With recent legislative developments and the PGSSI-S framework set notably by the ASIP Santé organisation, hospital centres have to implement a General Policy for the security of their Information Systems.
Indeed, the establishment can be held legally liable for breaches in the processing and handling of medical data (patients’ rights law of 4th March 2002).
Moreover, a growing number of establishments pool their equipment and exchange sensitive data about their patients. Practical issues then rapidly arise: how to ensure the confidentiality of exchanges, and how to restrict access by hospital centre users who might be tempted to look up sensitive patient information without authorisation…
To secure a hospital IT system, strong authentication must be implemented with a CPS smart card (Healthcare Professionals Card) or an establishment badge.
As a reminder, strong authentication (two-factor authentication) combines a physical device (the user’s card) with information known to the user (the card’s PIN code).
The PGSSI policy defines 3 security levels for healthcare establishments, according to the practices to be implemented. Strong authentication is based on the CPS card, which is distributed by the ASIP organisation. It contains a certificate bearing the professional’s national identifier. It is one of the most widely used authentication means: it enables verification of the card holder’s identity and supports authentication to medical applications and to the hospital IT system.
The CPS card offers multiple advantages:
- It embeds ASIP Santé certificates for strong authentication: there is no need to run a PKI internally.
- CPS cards are issued and renewed by ASIP Santé.
- Devices are free.
- The CPS card allows public authentication to be performed outside of the hospital IT system.
- And above all, CPS v3 cards embed a contactless chip and are thus multiservice cards!
This type of device makes it possible to centralise all of the services offered by the establishment on a single card. No more badges dedicated to a single use: access to the establishment’s restaurant, car park or premises, authentication to the hospital IT system…
This “multiservice” device is readily adopted by hospital staff: people use it for their daily needs, which considerably reduces cases of forgotten or lost badges.
A single sign-on (SSO) solution is the ideal complement to strong authentication. It helps turn regulatory constraints into real assets. The card is perceived as a real improvement in everyday convenience, as operations on the various medical applications are made easier by the automatic injection of the connected user’s login/password pairs. Locking and unlocking the workstation is simpler and faster, as users only have to present their card to open a work session or return to it.
Hospital staff are more efficient, save time and can therefore concentrate on more important tasks, to the patient’s benefit.
The hospital IT system reinforces traceability and anticipates future needs for pooling or sharing applications, specifically with the support of identity federation. Take for example a professional wishing to access a service on a regional healthcare portal: federation can be set up between this portal and the user’s establishment so that the user does not have to re-authenticate to the portal, which requires strong authentication. The federation uses standard protocols such as SAML or Interops to exchange the user’s identity securely.
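As an added illustration of the check a federated portal has to perform (example code, not from the original article or from any organisation it names): because the portal itself requires strong authentication, it must verify that the SAML assertion relayed by the establishment actually asserts a smart-card authentication context, is addressed to the portal and is still valid, before it skips its own login. The entity IDs, identifier and assertion below are constructed; XML signature validation is assumed to be done by the SAML library beforehand.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PORTAL_ENTITY_ID = "https://portal.example.invalid/sp"  # constructed SP entity ID
# AuthnContext classes the portal accepts as strong (card + PIN) authentication
STRONG_CONTEXTS = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard",
}

def _ts(value):
    # SAML timestamps are UTC with a trailing 'Z'
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_assertion(xml_text, now):
    """Return (accepted, reason). XML signature validation is assumed to have
    been done by the SAML library before this content check runs."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element"
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if PORTAL_ENTITY_ID not in audiences:
        return False, "assertion not addressed to this portal"
    ref = root.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if ref is None or ref.text not in STRONG_CONTEXTS:
        return False, "authentication level too weak"  # e.g. password-only at the IdP
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return True, f"accepted identity {name_id}"

def sample_assertion(context):
    # Constructed assertion for demonstration, not a real ASIP/CPS artefact
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_1" Version="2.0" IssueInstant="2024-01-01T10:00:00Z">
  <saml:Issuer>https://idp.hospital.example.invalid</saml:Issuer>
  <saml:Subject><saml:NameID>1234567890</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{PORTAL_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T10:00:00Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>{context}</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

NOW = datetime(2024, 1, 1, 10, 2, tzinfo=timezone.utc)  # constructed "current time"
if __name__ == "__main__":
    for ctx in ("urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI", "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"):
        print(check_assertion(sample_assertion(ctx), NOW))
```

A password-only context from the establishment's identity provider is refused even though the identity itself is valid, which is exactly the case federation must not silently accept when the portal mandates strong authentication.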
To meet these challenges, each establishment must therefore be proactive in securing its hospital IT system and focus on the following key points:
- Conduct an audit to find out what the hospital IT system lacks in terms of access control and traceability, based on the guidelines set by ASIP Santé.
- Implement a strong authentication solution using a smart card (CPS card or establishment badge).
- Use an access control and single sign-on (SSO) system to enhance traceability and address all password issues related to applications.
Such security measures will also bring more comfort and ergonomics to hospital workers who use multiple medical applications daily: they will only have to remember one PIN code instead of numerous passwords… And they will be grateful to you.