Stream: finnish PHR
Topic: Identifying the Patient
Mikael Rinnetmäki (Sep 24 2018 at 09:57):
To continue discussion from topic https://chat.fhir.org/#narrow/stream/50-finnish-PHR/subject/Available.20scopes/near/188781, how can the identity of the Patient be verified by the client app?
The PHR authorization guide (https://www.kanta.fi/documents/20143/91486/PHR+authorization.pdf/9fdb48d0-a6c8-0bc6-10ab-35495ca030b4) states in chapter 5: "user: Required for confidential clients that use strong authentication. Value of this parameter is application user’s social security number."
How is this supposed to work? Is it supposed that if the client has already performed strong authentication itself, there's no need to do it again during the authorization process; rather, the ID provided by the client app is trusted to be valid? Or is it a mechanism where the client has not strongly authenticated the user, but has asked the user to enter it, and expects it to be verified during strong authentication of the authorization process?
Mikael Rinnetmäki (Sep 24 2018 at 10:01):
There is a concern among application vendors over how they can identify the Kanta PHR user. If there's no way to check the identity of the person associated with a Kanta PHR account, apart from the uuid pseudonym, there is an immediate risk that one person's data is written to another person's Kanta PHR account. If the client apps could somehow identify the Kanta PHR account, they could mitigate this risk.
Pirjo Vuorikallas (Oct 02 2018 at 08:38):
Hi, for security reasons Kanta PHR can give only the user pseudonym to client software. The client software must itself take care of user identification. If there is strong authentication (for example suomi.fi) in the client software, it is possible to use SSO. We will specify the authentication flow and user identification in the next version of the authorization guide (will be published as soon as possible).
We are concerning giving user's name to client software. This needs discussions with the Population Register Centre (VRK). This would affect the Kanta PHR authentication flow and may need consent from the user.
We can discuss this topic at next Tuesday's meeting if there is time (http://www.hl7.fi/sig-toiminta/personal-health-sig/omatietovarannon-tukiprojekti/).
Mikael Rinnetmäki (Oct 03 2018 at 03:29):
Excellent, thanks!
Mikael Rinnetmäki (Mar 13 2019 at 13:45):
As mentioned in today's call, I don't see the need to match the social security number with the pseudonym in the case where a strong authentication has already been performed. In this case, it would be much more important to guarantee the single sign on (consider the case where the app is not offered by a public sector participant and is using Vetuma, for instance). Then the application can already have a guarantee on the connection between the SSN (that it obtains) and the pseudonym.
Mikael Rinnetmäki (Mar 13 2019 at 13:46):
The requirement to somehow identify the person the pseudonym is tied to, at least on some level, is still valid for apps not using strong authentication. The name would not be a perfect solution, but it would help.
Mikael Rinnetmäki (Mar 13 2019 at 13:49):
There is another use case for the name as well. In use cases where the registration process involves connection to Kanta PHR, or is initiated with that connection, getting the name from the platform would help streamline the signup - the app would not then need to ask for the name separately. Or if it still asks for the name, it could prepopulate the form fields.
Mikael Rinnetmäki (Mar 13 2019 at 13:50):
Finally, this would also apply in cases where the app itself does not store the name information, but still wants to greet the citizen.
Anna Korpela (Mar 14 2019 at 11:29):
Thanks @Mikael Rinnetmäki for your input, we'll get back to this after we've thought this over on our side!
Anna Korpela (Mar 14 2019 at 11:30):
If there's anyone else having needs or ideas related to this, please voice your thoughts here
Juha Leppänen (Mar 18 2019 at 13:40):
In our application Kasvuseula (kasvuseula.fi) the parent manages measurements of one to many of his/her children. Considering that the underage children's Omakanta is managed by the parent(s), it would be helpful to check that the given name of the child is the same in Kasvuseula and Omakanta when the connection to Omakanta is made. The checking is only informal, not preventing the connection, but it is good customer service.
Anna Korpela (Mar 22 2019 at 12:42):
Thanks for your input! We'll definitely take this into consideration when we start designing the solution for acting on someone's behalf in Kanta PHR.
Last updated: Apr 12 2022 at 19:14 UTC