IDAPS (Identification-Authentication-Privacy-Security)

Based on the scale and severity of cyber attacks and patient’s data breaches that have occurred in the health care community for the past two years, one thing is very obvious – the health care community has a very low maturity when it comes to protecting medical and patient’s data.

METTCARE IDAPS unique design is based on the redesign of the front-end application logic. Internal architecture is based on a modular design, making it extremely hard to reverse generate system behaviour even for the corporate System Administrators and Database Administrators. Social Engineering Attacks, Man in the Middle attacks, and SQL Injections are impossible as there exists no front-end application code.

Unlike most other systems, METTCARE is performing both user and process authentication. No activity can start and proceed if all required authentication arguments are not verified against the IDAPS repository. Where METTCARE is integrated with an existing core system, IDAPS will send the result score back to the calling process that can react accordingly. Irrespective of what the external process will do, METTCARE EDS will always keep all the meta-data associated with the particular transaction, in order to enable both audit review and full event reconstruction. An authorized user would have the ability to review all the data access and manipulation activities by any user, with the ability to see the exact data as has been seen by that particular user in a given event.

The following principles define the core of the METTCARE IDAPS authentication architecture:
1. Identification – recognizing the other party in a transaction. You associate some unique information with the other party, that only that particular party can reproduce (web user id, password, PIN). Identification implies uniqueness for a given party (SIN, OHIP number, ONE ID as well as any unique biometrics identifier: DNA code, fingerprints, iris scan, etc.)
2. Authentication – proving and verifying specific information. That would imply using specific attributes for challenge and/or prompt words (mother’s maiden name, place, pet name etc.). In the case of the electronic document, it can mean applying digital signature.
NOTE: Authentication does not necessarily uniquely identify the specific party, but acknowledges the right to do something (i.e. users sharing the same password can access the same shared services; this is the case in bigger corporate IT departments where more than one person has Administrator rights to log on the system, do backups etc.).
3. Authorization – defining what a certain party can do. It can vary from situation to situation such as in Accounting Department (who can see and change payroll, gross-profit analysis report, etc.), creating and approving Customer profile (operator enters data, administrator checks and verifies it, and supervisor activates the new Customer Account).
4. Integrity – all data must stay unchanged during and after the specific transaction. Whatever is the subject of specific transaction and storage, data can never change, and must always present the image of the original transaction.
5. Confidentiality – privacy must be guaranteed and data must stay secret to everyone outside the transaction process. In today’s world, it means protection of privacy, not only from the external threat (Internet fraud), but also from the internal theft by the System Administrator, DBA or corporation itself (selling medical and patient’s data without consent). METTCARE does not store clients’ actual data, just the session information.
6. Non-repudiation – inability to deny doing something. METTCARE’s solution is based on unique combination of IDAPS algorithms and EDS storage creating a fully trusted source of data.

METTCARE IDAPS design is based on the redesign of the front-end application logic. Internal architecture is based on a modular design, making it extremely hard to reverse generate system behaviour even for the corporate System Administrators and Database Administrators. Social Engineering Attacks, Man in the Middle attacks, and SQL Injections are impossible as there exists very limited front-end application code.

METTCARE is performing both user and process authentication. No activity can start and proceed if all required authentication arguments are not verified against the IDAPS repository. Where METTCARE is integrated with an existing core system, IDAPS will send the result score back to the calling process that can react accordingly. Irrespective of what the external process will do, METTCARE’s Enterprise Data Store (EDS) keeps all the meta-data associated with a particular transaction, in order to enable both audit review and full event reconstruction. An authorized user would have the ability to review all data access and manipulation activities by any user, with the ability to see the exact data as has been seen by that particular user in a given event (event reconstruction).

The recent progress in quantum computing is also posing some serious questions regarding encryption and the entrenched believe that it is a panacea for cybersecurity. The enormously increased processing power of quantum computers will change Public Key Infrastructure (PKI) as we know it today. Rather then relying solely on encryption, METTCARE security is based on its own data and portal architecture to achieve system and data security.

In recent years, biometrics have become a popular method of identifying persons. Fingerprint scans are being used on some mobile devices and secure laptops in place of passwords and PINs. But relying on biometrics as a fool-proof way of identification has its serious pitfalls. What happens when your personal biometric data gets stolen – can you grow a new finger and a new eye? METTCARE rather relies on different methods of identification that are modifiable and replaceable in case of a device loss or theft.

METTCARE IDAPS mobile device identification process is a set of proprietary algorithms that identify the mobile device and its user in order to prevent hacking attempt through a virtual copy. Mobile devices could be recreated in a virtual image making them a perfect tool for hacking. METTCARE solution prevents unauthorized access to services through the mobile device as it checks and verifies each device and user at every level.

When METTCARE IDAPS is linked to the third party application through the back-end data exchange, a full event audit and reconstruction is guaranteed in a real-time or a batch-mode.