Digital identities and ID wallets are becoming increasingly important, including at EU level. The German federal government is conducting a national consultation process on the technical, professional and legal requirements for an identity ecosystem with a wide range of stakeholders from business and research.
The healthcare sector is not at the center of the consultation process and the discussion about a digital identity ecosystem. However, there are already very relevant solutions in the healthcare sector that could serve as a guide. Verimi, together with T-Systems on behalf of BARMER Krankenkasse, has received the first approval from gematik for the Verimi Wallet-as-a-Service product as a sectoral identity provider in the sense of a health ID in Germany. The health ID is based on gematik’s specifications and meets the specification’s very high security standards. The healthcare sector shows that a cloud-based ID wallet and a very high level of trust are not a contradiction in terms: The Verimi Wallet-as-a-Service is approved at the gematik_LoA_high trust level! If the various players from politics and business work together on solutions, a digital identity ecosystem can be successfully and quickly established in Germany.
Here are selected key aspects that illustrate how the healthcare sector can provide a model for an ecosystem of secure digital identities in Germany:
1. High level of trust in the healthcare sector: By definition, an ID wallet in the healthcare sector must meet the very highest security standards. In collaboration with the BSI and BfDI, gematik has developed a specification for an app-based approach that meets these requirements. This shows that high security and user-friendliness can go hand in hand.
2. Self-sovereign identities (SSI): In the healthcare sector, it is important that the service provider does not have access to personal data. The principle of the provider’s profile prohibition ensures that control over the identity remains with the user.
3. Trustworthy execution environment: The operator exclusion specified in the gematik specifications means that a trustworthy execution environment (VAU) is used, both technically and organizationally, with the help of (a) user-specific encryption, (b) hardware security modules (HSM) and (c) edge computing, to prevent the operator of the ID wallet system from viewing user data or evaluating connection data.
4. Multiple identity attributes: In the context of eIDAS 2.0, additional attributes from authentic sources are relevant in addition to sovereign PID attributes. The health ID combines attributes from various sources, including the eID, health insurance information, email addresses and telephone numbers. The health ID therefore already shows how sovereign identity data from the ID card can be combined with decentralized identity sources from the healthcare sector.
5. Use of the eID online ID card and alternative identification methods: Initial identification can be carried out using the eID function of the ID card. However, it is also possible to use the electronic health card (eGK smart card) for authentication. In addition, local contact points, e.g. in the branches, can be used to store the identity in the ID wallet. For security reasons, the validity of the digital identity is limited to 24 hours or 6 months for most end devices available on the market, depending on the smartphone hardware installed; it can be extended through device binding and the active consent of the user.
6. Clearly defined authorization requirements: In the healthcare sector, the requirements and responsibilities for the ID wallet system are clearly defined. Based on gematik’s specifications, which were drawn up in agreement with the BSI and BfDI, trust and security can be achieved among users.
7. Central functions for trust management: The healthcare sector relies on established standards such as Hardware Security Modules (HSM) and OpenID4Federated Identities. A central element is the Federation Master, which monitors the approval of ID wallets and relying parties. This ensures the security and integrity of the system.
8. “IT made in Germany”: The IT infrastructure in the healthcare sector originates from Germany, which guarantees the sovereignty and security of digital identities.
Conclusion
The solution from T-Systems and Verimi offers BARMER’s health insurance policyholders a very convenient user experience with full transparency regarding the use of their identity data and maximum data security. The healthcare sector shows that an ecosystem of secure digital identities is possible. These experiences should serve as a basis for successfully establishing digital identities in Germany. They offer not only theoretical approaches, concepts or laboratory applications, but also proven practices from real-life operations. The real added value for society has been created and is already being proven!
The experiences from the healthcare sector may not represent the sole solution, but they do offer valuable insights into the implementation of digital identities. The practical experience of operators and users as well as user feedback could be incorporated into the discussion on the design of a digital identity ecosystem. Experience from the German healthcare sector could be incorporated into the development of eIDAS 2.0 in order to successfully establish digital identities in Germany. A possible model has been established – including it in the discussion can only provide positive impetus.