Author: Kurt Rindle

Understanding Identity Providers in the Telematics Infrastructure 2.0: What Healthcare Insurers Need to Know

As part of Telematics Infrastructure 2.0 (TI 2.0), statutory and private health insurance companies in Germany will be obliged to offer an Identity Provider (IDP) starting 1 January 2024. With the help of these IDPs, insured persons will receive a digital identity that enables them to authenticate themselves securely and reliably for digital applications in the TI. This allows them to conveniently and securely access services such as the electronic patient file (ePA) or the app for e-prescriptions and use electronic signatures.

The telematics infrastructure (TI) plays a vital role in the digitalization of the healthcare system in Germany. It enables the standardized, secure, and structured exchange of healthcare data between the various players in the system, including doctors, hospitals, pharmacies, and patients, and lets them communicate and network with each other. Innovative digital applications such as the electronic patient file (ePA) or the app for e-prescriptions build on this exchange and make patient care faster and more efficient.

Access to these TI services was previously provided via the electronic health card (eGK) for patients, the health professional card (e-HBA) for doctors, and the HSMC-B card for service providers; this card-based access has been established in the TI since 2022. With the publication of gematik's new strategy for Telematics Infrastructure 2.0 (TI 2.0), the transformation from a closed industry network to an open zero-trust framework is now beginning. Zero trust in the TI means that participants do not automatically trust each other. Instead, the trustworthiness of each user is checked consistently: it is verified digitally whenever the user wants to access a TI service, and that basis of trust expires as soon as the access is complete. This opens the door to using digital health applications as part of a more comprehensive European healthcare system, in which proven technologies and interoperability standards are combined in a harmonized public key infrastructure.

A central pillar of the new TI 2.0 is the authentication of insured persons via a digital identity to gain secure access to digital applications. Identity providers are specialized service providers that manage digital identities and verify a user's identity online. As a result, statutory health insurance funds and private health insurers that have joined gematik are now obliged to offer their policyholders such an IDP by 1 January 2024 and have it approved by gematik.

In this blog post, you can find out what health insurance companies should know about identity providers and how they can benefit from digital identities in TI 2.0.

What are digital identities and identity providers?

Digital identities in healthcare refer to the online identity of a person or an organization. They consist of information and attributes such as name, date of birth, health insurance number, and other identification and security features that can be assigned to the person or organization. In TI 2.0, they will be used as an alternative to the health card and provide insured persons with secure, cardless access to all digital applications, protected resources, and health insurance services within the digital healthcare system.

An identity provider (IDP) is a service provider that creates and manages digital identities for insured persons and provides authentication services on behalf of the health insurance company. The identities issued by IDPs are based on OpenID Connect, an internationally established standard for token-based access. This allows insured persons to access TI 2.0 services effortlessly and without re-authentication after initial registration.

How do I obtain such a digital identity?

To obtain such a digital identity, the insured person must complete a one-off registration process in the app provided by the health insurance company. During this process, the insured person must be uniquely identified. Several identification options are currently available, such as the online ID function of the electronic ID card, the electronic health card (eGK) with the PIN issued by the health insurance fund, or an on-site identification procedure, for example, via POSTIDENT at a post office or insurance branch. To protect the issued digital identity against misuse, the IDP must provide 2-factor authentication that meets the SCAL-2 standard as per ETSI.

Advantages of using an IDP for health insurance companies

Deploying an IDP offers numerous benefits for health insurers, including secure authentication, simplified login processes, optimized interoperability, and the ability to integrate innovative technologies. By managing digital identities, health insurers can ensure that only authorized individuals and policyholders can securely authenticate themselves to access their services. This protects policyholders' personal information, particularly in the healthcare sector, where sensitive medical data is processed.

In addition, because the IDP is connected via the OpenID Connect standard, it offers a fast and seamless connection to the digital healthcare applications of TI 2.0. This means that no separate login processes requiring special hardware, e.g., card readers, need to be implemented for insured persons. When logging in, the system automatically uses registered identities that have already been confirmed, so the insured person does not have to re-enter their login details each time. These registered identities can also be used for other applications in the future, such as digital proof of insurance or registration for qualified electronic signatures. This improves user-friendliness, saves the insured valuable time, and offers a legally secure conclusion to various healthcare transactions.

The IDP also improves interoperability between different digital applications and systems. With a standardized identity management system, health insurance companies can facilitate communication and data exchange with other players in the healthcare sector. This eases collaboration and the exchange of information, which ultimately leads to improved patient care.

In addition to these benefits, an identity provider also makes it possible to integrate other innovative technologies. For example, biometric or password-less authentication methods such as facial recognition technologies or passkeys could improve digital identity security and protect against theft.

By implementing an IDP, health insurance companies can offer their policyholders modern and secure access to digital health applications while improving the efficiency and quality of patient care.

The challenges of connecting an identity provider

Health insurance companies face several hurdles when choosing and deploying an identity provider. One of the main tasks of an IDP is to ensure the security of digital identities and protect them from unauthorized access and misuse. In this context, health insurers' IT managers should regularly check whether the security measures implemented by IDPs are robust and comply with the latest regulatory and technological standards. Health insurance companies must plan the necessary resources and build the corresponding expertise. This is the only way they can gain the trust of their policyholders and enable the secure use of digital identities.

Another complex task is the integration of the IDP into the health insurance companies' existing IT systems. When selecting the IDP, it must be ensured that the interfaces are based on standardized OpenID Connect and work smoothly with the digital systems and applications. By carefully analyzing the existing infrastructure and working closely with the provider on planning and implementation, an IDP can be successfully implemented without any interruptions or problems.

If the IDP becomes unavailable, or the health insurance companies themselves run into technical difficulties, the applications and systems that rely on it to authenticate insured persons can no longer be reached. This can cause considerable disruption and impair the use of digital identities. There is a high risk that insured persons will be cut off from many digital applications, such as e-prescriptions or their electronic patient files, especially because users repeatedly log in to different services in the TI. Therefore, health insurance companies should choose an IDP provider that can guarantee high availability and reliability and that offers a wide range of authentication methods, so that insured persons can still reach their sensitive health and insurance data via a fallback solution.

With the proper measures and expertise, the challenges can be successfully overcome so that the benefits of an IDP can be fully realized.

Is Swisscom Trust Services the right partner to provide a suitable identity provider?

Yes. Swisscom Trust Services is an accredited trust service provider and the only one in Europe to offer qualified electronic signatures and seals under both the EU eIDAS Regulation and the Swiss ZertES law, covering the jurisdictions of the EU and Switzerland. It uses the best online identification services on the market (including eID-Ident) for the one-off registration of the signature, and it offers numerous authentication solutions (IDPs) as signature approval methods via a broker. At the same time, health insurance companies, pharmacies, and other healthcare organizations can bring in their existing applications as independent IDPs, use them as a release solution for the electronic signature, and provide access to TI services. This enables all active parties in the digital healthcare system to sign various documents, e.g., e-prescriptions, referrals, medical certificates, and consents, in a legally secure and digital manner. That saves enormous costs, increases efficiency when exchanging documents in the TI, and improves the quality of patient care.