NFC connection with healthcare smart cards

NFC authentication makes for a more fluent user experience in healthcare information systems, especially for mobile users, because no card reader is required. In my blog text, I discuss my thesis, the purpose of which was to implement support for the use of NFC cards in the Atostek ERA patient information system in accordance with the auditing requirements.

Authentication in Finnish patient information systems has, since the early days of healthcare digitalization, been based on various chip cards containing electronic certificates. Up until now healthcare smart cards have only been available with a physical interface. Use of smart cards and authentication into information systems has always required a separate smart card reader.

In desktop use, a separate card reader does not cause any problems or make the authentication process cumbersome. The situation is quite different in mobile use: any extra device the user has to carry around weakens the user experience.

Wireless NFC connection – no need for a separate reader

Smartphones became more and more popular among consumers in the 2010s. This also put some pressure of healthcare information systems to provide practical user interfaces for mobile use. The Digital and Population Data Services Agency, which is in charge of smart card development and maintenance, recognized this need and carried out a smart card reform in 2020. The new cards not only have a physical interface but also a wireless one.

The connection to a wireless user interface is effected by means of near-field communication (NFC). All modern smartphones have an inbuilt NFC antenna that enables the use of smart cards without a separate card reader.

However, the wireless connection introduced a new problem. If the connection between the smart card and the phone cannot be encrypted, a third party may intercept the communication and easily steal the smart card password during log-in. To solve the problem, the wireless interface of smart cards implements a PACE protocol to protect the connection.

PACE is a key-exchange protocol developed by the German BSI information security organization. PACE functions in a similar way to the WPA algorithms used for securing WiFi connections. Both algorithms make use of a predefined secret element that is required to establish the connection. With WiFi, this secret is a password consisting of 8–63 characters, while in PACE it is a PIN stored on the card.

NFC support makes authentication easier

The purpose of my thesis was to implement support for the use of NFC cards in Atostek ERA patient information system in accordance with the auditing requirements. To do this, the ERA SmartCard application had to have a PACE protocol that was based on the specifications of the Digital and Population Data Services Agency and BSI.

In addition to the PACE protocol, the ERA SmartCard had to have a mechanism to recognize if the card goes outside the NFC field, in order to fulfill the audit requirements for authentication. When using ERA, the card must remain in the reader throughout the session, and no exception could be made with NFC. As a result of my thesis, NFC support was implemented in the ERA system for Windows, Linux, OSX and Android operating systems in late 2020.

NFC support was not completed for the iOS platform while I worked on my thesis owing to auditing requirements. However, after I had completed my thesis, discussions were held with the authorities, with the result that the auditing requirements were made less strict, so NFC support will be available for the iOS platform in spring 2022.

With NFC support, authentication into ERA and systems utilizing it were made easier in mobile use. For example, electronic prescriptions and signatures are possible in the Atostek ERA service regardless of the location, by just using a smartphone.