Download our factsheet "epSOS - Technical Aspects"! To access other epSOS documents and print materials, please visit the Download Area.

Identification and Authentication

In general, “Identity Management” (according to ISO/IEC CD 24760) relates to the issuance, administration, and use of identities of entities, known in a particular domain of applicability.

“Identity Management” is a crucial element of networked systems, in which users and their functions must be identified and secured. This applies particularly to the epSOS LSP, in which a patient and  a health professional (health professional) build up a trust-based relationship. It is crucial to assure that medical care is properly executed using trustworthy information by relying on personal and corresponding health data. Identification is a vital element of the epSOS LSP.

Verification of the identity of persons is one of the basic requirements for access to person related health data on a regional, national and multinational level in the European context. Similar to other requirements (e.g. data protection legislation, security, trust, reimbursement), person identification has an exponential complexity on a bi- or multilateral level. In a cross-border setting, proper person identification has to be verified both on a national and a multinational level, before accessing any individual health data.
Identification and authentication are essential to verify the identity of patients and health professionals as well as documents and other criteria involved in the healthcare process. Identification clarifies if the provided information is sufficient to determine recognition of the entity’s identity, but does not address its validity.

In the epSOS LSP, the identity of a patient must be proven (validated) in her/his country of affiliation, even if this process is initiated abroad. This process is similar to the one described in the STORK project.
health professional identification must be carried out in the country of her/his registration, usually  with the  help of the health professional-Registry/Repository (Database). A similar process will be established by the HPRO project.

Authentication describes the process of establishing an acceptable level of assurance that a claimed identity is genuine.

Authorisation is an integral part of access control. In general, authorisation involves the process of approving or disapproving that an identified entity (person, system or process) may be granted access to specified resources. In the epSOS LSP environment, authorisation provides information for  access control mechanisms, controlling the entity’s access to patient health data or other sensitive data. Access to patients’ data in the epSOS LSP is governed by the epSOS LSP Access Control Policy, based on the need-to-know principle. Active entities (actors) of the epSOS LSP are categorised with respect to their tasks and positions in the epSOS LSP environment; standardized sets of privileges are assigned to each category (role).

The epSOS LSP will use parts of a Policy-Based Access Control (PBAC) mechanism for decisions that are not only based on roles, but also on attributes (e.g. “Purpose of use”, “Locality”) as well as other modified restrictions following from patient consent.