Medical information is extremely sensitive, and its misuse can have very serious consequences—both social and, in some cases, even life-threatening. This is why the legislation of the European Union and Bulgaria pays special attention to the protection of this type of information. In the spring of 2024, the European Parliament reached an agreement to create the European Health Data Space (EHDS), where special attention is given to data security and infrastructure.
According to Bulgarian legislation, there are two levels of information security for public services—"substantial“ and "high." Given the sensitivity of medical information, the required level of security for all health-related data of citizens is "high."
To provide access to personal health information, the system must identify the user. Various means of identification can be used for this purpose. These means are usually divided into three main groups:
- Something I know
- Something I possess
- Something I am
The first group, "something I know," includes identification means that rely on the user's knowledge, such as a password, PIN code, PIC from NRA, NSSI, etc. Knowledge can be shared, whether consciously or not. Over 80% of data leaks are carried out through stolen passwords. It is extremely easy to steal a password, PIN code, or PIC using social engineering methods (phishing) or similar techniques.
The second group, "something I possess," includes identification means that are user's property—mobile device, qualified certificate storage device (QES flash drive), bank card, hardware keys, security tokens, etc.
The third group, "something I am," includes means using biometrics, such as fingerprints, retina scanning, visual biometrics, DNA analysis, etc.
The use of any means from any of the three groups can be valid only if the system can obtain evidence that this means truly belongs to the specific user. For means from the first group, several different techniques are used to validate the identity. To obtain a password, the user goes through a registration process where they enter their personal data, which is verified with the help of public registers, email address confirmation, SMS to a mobile number, etc. To obtain a PIN or PIC, the user must visit a specific institution (bank, NRA, NSSI) and be identified with an ID document.
In the second group of identification means, a trusted certifier is needed to ensure that the device belongs to the user. Such a certifier for the mobile device is the organization that issued the cloud-based QES (qualified electronic signature), and for the qualified certificate storage device, it is the organization that issued the physical QES.
Through the means falling into the third group, using biometrics, the user of a given device can easily be confirmed as a physical person, but their civil identity cannot be verified. There are certifiers that guarantee identity based on biometrics, but so far they either have security flaws or rely on relatively expensive technologies such as retina scanning and blockchain token generation.
Using an identification means from any of the three groups alone provides a "substantial“ level of security. To achieve a "high" level, identification means from at least two of the three groups must be used.
This is the reason why, when analyzing different methods of identifying the person wishing to access information from their electronic health record, identification with QES was chosen. It uses an identification means from group 1 - PIN and an identification means from group 2 - mobile device or qualified certificate storage device, depending on whether the user uses a cloud-based or physical QES.
The possibility of accessing the electronic health record by pairing a mobile device by employees of RHI, RHIF, and IS does not change the level of security, as identification means from two of the groups are used - mobile device and PIN/biometrics.