Healthcare IT

Here are the use cases we gathered from our interviews.

Use case : patient entry (hospital or clinic IT)

Within that panel, hospital practitioners provided important inputs on the mandatory requirements. They don't really care about cybersecurity in itself, but what they declared they absolutely need is a way to work with patients is:

• a basic IT system : the minimum requirement is the ability to a) check if the patient already has a file inside the healthcare organization and b) follow-up entrance. A post processing to consolidate patient files can be done later. If a full patient record system is provided, it needs to provide high integrity data.

• Biomedical equipments used by medical teams are critical.

Note: in emergency situations, it may be impossible to get a confirmed identity. A new file can then be opened, possibly requiring a merge of identities at a later stage in case the same patient is registered several times. This use case is already manageable using available technologies (ex: doctolib in France), but we still include it here due to its specificity to the healthcare sector.

Use case : delegation within healthcare teams (hospital or clinic IT)

1. A credentialed doctor (Dr. Bob) uses a secure wallet (capable of a non-repudiable signature) to make a request (relying party credentials, scope of resource server access, purpose of access) to patient Alice's authorization server;

2. The AS responds with a scoped capability and holds Bob accountable for its invocation;

3. Dr. Bob passes that capability to his employer institution or to another healthcare partner. Dr. Bob may attenuate the capability before or after it is passed to the system;

4. Another physician in the team, Dr. Carol, signs-in to the employer system and clicks on the capability associated with Alice;

5. The client (e.g. a mobile application) used by the healthcare team (Dr. Bob or Dr. Carol) presents the capability to the protected information and gains scoped accesses to the resource. Organizational policies would likely require an audit trail that includes the doctors’ credentials and/or the root of trust of a software statement presented by the client to ensure its authenticity.

This use case can't be managed using OAuth2 and JWT, which don't allow further delegation.

Protecting medical data records can be done using a variety of technologies. We interviewed German's startup chino.io on their solutions to comply with GDPR and HIPAA.

Use case : medical value chain (beyond the hospital)

Care doesn't stop at the hospital. For instance, ambulatory care can benefit from a follow-up:

SMS follow-up on pain after a surgery (source: Calmedica)

Another need is confidential computing between distinct entities. The most basic requirement is to check whether a medical record exists, without loss of confidentiality. A more advanced requirement is the ability to compute insights without revealing patient data to the other party.

Use case : healthcare practitioners (beyond the hospital)

Innovations are gradually introduced, for instance by providing a mobile application to prove identities of health professionals.

An experimentation is currently made in France with GIE SESAM vitale. Beyond identity, it may provide also simpler ways to get payments:

• read patient information (vitale card or mobile app, DMP medical record)

• create an electronic care sheet including all the procedures performed

• upload the electronic care sheet (FSE in French)

• record the patient's payment and the payment method

• integrate with social security's IT systems (NOEMIE), to enable reimbursements - this may be optional for liberal surgeons

Such a system can be of interest of e-health companies (we interviewed https://www.follow.fr for instance). This use case can't be managed without a dedicated hardware, and legacy solutions are mostly locally installed on the professional's computer (ex pyx), which makes integration into other software solutions really complex. A noticeable exception is stellair.