User-centric and secure electronic authentication for digital health services: a case study for Brazil

Digital transformation of the health domain is in the spotlight of the digitalization of public services across the globe. In line with Brazil's digital agenda (ICP Brazil), digitalization has accelerated in Brazil in the recent past. An eID, or digital ID, is a recognized and trusted means of identifying a person who seeks public services through digital channels. ICP Brazil lists several eID solutions in use, at different levels of maturity, security and usability. The health sector, however, requires an eID service with a comparatively higher level of security and privacy than eIDs used for other public services, because of the sensitivity of health data and processes. This raises the question of how adequate the current eID solutions are for health service provision, specifically for patients. The current body of knowledge lacks the evidence for a concrete answer to this question, so a thorough analysis of the current eID solutions is needed. This study is such an attempt: it systematically analyses the technical viability and the issues and opportunities of the available eID services. The outcome is a proposed way forward for an eID solution suitable for the digital health domain in Brazil. It furthermore shows the need for a cloud-based, federated wallet solution instead of eIDs built around individual trust certificates. The next step of this work is to define the concrete requirements for a complete eID system for the health domain.


INTRODUCTION
Electronic identification (eID) is not a new concept anymore; it enables efficient, secure and trusted authentication for different electronic services. eID services and provisions are standardized specifically in Europe under the eIDAS regulation and Europe's single digital market [2]. Current eID systems promote secure (personal) data exchange as required by many public services for the identification of natural or legal persons for efficient and effective service provision [3]. According to the contemporary literature and government reports, eIDs have been successfully implemented in many sectors and across borders in Europe and around the world [4][5][6][7]. eID tools are ubiquitous, but both governments and public service providers are obliged to regulate the eIDs under their national or EU/international level policies and regulations. This is one of the main tasks of the eIDAS regulation [9]. The level of trust in each of the eIDs is also regulated and signified under the same regulation. For example, at the EU level three levels of assurance are defined (low, substantial and high), and each EU member state notifies the European Commission about its trusted eID schemes to enable cross-border use. These levels are determined based on the resilience to identity threats and fraud as well as the ability to identify and verify persons accurately (record matching) [10].
The health domain requires an eID system that is comparatively higher in security and privacy due to the sensitivity of health data. Typically, eID systems offer security levels from low to high, and digital health services call for the highest level [11]. Brazil, although a developing country with a comparatively high internal digital divide, is actively participating in the digitalization of the health sector. The Brazilian Ministry of Health launched the national EHR program in 2011, primarily to provide a comprehensive and standardized system for managing patient health records, mainly aimed at primary care [12]. The Health Information Exchange system, including the National Health Data Network (RNDS), is another initiative launched by the Brazilian government [13]. In 2020 the Brazilian Ministry of Health initiated the Digital Health Innovation Hub, mainly to facilitate start-ups, researchers and healthcare providers, which has helped to accelerate the adoption of eHealth technologies in the country. In the recent past, mobile health (mHealth) solutions have become increasingly popular in Brazil as well [14], particularly for managing chronic diseases such as diabetes and hypertension. One of the latest advancements in digital health is Digital Health Records Management, based on patient centricity [15]. A digital health record system holds highly sensitive data and has distributed usage and data providers (i.e., doctors, nurses, labs, and so on), and thereby requires distributed data management solutions that allow different levels of visibility of data [11] [16]. In this light, the eID systems used in Brazil should be of high trust level on the eIDAS scale. This study hence analyses Brazil's widely used eID systems and investigates their adequacy for secure and trustworthy verification of the users of health services. Thereby this work intends to identify gaps in the eID solutions and propose guidelines for mitigating the risks incurred by those gaps. Hence it attempts to answer the following questions: 1) What is the level of adequacy of current eID systems for the Digital Health domain? And 2) How can the technology gaps associated with these state-of-the-art eIDs be reduced?
The rest of the article is organized as follows. The next section provides an overview of the background of eID systems, both in Europe and Brazil. Section 3 provides a deeper analysis of selected eID systems popular in Brazil. The following section summarizes the outcomes, and finally we give concluding remarks and a possible way forward for eID systems in the healthcare domain.

BACKGROUND - ELECTRONIC IDENTITY
Typically, eID refers to a digital identity credential that is issued by a trusted authority, such as a government agency, and is used to authenticate the identity of an individual in digital transactions. The eID consists of a unique identifier, such as a national identification number, and may also include other attributes such as the individual's name, address and date of birth [17]. eIDs are often used for accessing online services such as banking, government services and e-commerce [3]. A digital eID is the eID of the "digital by default" world and refers specifically to an eID that is stored and accessed electronically rather than in physical form. Digital eIDs are often implemented using smart card or mobile device technologies and may include additional security features such as biometric authentication [5]. The terms "eID" and "digital eID" are often used interchangeably, the nuance being that eID refers to a digital identity credential in general, while digital eID specifically refers to one that is stored and accessed electronically. In this article, eID means digital eID. eID is often associated with eID infrastructure, which refers to the technical and organizational systems that support the issuance, management and verification of eIDs [3].
This infrastructure typically includes hardware and software components, such as smart cards, card readers and authentication servers, as well as organizational policies and procedures for identity management [5]. The need for electronic identity for safe and secure authentication to digital services has become essential in the digitalized world. This capacity has been recognized primarily within the context of the European Commission's eIDAS regulation [18]. The eIDAS legislation, whose mutual-recognition obligation has applied since 2018 [9], urges the upgrade of electronic identification systems to comply with the regulation, or the creation of new eID systems that enable trusted use, specifically in public services, not only within organizations locally but also for sharing information and providing services across public sectors and even across borders (between countries). The high-level requirements stated in the legislation serve as the basis for implementing safe and secure information exchange, not only within Europe but outside Europe as well.

eIDAS and European eID systems
As part of the digital agenda [19] for a unified Europe, the European Commission put in place the infrastructure and working plan for harmonized and standardized digital service provision under the single digital market initiative [20]. Consequently, it emphasized the need to de-fragment the digital market as a first step towards "secure electronic interaction between citizens, businesses and public authorities, thereby increasing the effectiveness of public and private online services, electronic business and electronic commerce in the Union" (Regulation (EU) No 910/2014, art. 7) [10]. Since 2018, EU Member States have been obliged to recognize the eID schemes notified by the other member states (notified eIDs [9]). As a mandatory part of this, the eID infrastructure requires a trust management service that helps to verify the entity (person) requesting authentication.

2.1.1 The public key infrastructure (PKI). A public key infrastructure supports the eID systems: it creates, stores and distributes the digital certificates through which the entity (person) a public key belongs to is verified [5]. According to [6], a PKI includes:
• "a certificate authority (CA) that both issues and verifies the digital certificates;
• a registration authority that verifies the identity of users requesting information from the CA;
• in an e-ID situation where there is no central database for storing the keys, they are internally stored inside the e-ID cards, i.e. in a distributed architecture. By this architecture, each user carries his/her own certificates, and the attacks to a central database are avoided;
• certificate management system;
• certificate policy, which establishes the operational procedures of the certificates and e-ID cards." (p. 334)
In this regard, PKI provides the base for a trusted certificate created and maintained by several legal entities for preserving security. The regulation currently describes the assurance levels low, substantial and high with reference to the international standard ISO/IEC 29115. The issuer of the certificate and the verifier are, in principle, a public service or an authorized service provider appointed by the government or a public organization. The operational procedures for eID within the country should explicitly define these certificate authorities. The service providers for eID systems follow the processes for managing the trust certificates and for onboarding users according to the certificate policy.

2.1.2 The eID infrastructure implementation methods. According to the latest information on the status of EU countries in implementing eID schemes under the eIDAS-Node implementation, almost all EU member states have implemented eIDs [21]. software, followed by the smart card, electronic certificate or mobile certificates [21]. The World Bank report on technology for digital identification showcases several choices of credentialization, analytics and authentication technologies, as shown in Figure 1 [22]. The same report further elaborates on the levels of risk (as opposed to trust level) in the application of each of these technologies; it is a good resource for deciding which technologies to use in eID development.

2.1.3 eID for the health domain. As stated above, eIDs with a high level of trust are a necessity for the health domain [16]. In addition, the EU recommendation on a European Electronic Health Record exchange format [11] suggests the following principles to consider for eIDs in the sector: 1) citizen-centric by design, 2) comprehensiveness and machine readability, 3) data protection and confidentiality, 4) consent or other lawful basis, 5) auditability, 6) security, 7) identification and authentication, and 8) continuity of service. It further recommends following the HL7 FHIR [23] standards for data models and semantics. This essentially shifts authority over the health data towards the patient and at the same time empowers citizens towards digital maturity.

2.1.4 The digital identity wallet. The new and revised eIDAS regulation centres on the European Digital Identity Wallet (EUDI). This revision of the eIDAS Regulation could provide further guarantees against the identified trust challenges. The new question that arises is which requirements the Wallet and the new trust services should adopt to minimize trust issues in the exchange of evidence between competent authorities [22]. One of the objectives of the EUDI [24] specifically mentions the health domain: "Easy access to health data is crucial in both national and cross-border contexts. EUDI may enable access to patient summary ePrescriptions etc" (p. 11). So the regulation indirectly urges the importance of considering EUDI solutions for the health sector.

eID systems in Brazil
Brazil's National Infrastructure for Electronic Identification project was started decades ago, and the implementation actions of the legislation, i.e., ICP Brazil, have accelerated in recent years [26]. Although the internal digital divide in the country is substantial, the government has established digital transformation plans for all the states in Brazil [26]. Brazil's Public Key Infrastructure Management Committee, started in 2008, acts as the main control body for the public policies required for these actions within ICP Brazil [27]. As of today, many eID systems are listed in the illustration of the new ICP Brazil ecosystem, from both public and private service providers, under different categories such as trusted service providers, support service providers and biometrics service providers [28].

EID ASSESSMENT METHODOLOGY
This study was designed to systematically capture the technical and technological soundness of the state-of-the-art eID systems used in Brazil. Based on popularity and relevance, we selected six eID systems that are cited by the ICP-Brazil infrastructure or that are cited by or related to important councils in Brazil, such as the Federal Council of Medicine. Table 1 presents the six selected eID systems and the criteria used to evaluate them. The criteria are split into functional and non-functional key requirements drawn from the EUDI as well as ICP Brazil.

ELECTRONIC IDENTITY LANDSCAPE IN BRAZIL
To grasp the landscape of the significant eID systems, the above-mentioned indicators were used. This investigation gives us details on the functional and non-functional requirements of such systems. In this direction, the major Brazilian eID systems NeoID, SafeID, BirdID, RemoteID, VIDaaS and the CFM certification system are considered for analysis. All these systems are associated with ICP-Brasil and its public key infrastructure [27]. The reviewed systems share many features. For example, as cloud-based certification systems, they do not require the user to keep the certificate on an electronic medium such as a token. Some systems are more feature-rich, for example allowing the user to revoke authorizations granted to third parties. It is important to note that the information gathered about these systems was extracted from text and promotional materials targeting end users. All the systems are closed source, so more detailed information, including their architecture, is not publicly available.

NeoID
NeoID is a cloud-based digital certification system developed by SERPRO, the biggest government-owned IT corporation in Brazil.
NeoID was the first cloud-based digital certification system authorized by ICP-Brazil.
Features:
• Use a single certificate on multiple mobile devices;
• Two-factor authentication.
Onboarding: The onboarding process involves confirmation of identity by an authorized Registry Agent. The interested party must bring identification documents to be checked, so confirmation requires physical presence. At least one document is mandatory, but RG (the national identity card) and CNH (the driver's license) are preferred. NeoID does not provide remote onboarding verification. The onboarding process for legal persons is similar.

VIDaaS
VIDaaS is a cloud-based digital certificate. It does not require the user to store the certificate on a physical device or on her computer; only Internet access to the system is required.
Features:
• Besides basic authentication, the system allows scanning and signing documents. These features are also available on mobile devices;
• The certificate is stored in a dedicated HSM (hardware security module, a device that protects and manages keys) that can be accessed from mobile devices;
• VIDaaS is compatible with a number of government platforms, such as e-CAC and meu INSS, among others;
• The user can create an account using biometric authentication and create a digital certificate using only the app on the mobile device;
• The user can also use the system via the browser. A QR code is generated to finish the two-step verification through the mobile device. After that, the app starts generating tokens.
Onboarding: VIDaaS has both remote and in loco onboarding processes. The remote process is available only to users whose biometric data the company has already collected, or who hold a driver's license (since biometric data is collected as part of the licensing process). If the remote process is not possible, a VIDaaS agent verifies the documents and collects the biometric information in loco.

CFM Certificate
This is the official certificate of the Brazilian Federal Medical Council (CFM). It is issued free of charge to medical professionals (and only to them, so it is unlikely to be widely used outside the profession) in a cloud-based digital system, by the CFM Registry Agent, according to CFM regulation 2296/2021.
Features:
• The certificate can be used to sign prescriptions and sick notes (using the Federal Medical Council's own system [34]), contracts and all sorts of electronic documents;
• The CFM certificate can be used with the VIDaaS app (described earlier) to sign documents;
• Application developers can integrate their products using Valid APIs.
Onboarding: The CFM system requires an in loco onboarding process. This can take place when new physicians join the council. During onboarding, not only are the identification documents checked but biometric information is also gathered.

RemoteID
RemoteID is a cloud-based digital certificate developed by CertiSign. It does not require the user to store the certificate on a physical device or on her computer; only Internet access to the system is required.
Features:
• The certificate is stored in a dedicated high-security data centre on ICP-Brasil-compliant hardware;
• The user can issue a certificate through the browser;
• Only the user controls the key. This is achieved by a two-step verification using an app on a mobile device, similar to a bank's token app;
• RemoteID records all transactions regarding a certificate, so the user can track the application through which the certificate was issued, the timestamp, the expiration date and status of the certificate, and who issued it (see Figure 2);
• There are two ways to authenticate: PIN and e-Token (remoteID app or card). If the user chooses the e-Token via the remoteID app, a QR code is generated to finish the two-step verification. After that, the app starts generating tokens;
• RemoteID is A3 compatible, that is, it also works with systems that rely on physical devices.
Onboarding: CertiSign is an Authorized Registry Entity and follows the regulations defined by ICP-Brazil. The company offers both remote and in loco onboarding. The documents accepted as identification are: national ID, driver's license, passport, and any photo identity document that is considered an identity document by law in Brazil, of which there are several (e.g., OAB, CRC, CRM). In both modes the whole process is conducted and monitored by CertiSign staff.

SafeID
SafeID is a cloud-based digital ID provider. SafeID provides A3 e-CPF and e-CNPJ certificates.
Features:
• Use a single certificate on multiple mobile devices;
• Keep track of the usage history: it is possible to verify all accesses made with the certificate;
• SafeID on desktop is compatible only with Windows 7 (or newer).
Onboarding: As with the other cloud-based digital ID providers, SafeID onboarding can be carried out in loco or remotely (through a conference call). An A3 certificate can be granted through either process. A driver's license is not mandatory (unlike other ID providers).

BirdID
BirdID is a cloud-based digital certification system developed by a private company, Soluti [35]. As with any cloud-based certification system, BirdID users do not have to store their certificates on electronic devices such as tokens. Soluti also provides A1 and A3 digital certificates.
Features: As with any digital certificate, BirdID allows one to sign documents. In addition, Soluti has partners that provide e-health systems, and these systems are integrated with BirdID cloud-based certification.
Onboarding: Onboarding can be carried out via video conference for holders of a CNH (Brazilian driver's license) issued after 2016. Before the video conference, the user must upload digitized copies of personal IDs; during it, Soluti staff verify the documents.

ANALYSIS AND DISCUSSION
Our review sheds light on the specifics of eIDs in the Brazilian market. According to our observations, the reviewed solutions are closed source and provide a broad and diverse range of functional and non-functional features. Based on the outcome, NeoID, VIDaaS and CFM Certification are solutions that can be considered for further investigation, for the following reasons.
• They are widely used, and they are all developed by trustworthy organizations; for example, NeoID is developed by SERPRO, the largest government-owned IT services corporation in Brazil.
• They provide detailed technical documentation that can be used to inspire the development of similar services.
• VIDaaS has been integrated with eHealth systems through an open API, which can bring useful information on how to interact with external systems in this ecosystem.
In this context, we raised some important concerns that must be the subject of further discussion. In this section we present them along with possible strategies to address them.

Onboarding
The eID systems studied in this work had several options for the onboarding process, as described below.
Mandatory documentation. Most of the systems accept more than one document to identify the user during onboarding. The driver's license (CNH) is one of the first documents most eID systems consider. It speeds up the process because Brazil's national transit department requires drivers to appear at an official state location so that their identity is confirmed, and those data are therefore already verified. However, many target users may not hold a CNH. One alternative is to use the CPF together with a second identification document to increase security. The CPF is similar to a social security number and is the document that uniquely identifies Brazilian citizens.
Biometric collection. It is common practice to collect biometric data from the users, and it is a key means of strengthening identity proofing. Here NeoID has an advantage: it uses the legacy database that SERPRO built in previous projects with the Brazilian government. One important open question is which devices and protocols to use to collect the biometric data.
Token devices. It is also common, especially for older systems, to use external devices that provide tokens for authentication. Even though this is a state-of-the-practice strategy, it is probably better to consider a cloud-based certificate combined with two-factor authentication (a mobile phone, for example).
Remote onboarding. A remote onboarding process may be necessary in some contexts, since it lets providers serve a broader range of users, such as those who live or work far from the main cities. However, this decision probably requires ways to check user data against other trustworthy systems or authorities, for example the Transit Department of Brazil.

Safe Storage
Storage of credentials is one of the key aspects of eID systems, and the eIDs investigated use several types of solution for this purpose. Some companies use their own infrastructure to store the users' credentials. This is the case for NeoID: according to its documentation, SERPRO holds the certificate in a dedicated high-security data centre on ICP-Brazil-compliant hardware. This is also the case for VIDaaS, which stores the certificate in a dedicated HSM (a hardware security module, a device that protects and manages keys) that can be accessed from mobile devices. One possible alternative is a cloud-based service such as AWS CloudHSM, which provides such a device as a managed service.

Certificate Level
In the eID systems explored, there are two levels of certificate: A1 and A3. The main difference is that A1 certificates are installed in software on a particular machine, and users can make copies of them. This is a major concern when dealing with certificates, because the owner may lose track of how many people have access to the private key. It is also not a rare scenario for users to reconfigure their machines and lose the certificate. A3 certificates, on the other hand, are installed/stored in cryptographic devices: cards, USB tokens or HSMs. Users cannot copy or export such certificates (the private key never leaves the device), which increases security. They also provide mobility, since they can be used on different machines/devices.

OAuth2 industry-standard protocol for authorization
OAuth2 is the widely used industry standard for delegated authorization, and its core flows are openly specified (RFC 6749), which makes it a well-understood and well-scrutinized choice. Complete and detailed documentation of its core functionality is available, so it can be implemented consistently. Secondly, it can be applied to a variety of devices and applications and allows flexibility in the architecture of the systems designed and built on top of it. One caveat a designer should keep in mind: OAuth2 is an authorization framework, not an authentication protocol; an eID that must prove to a relying party who the user is should layer an identity protocol such as OpenID Connect on top of it, rather than treating possession of an access token as proof of identity.
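The paragraph above presents OAuth2 as a design choice; the NeoID feature list later in this article gives the concrete properties a health eID needs from it (tokens issued only to client applications the certificate owner authorised, limited in scope and duration, and revocable by the owner). The following Go program is an added example written for this article, not NeoID's or any vendor's code: an in-memory authorization server that issues a single-use authorization code bound to a PKCE challenge (RFC 7636), exchanges it for a short-lived, scope-limited access token, lets a resource server introspect the token before acting on it, and lets the owner revoke it. The client name clinic-app, the scope strings and the token lifetimes are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// Grant is an approval the certificate owner gave to one client application: which user, which client, which scope.
type Grant struct {
	User, Client string
	Scope        map[string]bool
}

// record backs both authorization codes and access tokens.
type record struct {
	grant     Grant
	challenge string // PKCE code_challenge (S256); only set on codes
	expires   time.Time
	spent     bool // code already exchanged, or token revoked
}

// AuthServer is a minimal in-memory OAuth 2.0 authorization server (hypothetical, not any product's code).
type AuthServer struct {
	codes, tokens map[string]*record
	ttl           time.Duration // access-token lifetime; time is passed in so expiry is testable
}

func NewAuthServer(tokenTTL time.Duration) *AuthServer {
	return &AuthServer{codes: map[string]*record{}, tokens: map[string]*record{}, ttl: tokenTTL}
}

// randomString returns 256 bits of randomness as a URL-safe string (codes, tokens, verifiers).
func randomString() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// S256 derives a PKCE code_challenge from a code_verifier (RFC 7636, section 4.2).
func S256(verifier string) string {
	h := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(h[:])
}

// Authorize records that user approved client for scope; the code is single-use, valid one minute, PKCE-bound.
func (s *AuthServer) Authorize(user, client string, scope []string, challenge string, now time.Time) string {
	g := Grant{User: user, Client: client, Scope: map[string]bool{}}
	for _, sc := range scope {
		g.Scope[sc] = true
	}
	code := randomString()
	s.codes[code] = &record{grant: g, challenge: challenge, expires: now.Add(time.Minute)}
	return code
}

// Exchange turns a code into an access token. The code is burned on first use and the
// PKCE verifier must match the challenge, so a leaked code alone yields nothing.
func (s *AuthServer) Exchange(code, client, verifier string, now time.Time) (string, error) {
	rec, ok := s.codes[code]
	if !ok || rec.spent || now.After(rec.expires) {
		return "", errors.New("invalid, used or expired authorization code")
	}
	rec.spent = true
	if rec.grant.Client != client {
		return "", errors.New("code was issued to a different client")
	}
	if subtle.ConstantTimeCompare([]byte(S256(verifier)), []byte(rec.challenge)) != 1 {
		return "", errors.New("PKCE verifier does not match the challenge")
	}
	tok := randomString()
	s.tokens[tok] = &record{grant: rec.grant, expires: now.Add(s.ttl)}
	return tok, nil
}

// Introspect is what a resource server (e.g. a signing endpoint) calls before acting on a token:
// it returns the grant only if the token is live and carries needScope.
func (s *AuthServer) Introspect(token, needScope string, now time.Time) (Grant, error) {
	rec, ok := s.tokens[token]
	if !ok || rec.spent || now.After(rec.expires) {
		return Grant{}, errors.New("token unknown, revoked or expired")
	}
	if !rec.grant.Scope[needScope] {
		return Grant{}, errors.New("token lacks scope " + needScope)
	}
	return rec.grant, nil
}

// Revoke lets the certificate owner withdraw a previously granted authorization.
func (s *AuthServer) Revoke(token string) {
	if rec, ok := s.tokens[token]; ok {
		rec.spent = true
	}
}

func main() {
	now, srv, verifier := time.Now(), NewAuthServer(10*time.Minute), randomString()
	code := srv.Authorize("user-1", "clinic-app", []string{"sign"}, S256(verifier), now)
	tok, err := srv.Exchange(code, "clinic-app", verifier, now)
	fmt.Println("token issued:", err == nil)
	_, err = srv.Introspect(tok, "read-records", now) // scope was never granted
	fmt.Println("read-records with a sign-only token:", err)
}
```

The order of checks in Exchange matters: the code is marked spent before the client and verifier checks, so a failed attempt cannot be retried with a corrected verifier. The resource server never sees the user's certificate credentials, only a token whose scope and liveness it must check on every call, which is what makes owner-side revocation effective.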

Features and Scope of an eID
The eIDs we analysed have common features but diverge in some of their capabilities.The requirements and the provisions are as follows.
Authentication. eIDs must provide secure authentication. An open API through which external services and systems can interact with the eID safely is also strongly recommended; it could be modelled, for example, on the NeoID API [36].
Document signing. One of the main tasks related to digital certificates is signing documents. Usually, companies develop external applications that interact with the eID system to authenticate and sign documents; it is also not rare for an eID system itself to provide document signing without external systems. This is an architectural decision that must be addressed.
Signature verification/validation. Every eID system is expected to produce valid signatures, so a verification module or service must be developed or adopted to validate them. An important decision here is whether to develop such a module or to use the service/application provided by ICP-Brazil.
ICP-compliance. A deep understanding of the regulations and procedures of ICP is a must to be able to provide eIDs in the ICP-Brazil ecosystem. The regulation that establishes the requirements is detailed and complex. It defines, for example, the algorithms (and their parameters) used to create digital signatures, the format of the digital signatures, and the procedures to verify and validate them. Hence it is important to have a clear understanding of these conditions. The initial concerns are:
• Use Base64 to encode and decode data.
• Follow CMS Advanced Electronic Signatures (CAdES) [37] for the structure of the content, based on ASN.1 [38].
• The signature must follow one of the formats below, or a combination of them:
- short-term signature (AD-CP);
- signature with validation references (AD-R);
- signature with complete information (AD-C);
- signature with information for archiving (AD-A).
• The minimal signed attributes are:
- for CAdES: id-contentType, id-messageDigest, id-aa-signingCertificate or id-aa-signingCertificateV2, and id-aa-ets-sigPolicyId;
- for XAdES: DataObjectFormat, SigningCertificate and SignaturePolicyIdentifier.
There are also general requirements regarding the content of the signature:
• It must refer to the signed document.
• It must ensure that the document was not modified.
• It must refer to the owner of the certificate.
• It must refer to the content of the certificate on which the signature is based.
Regarding the document, the regulation establishes that it must be static; that is, its content must not contain references or internal resources that might change how the document is displayed over time.
Regarding the algorithms and their parameters for private key and signature generation, the prototype must use one of the ICP-Brazil-approved algorithms [27].
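Section 2.1.1 describes the PKI roles behind an eID (a CA that issues certificates for a subscriber's key), and the requirements above list what an ICP-Brazil-style signature must bind together: the document, the signer's certificate and a signature policy. The following Go program is an added example written for this article, not taken from ICP-Brazil, NeoID or any of the reviewed products. It builds a root CA and a subscriber certificate, encodes a simplified set of signed attributes in ASN.1 DER (content type, message digest, a hash of the signing certificate in the spirit of signingCertificateV2, and a policy OID), signs them with the subscriber key, and then verifies chain, signature, certificate binding and document integrity in turn. It is not a CAdES/CMS implementation; the certificate names, the policy OID 1.3.6.1.4.1.99999.1 and the sample document are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl for pub with the issuer's key (pass tmpl as issuer for a self-signed root).
func issue(tmpl, issuer *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, signer)
	if err != nil {
		panic(err) // templates and keys are built in this file, so this is a programming error
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// BuildPKI models the CA/subscriber split of Section 2.1.1: the CA certifies the subscriber's
// public key and never holds the private key (which an A3 deployment keeps in a card, token or HSM).
func BuildPKI(now time.Time) (ca, ee *x509.Certificate, eeKey *ecdsa.PrivateKey) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // a crypto/rand failure is unrecoverable here
	eeKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{ // names and serial numbers are constructed for the example
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ee = issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Subscriber (hypothetical)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}, ca, &eeKey.PublicKey, caKey)
	return ca, ee, eeKey
}

// SignedAttrs is a simplified stand-in for the minimal CAdES signed attributes the text lists.
// Signing its DER binds document, signer certificate and policy together; it is not a full CMS SignedData.
type SignedAttrs struct {
	ContentType     asn1.ObjectIdentifier
	MessageDigest   []byte // SHA-256 of the document
	SigningCertHash []byte // SHA-256 of the signer's DER certificate (as in signingCertificateV2)
	SigPolicyID     asn1.ObjectIdentifier
}

var oidData = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 1}      // id-data
var oidDemoPolicy = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1} // hypothetical policy OID

// Sign returns the DER-encoded signed attributes and the ECDSA signature over them.
func Sign(doc []byte, cert *x509.Certificate, key *ecdsa.PrivateKey) (attrs, sig []byte, err error) {
	docHash, certHash := sha256.Sum256(doc), sha256.Sum256(cert.Raw)
	if attrs, err = asn1.Marshal(SignedAttrs{oidData, docHash[:], certHash[:], oidDemoPolicy}); err != nil {
		return nil, nil, err
	}
	h := sha256.Sum256(attrs)
	sig, err = ecdsa.SignASN1(rand.Reader, key, h[:])
	return attrs, sig, err
}

// Verify checks, in order: chain to a trusted root, signature, certificate binding, document integrity.
func Verify(doc, attrs, sig []byte, cert, root *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("certificate chain: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if h := sha256.Sum256(attrs); !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("signature does not verify under the certificate's key")
	}
	var a SignedAttrs
	if rest, err := asn1.Unmarshal(attrs, &a); err != nil || len(rest) != 0 {
		return fmt.Errorf("malformed signed attributes")
	}
	if certHash := sha256.Sum256(cert.Raw); !bytes.Equal(a.SigningCertHash, certHash[:]) {
		return fmt.Errorf("signed attributes refer to a different certificate")
	}
	if docHash := sha256.Sum256(doc); !bytes.Equal(a.MessageDigest, docHash[:]) {
		return fmt.Errorf("document was modified after signing")
	}
	return nil
}

func main() {
	now := time.Now()
	ca, ee, key := BuildPKI(now)
	doc := []byte("constructed sample document") // constructed for the example
	attrs, sig, _ := Sign(doc, ee, key)
	fmt.Println("original:", Verify(doc, attrs, sig, ee, ca, now))
	fmt.Println("tampered:", Verify(append([]byte{}, append(doc, '!')...), attrs, sig, ee, ca, now))
}
```

Run with go run: the first Verify returns nil and the second, on a copy of the document with one appended byte, reports that the document was modified after signing, because the message digest carried in the signed attributes no longer matches. A production signature would wrap these attributes in a CMS SignedData structure and use the policy identifiers and algorithms that ICP-Brazil approves [27]; what the example shows is why the four listed requirements need all four checks, not just the signature itself.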

eID Wallet solution (EUDI)
As mentioned in the preceding section, eID wallet (EUDI) solutions are the most secure and trustworthy solutions. In addition, the EUDI wallet allows different digital trust certificates from different service providers to be held in a single space (the wallet). In contrast to other domains, the health sector may have to deal with different types of certificate, such as medical certificates that authorize doctors to perform certain types of procedure; a medical doctor may, for example, hold several certific­ates authorizing different surgical protocols. Having all these certificates in one wallet supports not only user-centricity but also simplicity and ease of use. However, none of the examined eIDs is a wallet solution. This can be partly understood by the fact that EUDI is still emerging and hence not yet popular enough to reach outside Europe. Since EUDI is a new technology, its maturity is also yet to be achieved.
However, the level of security and privacy that EUDI provides is, as described above, a must for an eID suitable for the health domain. The absence of a wallet solution alone is therefore reason enough to rethink and redesign eID solutions for the health sector.

CONCLUDING REMARKS
This paper explored the landscape of eID solutions in Brazil to investigate the adequacy of those solutions for authenticating users of digitalized health services. Our analysis of the state-of-the-art eID systems used in Brazil revealed that NeoID, VIDaaS and CFM Certification are tools that could potentially be investigated further for a prospective solution. The key takeaways from the study are that the requirements for a secure eID as recommended in ICP Brazil and the eIDAS regulation are not entirely covered by any of the existing eID systems. One critical drawback identified is that none of them is an EUDI wallet solution. Based on the outcome of the study, we propose a cloud-based EUDI wallet solution with OAuth2-based authorization. The other requirements for a secure eID solution for the digital health domain given above are also essential. As future work, a concrete requirement set can be drawn up through a deeper analysis of the high-level requirements identified in this study.

Figure 1: Identification and authentication technologies

Figure 2: The transaction logs page of RemoteID

NeoID features (continued from the NeoID description above):
• Keep track of the complete usage history; it is possible to verify all accesses made with the certificate;
• The same security level as A3 certificates;
• Certificates are safely stored in the SERPRO data centre using cryptographic hardware;
• NeoID implements the OAuth2 authorization protocol. As part of the protocol, NeoID allows:
- client applications to be authorized by the certificate owner;
- client applications to receive access tokens, so they do not store users' credentials; tokens are issued with a limited scope (to avoid granting access to all resources) and limited duration;
- applications to sign documents on behalf of users, based on the tokens granted by authorized users;
- certificate discovery: applications can discover the certificate associated with a given user;
- user discovery: applications can discover certificates for a given CPF or CNPJ;
- revoking previously granted authorizations.