Wednesday

Room 4

17:40 - 18:40 (UTC+01)

Talk (60 min)

HelseID - Introducing Modern Web Security in a Geriatric Health Sector

Since 2015 we have been working to establish a national trust service in the Norwegian health sector. The service, HelseID, is now protecting a large portion of the national health care APIs in Norway, and it is an essential part of the national data-sharing strategy of the Norwegian Directorate of eHealth.

Software Design
Methodology/Process
Security
Web

Seen from a technical perspective, HelseID is an OAuth2 and OpenID Connect implementation. Both of these protocols were designed (and are continually adjusted) with modern web applications and modern infrastructure in mind. As health care is by nature a very conservative industry, legacy (non-web-native) software is more the norm than not. Thus, introducing a service like HelseID has been, and still is, a challenge.

In this talk we will look at HelseID, what it is and what we have done to make sure it covers the particular needs of the Norwegian health sector. Furthermore, we will dig into some of the unique challenges we must handle in a high-risk sector like health care. Finally, we will look at some real-life examples of how we support legacy systems while also supporting modern applications.

Rune Andreas Grimstad

Writes software for fun and food and has done so since childhood. Very interested in security and healthcare. Has spent the last several years digging into the OAuth2 and OpenID Connect protocols for web security.

Dag Helge Østerhagen

Dag spent large parts of his youth in front of a Commodore 64 and various Amigas. Since the late 90s he has had the privilege to focus on the art and craft of professional software development. For the last 5 years, the focus has been software security, in particular the challenge of determining exactly who the man behind the machine is.