I recently stumbled on a possibility offered by my pharmacy to get online access to my medication dossier (access to previously prescribed medication, functionality for repeat prescriptions). My pharmacy is part of a larger franchise chain in the Netherlands, and this Digital Medication Dossier is offered for all member pharmacies. In itself I think offering this online access is a good idea: I want to have easy access to medical information about me, including my medication… Also, because national initiatives are going quite slowly, I appreciate innovation by individual healthcare providers. So I went to try it out. Of course, I was especially focused on how they handled the identity/authentication/privacy aspects.
At a high level they seem to have things under control. They use two-factor authentication (username/password and an SMS one-time password), combined with a face-2-face check where I had to show my passport (or ID card or driver's license). This is roughly the same as is proposed for patient access to the national health record (at least, until eavesdropping on SMS messages becomes too easy).
There are however three major concerns that I want to discuss.
Re-use of identities. I have to create a separate identity just for this service. I will of course forget my password, have to remember to register a new phone number should this change, have to go there to show my passport etc. I want to re-use a previously established identity! As far as I can see there is no reason why they couldn’t use the Dutch national citizen-to-government identity solution DigiD level 2, possibly supplemented with a face-2-face check by themselves (this is lacking in current DigiD level 2, but is expected to be added for access to the national health record).
Sidenote: earlier this year NICTIZ asked me to write a whitepaper on how to deal with online identity for consumers/patients. It is available on their website (in Dutch, titled “e-identity: zorgeloze identificatie van zorgconsumenten”). I advocated the re-use of existing identities, including usage of DigiD (at an appropriate level of assurance). It is targeted at non-identity experts, such as policy makers in healthcare and people working for health providers that want to deploy e-health services. Related to this, an article in the Dutch ICT Zorg magazine has some interesting quotes on using DigiD for health services.
Reset of password by email: Another point is that when someone forgets their password, a new password is sent by email. This password is thus sent unencrypted (and it is only 4 characters long). Not a good idea I think. What I consider worse than it being unencrypted is the risk this poses for people who lose their smartphone. If someone else has access to your smartphone, it typically means that the thief/finder has access not only to SMS messages but also to email, since smartphones are typically set up to receive email without requiring the user to provide a password. With the increasing penetration of smartphones (about 1 out of 5 people in NL and increasing) this is significant. Or put differently: I do NOT consider access to email and SMS as separate factors anymore.
HTTPS inside a frame: the privacy- and security-sensitive information is, I think, sent over an HTTPS connection. I checked this for one of the pages where this is the case, and assume they did this for all other pages as well. This is however basically hidden from the user, since the service runs inside an iframe on a webpage that uses HTTP. The address bar therefore does not say "https", and there is no "padlock" next to the address bar to click on to check the certificate. It is therefore not transparent to users whether HTTPS is used, nor can they verify with whom the secure connection is set up. Even if lots of users won't be aware, empowering users to check these things is the least we can do. In addition, the webpage displays a padlock icon inside the page that, when you hover over it, says that SSL is used. This is training users the opposite of what we should train them. Phishers and other cybercriminals will be grateful.
My guess is that my pharmacy does it like this because the Digital Medication Dossier is actually offered through another company (Pharmeon), and offering it inside a frame is an easy way to integrate the Digital Medication Dossier into the website of the pharmacy. This is however not nearly a justification IMHO.
My first two concerns especially could be addressed if they simply used a high-trust government (DigiD level 2+) or non-government federated identity solution. High-security non-government identity solutions for consumers are not yet available in the Netherlands, but we're working on this in the cidSafe project.
UPDATE: updated the deep link URL to the Nictiz whitepaper on 12 January 2011
UPDATE: and again on 26 May 2011