January 10, 2023

Digital healthcare: safety vs ease of use?

A choice between security & usability? How factors influence security and usability in digital healthcare

Digitalizing the healthcare system is an essential step to meet current challenges such as staff shortages, cost pressure and sustainability. Digitally mapped processes and data offer space for new diagnostic and treatment options as part of personalized medicine and also facilitate communication between internal and external actors within the healthcare sector. Individual patients themselves are also given greater influence to manage their own health through various apps and freely available information on the Internet.

The advantages of a modern, digital healthcare system are decisive and undisputed, yet the progressive digitization of processes and data also creates a larger attack surface for cyber attacks. This is particularly critical given the highly sensitive data processed in healthcare. It is therefore clear that digitization must always go hand in hand with a strong cybersecurity strategy. As part of this, a wide variety of measures are taken, such as specifically training employees, protecting everyday working processes and applications with passwords and, ideally, multi-factor authentication, and granting access only to authorized persons. However, in an already overburdened healthcare system, which must be able to act very quickly at decisive moments, these important and meaningful measures often fail due to usability. The reason is that daily work usually requires not one login but several time-consuming logins, across a variety of applications and for personnel with various authorization levels. But does good security always have to go hand in hand with poor usability? Or is there another way, and how do the two factors influence each other?

The relevance of usability & security in the context of digital health products

The first user experience with a digital application in the healthcare sector is often the registration and account setup process and the subsequent login. If inadequate usability already complicates the process at this point, the negative user experience leaves a poorer overall impression of the product and, for example, discourages patients from using the health app gladly and conscientiously.

The same applies to the processes required on a daily basis in a professional context. Here, employees are given access with unique, secure passwords for every application in order to prevent unauthorized access to patients' sensitive test results. However, a variety of separate applications are in use, each requiring a different password.

When a security feature is difficult or cumbersome to understand or use, the poor user experience tempts users to avoid these complicated steps. With multiple, simple passwords or shared access, they create a severe security vulnerability. The effectiveness of a security measure therefore always depends on usability: "If it's not usable, it's not secure" (Jared Spool). Conversely, this insight means that the two elements must be considered together from the outset. In practice, this process is referred to as security by design: security aspects must be included in the development process from the start, and all relevant stakeholders (IT, data protection professionals, DevSecOps) must be involved throughout the course of the project.

The basic development process for a secure & user-friendly solution

From a user experience (UX) design perspective, this process starts with the basics of good software design, which also applies to security measures:

  • Availability: Access is always available when needed.
  • Robustness: Use is possible without disruptions, data loss and transmission errors.
  • Fault tolerance: The ability to correct data if entries are incorrect.
  • Comprehensibility: Clear, explanatory language of notifications and error messages.
  • Accessibility: Accessibility for a wide range of target groups.
  • Reliability: Consistency in user guidance in the form of platform-specific style guides.
  • Confidentiality: Protecting sensitive data from unauthorized access.

In addition, the required level of security should be defined in advance. Among other things, this covers which level of authentication is required at which point, which data is collected, how many backups are necessary and where they are stored. In order to incorporate all relevant factors into the design process, UX designers have various toolsets available, such as user journey mapping, personas and even antipersonas. With the help of an antipersona, for example, the threat situation can be assessed in advance and the necessary countermeasures can be prioritized. Wireframes and prototypes help to implement them as clearly as possible.

Usable security for digital health applications in practice

For an application to be considered useful by both healthcare workers and patients for specified standard topics such as documentation, the above requirements must be implemented. Certifications are one way to communicate that this level has been achieved and to create trust. In the healthcare sector, there are no uniform, industry-specific seals like Trusted Shops in the e-commerce sector, but there are standards such as the ISO standard for information security management and the IEC standard for usability of medical devices. In addition, the BfArM, for example, certifies apps if they meet the BSI security requirements. These include a protection requirements analysis with regard to the basic values of information security (confidentiality, integrity and availability), encryption of data, password requirements such as minimum length and error counter, two- or multi-factor authentication, and administration and transparency about protected access.

These requirements regarding password and authentication policies as well as access restrictions are the same ones that, as mentioned at the beginning, are specified as measures of the cybersecurity strategy in the healthcare sector. To avoid the challenges described, such as complexity and lack of usability, an identity and access management (IAM) solution helps. Here, features such as transparent user and access management and password guidelines with integrated multi-factor authentication are combined in one solution and then delivered securely and in a user-friendly manner as a single sign-on (single login) instead of complex multiple logins.

IAM solutions as a standard for a functioning digital healthcare system

The relevance of such a solution is best illustrated using the example of health insurance. Here, specialists and customers must log on and authenticate internally on several systems and externally on the customer platform. Single sign-on, which only allows access for authorized persons defined in advance in the IAM, requires only one login with a password instead of 5 different passwords. The time savings are enormous, and password policies can be used both to control the strength of the password and to avoid account sharing due to lack of access or lack of time. With regard to customer logins, there is clear transparency about authentications and reporting data.

In order to increase security beyond password guidelines and regulated access, it should be possible to set up multi-factor authentication for all employees via the IAM solution, if required. Instead of just a username and password, logins are secured with additional factors. How strong the additional factor is depends on the chosen method. It is recommended to use an IAM solution with various integrated MFA methods, ranging from a one-time password (OTP) via e-mail, SMS or app to hardware security keys or biometric data such as FaceID or TouchID, so that the appropriate method can be selected according to the level of security the healthcare facility requires. But usability is also a decisive factor here: only if administrators can operate the IAM solution reliably and without errors can employee access be quickly created or deleted and security procedures adjusted.

The right IAM solution for healthcare: Bare.ID

There are various solutions on the market, from complex proprietary software to innovative cloud solutions. However, since running a solution yourself or even using an on-premises solution involves enormous effort for development, operation and maintenance and often fails in practice due to a lack of resources (capital & know-how), it is recommended to use a SaaS solution for the healthcare sector. Our cloud IAM solution Bare.ID enables access at any time and from anywhere, without the resource-consuming factors described. Bare.ID is essentially based on the well-known, established open source IAM framework Keycloak and has extended it with numerous features. In contrast to other leading US IAM SaaS providers, the solution is hosted, operated and developed exclusively in and from Germany, is subject exclusively to German jurisdiction at all times and thus implements digital sovereignty and also meets the highest compliance guidelines. Bare.ID can therefore be used carefree and in compliance with GDPR even in heavily regulated healthcare. Bare.ID solves the usability challenges with a user-friendly, easy-to-use interface that clearly presents all necessary features and makes them easily accessible. This allows secure access to be assigned quickly to every user of a system and password sharing to be avoided.

By using Bare.ID as an IAM solution and a user-friendly login interface, software applications for the healthcare sector can meet both security and usability factors.
