In plain language, why imposing mere multi-factor authentication will not make communication in healthcare any more secure
One of those guidelines is that transferring health data should be done in a secure and safe way and will require precautionary measures. The Belgian General Medical Council stipulates that health data can only be transferred via digital means insofar those means are equipped with multi-factor authentication. The physician should not send health data through insecure email, not even when the patient would ask for this.
When we compare this specific guideline to the one elaborated by the British General Medical Council (GMC), we see that the latter puts much more emphasis on putting the patient in the centre. “Wherever possible, you should communicate with patients in a format that suits them. For example, electronic communications – such as email or text messaging – can be convenient and can support effective communication between doctors and patients, with appropriate safeguards.”
The approach suggested by the Belgian General Medical Council is not only not very patient-oriented but it is also technically flawed.
What is insecure email?
What exactly should be understood by “insecure email” is anything but clear. The Belgian General Medical Council does not elaborate on this aspect.
Does this mean that the access to the mail box of the sender and/or receiver of the digital communication should be secure? Does it mean that the message itself should be end-to-end encrypted? The latter means that, when the message would be intercepted, the message cannot be read without a key to decipher the code. And how well should the message be encrypted?
The Belgian GMC seems to require certain authentication measures only.
What is authentication?
In plain language, it means that you can rightfully assume that the person who is accessing a system is who he/she claims to be. In the case of email, proper authentication ensures that only the rightful owner is accessing a mailbox. Hence you can be assured that only the intended receiver is reading that email.
The most simple form of authentication is a username and password. If not wisely chosen, for instance something very obvious like your name, it takes no effort for a hacker to guess it and get access to your mailbox. Adding a 1 and exclamation mark to your name doesn’t make your password stronger. So password authentication relies on some basic rules to choose an appropriate password. Using signs other than alphanumeric signs are an added value, but in the context of a password it is definitely true that: size does matter.
On the other hand, creating too difficult passwords, for example dVCXllFgR0eUB8M7AmOnqw, does not make sense either as it is extremely hard to remember. Of course, you could use password managers like Keepass, but this requires a lot of self-discipline. Writing the password down on a post-it and stick it to the computer screen or the back of the keyboard obviously isn’t any better. Yet, it still happens all too often.
In other words, in case of authentication by the mere combination of username and password, the security of the system heavily depends on the individual.
No matter how strong your password, someone could just get lucky and guess your ‘difficult’ password, because it is just something you have to know. To get a higher level of security one can switch to multi-factor authentication. Multi-factor authentication relies on at least two of three factors, which can be divided into three categories:
- Know. E.g., you have a password or pin code which only you (should) know.
- Have. E.g., you have a token which you receive.
- Are. E.g., you have a fingerprint (or other biometric data) which gives you access to a device or application.
Multi-factor authentication combines factors from distinguished categories. A good example is online banking. You will have to input your client key and/or password (know), after which you will have to scan a QR code with a smartphone app on your device (have).
How should you apply multi-factor authentication concretely?
Again, this is not discussed by the Belgian General Medical Council.
First question is: how often should you authenticate yourself? For access to health data we would recommend at least the same security level as for an online banking environment. This means that the session which a user, e.g. physician or patient, is logged into, will expire after a certain time of inactivity. For the patient, this may well work. To what extent this is adequate for the physician as well, is yet to be determined. For the physician, it may be experienced as something very annoying when you’d have to log in a zillion times a day.
A second question is: in what digital context do you apply multi-factor authentication? You can apply two-factor authentication to your Hotmail, Outlook, Gmail account. But does adding two-factor authentication in this environment make your communication any more secure? Just a little. It will keep people from accessing your mail box. And that’s about it.
On the other hand, anyone on this planet can create the Gmail account email@example.com, or perhaps that one’s taken and then one can just take firstname.lastname@example.org. Just to say that sending an email from one of these email accounts, doesn’t mean that the sender actually is Stephen Fry. Yet, the one accessing the mailbox relating to the email account, applies multi-factor authentication. Accordingly, in itself multi-factor authentication does not make the communication one bit more secure.
Authentication-wise you may be safe. But have you verified whether the door is closed?
Authentication is not even half of the story
For this section, let’s assume now that the condition of authentication is fully met. We don’t have to worry about this.
Imagine you are talking with a patient in your practice. The patient knows you are his/her physician, and you know that he/she is your patient. Authentication-wise we’re safe.
But is your communication secure?
Possibly. Possibly not.
Have you established that the door is closed? Are you absolutely sure that the walls and door keep from other patients in the waiting room overhearing the communication? Perhaps you secured all that, but it’s a hot day, and you opened up a window. And so on.
It’s the exact same thing with digital communication. Authentication in itself is just not sufficient. You’d have to be very sure that the room is concealed. And if there would be a crack in it, you’d have to make sure that the person overhearing your communication does not understand a word of it.
Making sure you’re communicating in a hermetically concealed digital room is done by SSL/TLS certificates. How do you know this? From the https in the URL of the website and from the closed or green lock icon in your browser (see figure). SSL and TLS certificates secure the communication on a website, meaning no one besides you can get access to it.
Concrete and easy measures to make your digital communication more secure
All too often physicians and other healthcare providers use a Hotmail, Outlook or Gmail account. Stop doing that. Get your own domain name, create security certificates and your communication even by email will already be a lot more secure.
Let’s say you’re sending a letter to a patient. What would you do to assure your patient that it is actually you who is sending the letter? Right, you would sign the letter. It’s the same with email. You can sign email digitally by using certificates.
When using instant messaging apps, make sure that they are end-to-end encrypted. Even when the message is intercepted, only the sender and the intended receiver can read and understand the message. An example of an end-to-end encrypted messaging apps is Whatsapp (www.whatsapp.com).
 https://www.ordomedic.be/nl/adviezen/advies/leidraad-voor-de-artsen-inzake-de-algemene-verordening-gegevensbescherming, available in Dutch and French.
 Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, Pb. L. 119, 1.
 https://www.gmc-uk.org/ethical-guidance/ethical-guidance-for-doctors/confidentiality, see paragraph 132.
 SSL stands for Secure Sockets Layer.
 TLS stands for Transport Layer Security.