level 2 is not an appropriate safeguard for personal health data. The highest level of protection (level 3 of ISO/IEC DIS 29115) already exists and is provided to citizens free of charge, not through SPID but through the National Health Card.

The transposition into law did not take the ISO/IEC DIS 29115 standard into account. This is probably because, in the past, in order to make online services easier for citizens to use, some health organisations lowered the security of their authentication process by implementing an OTP – One Time Password – mechanism. As a result, the risk associated with this process has increased.

Moreover, citizens using SPID or other OTP authentication systems are not aware that their data is not protected at the maximum security level they would expect.
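The practical consequence for a Personal Health Record service is that the relying party must verify the assurance level the Identity Provider actually asserted, not merely request one. The following is an added example, not code from the post or from SPID itself; it assumes SPID's SAML 2.0 authentication-context URIs (SpidL1 to SpidL3), a constructed sample assertion, and that signature verification has already been performed before this check runs.

```python
"""Relying-party check of the assurance level a SPID Identity Provider asserted.

Assumption (not from the post): SPID conveys the level in a SAML 2.0
AuthnContextClassRef (https://www.spid.gov.it/SpidL1 .. SpidL3); the
assertion must already have been signature-verified before this check."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# SPID authentication-context URIs in increasing strength.
SPID_LEVELS = {
    "https://www.spid.gov.it/SpidL1": 1,
    "https://www.spid.gov.it/SpidL2": 2,
    "https://www.spid.gov.it/SpidL3": 3,
}

# Minimum level a Personal Health Record service should demand (the post's
# position: level 2 is not enough for health data).
PHR_REQUIRED_LEVEL = 3


def asserted_level(assertion_xml: str) -> int:
    """Return the SPID level found in AuthnContextClassRef, 0 if missing/unknown."""
    root = ET.fromstring(assertion_xml)
    ref = root.find(".//saml:AuthnContextClassRef", NS)
    if ref is None or not ref.text:
        return 0
    return SPID_LEVELS.get(ref.text.strip(), 0)


def meets_minimum(assertion_xml: str, required: int = PHR_REQUIRED_LEVEL) -> bool:
    """True only if the IdP asserted at least the required level; an absent or
    unknown context is treated as level 0 and therefore rejected (fail closed)."""
    return asserted_level(assertion_xml) >= required


def sample_assertion(context_uri: str) -> str:
    """Constructed (unsigned) assertion fragment used as sample input."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:AuthnStatement><saml:AuthnContext>"
        f"<saml:AuthnContextClassRef>{context_uri}</saml:AuthnContextClassRef>"
        "</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>"
    )


if __name__ == "__main__":
    for uri in SPID_LEVELS:
        ok = meets_minimum(sample_assertion(uri))
        print(f"{uri}: {'accepted' if ok else 'rejected'} for PHR access")
```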

A number of malware families can eavesdrop on both the password and the OTP on the same device: smartphone authentication with an OTP delivered via SMS can be quietly ‘hacked’.

I raise two questions: in the event of a breach of health data, how will responsibility be shared? Can liability also be extended to the IP – Identity Provider – that provided the authentication service with a non-standard assurance level?


About Giampaolo Franco

Giampaolo Franco holds a degree in Computer Science and is a Certified Information Security Manager (CISM). Dr. Franco has more than 10 years of experience in governance, risk management, and compliance at Azienda Provinciale per i Servizi Sanitari (APSS, the main healthcare provider of the Autonomous Province of Trento). He is involved in several activities at APSS, including business continuity and disaster recovery, risk analysis, privacy compliance, awareness, internal and external audits, incident management, and the optimization and quality control of IT processes. Previous work experience includes project management, analysis and programming for several financial institutions. He has also been a consultant for the University of Trento, working on a project aimed at defining the organizational and security aspects of introducing integrated models of digital teaching in schools. Dr. Franco continues to pursue research, education and awareness activities related to information security for the Public Administration with remarkable passion and leadership. He is a member of the ISACA VENICE Chapter and the Oracle Community for Security, and a contributor to Europrivacy. In 2016 he won the European Institute of Innovation & Technology (EIT Digital) pre-incubation programme with a project on Art&Technology.

One thought on “The authentication process in Personal Health Record service”

  1. riccardo.abeti

    As far as I know, the way the FSE is accessed in the various Regions is rather heterogeneous. In the event of a breach, it is necessary to define where the breach has an impact and which perimeter has been violated: whether the breach occurs through deficiencies in the systems feeding the FSE, or whether the deficiencies are attributable to whoever manages the FSE system (the individual Region).
    It may also happen that the breach is carried out, for example, through the platform made available by the MEF.
