Conceptual Design and Analysis of a Mobile Digital Identity for eHealth Applications

As mobile technology continues to improve, more and more professional services are being offered as mobile apps. This paradigm shift also affects eHealth applications. Digital identities in nation-wide eHealth infrastructures are often realized via smart cards, which however, do not support mobile applications well. In this paper we propose a concept of a mobile eID for eHealth based on smartphones with embedded secure hardware, an mobile authenticator app and an account manager as well as an Identity Provider (IdP) as backend services. The practical applicability of the concept is shown using the example of the German eHealth infrastructure. Our method generates a cryptographic key pair in secure hardware on the user's smartphone, registers it on the IdP and uses it to authenticate on the IdP. The security of the private key and the integrity of the smartphone is also validated and attestated. The user's established smartcard-based identity "Electronic Health Card" (EHC) forms the trust anchor. To authenticate against specialist eHealth apps the IdP issues standard-compliant OAuth2.0/OIDC tokens with a limited period of validity. Furthermore, in our security analysis we demonstrate that based on specific security requirements for smartphones and operating systems, at least the eIDAS security level "substantial" related to the technical security aspects of the system can be achieved. On the basis of this research German legislation was adjusted and "digital identities" supplementary to the smartcard-based EHC will be issued from 2023 in the German eHealth infrastructure.