Health-RI wiki v4.0 -> consultatie (open tot 03-12-2024)


Identification and authentication service

The identification and authentication service is a generic function used for research in the secondary process.

The identification and authentication service consists of a collection of applications that identify and authenticate a user. Identification and authentication are the first two steps in the access control process, authorization is the third.

  • Identification refers to making a user's identity known, whereby the user submits his or her digital identity to the system.

  • Authentication checks whether the user really is who he or she says he or she is. The digital identity is verified with the party that issued it, the identity provider.

  • Authorization controls access to services and data. This is out of scope for the Identification and Authentication service.

image-20240502-093919.png

Assumptions

  • The identification and authentication service complies with the NEN standard Identification & authentication (under development).

  • Health-RI itself does not act as an Identity Provider (IdP), but uses identities issued and controlled by other organizations, creating a federated trust network.

  • We use the AARC blueprint architecture as a reference architecture.

  • We use an interoperable IAA solution to connect internationally in the future and to enable single log-on in the Health-RI ecosystem.

  • We use eIDAS reliability levels

  • The required reliability level is determined per service and per dataset to which access is granted

Required functionality

  • Identify end users from the following user groups:

    • Researchers at UMCs

    • Healthcare providers and researchers at general and top clinical hospitals

    • Innovators (companies)

    • Policymakers

    • Patients/Citizens

  • A user who logs in to the national health data portal can use the data catalogue, the application system and an analysis environment, without having to log in again.

  • User information can be exchanged between different parts of the national health data portal for a personalized experience (dashboard).

  • Objects such as algorithms and processing environments can be identified.

 

 

Requirements for Identity Providers and IdP federations

  • The issued identity must have a high level of reliability, which means that we are almost certain to which person the identity is linked. To achieve this, the identity must be verified, for example through a passport control.

  • Identity information can be exchanged via the OIDC protocol.

  • To use services that provide access to highly confidential data, an IdP should require best practice authentication (currently Multi Factor Authentication with number matching).

  • IdP offers at least the following attributes:

    • User ID

    • Name

    • Organization

    • Role

Requirements for Identification and Authentication service

  • Complies with Government Information Security Baseline (BIO)

  • ISO 27001 certified.

  • Complies with the General Data Protection Regulation (GDPR).

  • Can connect different IdPs and IdP federations.

  • Uses the OIDC protocol.

  • Complies with NEN standard 7518

Expected setup per user group

Different user groups of the Health-RI ecosystem use different identities in their daily lives. We would like to reuse these to give them access to Health-RI services and thus also to health data. To do this, we need to investigate whether these identities inspire sufficient trust and whether they may and can be used by Health-RI.

Researchers
The largest group of users consists of researchers and data specialists at research institutions. These institutions are often members of SURF and their employees can therefore use identity federation SURF Research Access Management (SRAM).

Healthcare workers
Health-RI is investigating whether healthcare workers will be able to access the ecosystem in the future via a recognized login method (for example Yivi) in combination with attributes from the DEZI register.

Innovators
Innovators and researchers at companies could gain access to the ecosystem via their company account and the organization's identity register (for example Azure AD). This requires that agreements are made per organization about authorizations.

Other user groups
For the following user groups, no existing identities have yet been established that can currently be reused by the Health-RI ecosystem:

  • Policymakers

  • Citizens and patients

The legislation surrounding the processing of BSN is currently still an obstacle to the use of DigiD as a login tool for citizens and patients. In the long term, Self-sovereign Identity (SSI) is a possible solution for citizens and patients. In this case, not an identity provider, but the person himself has the evidence in his pocket to authenticate the identity and perform authorization and can offer this to a service via an app. A potentially useful SSI is the announced European Identity Wallet.

 

User group

IdP

Login means

User group

IdP

Login means

Researchers at UMCs and knowledge institutions affiliated with SURF

Institute

Institutional account via SRAM

Researchers at top clinical and general hospitals

UZI register

Recognized WDO login means that do not process BSN (e.g. Yivi)

Companies

Company personnel administration

Company account via own AD (e.g.. Azure-AD)

Possible suppliers

IdPs

Authentication services

IdPs

Authentication services

UMC’s

SRAM (SURF)

Yivi (icm UZI )

SURF Conext (SURF)

Life Science ID

TVS (government)

GA4GH Passport

Keycloak

 

LifeScience AAI

 

 

Â