Regulations for user identification and authentication for access to the Abilis platform
1. Aim of Regulations
The present Regulations contain the terms and conditions of use of the secure usernames that allow health professionals and their auxiliaries to access the Abilis health platform operated by the Ofac cooperative society and the Abilis Reference community (CR Abilis) operated by the National and interprofessional Abilis reference community for medication SA (Abilis SA), via the trustID identity provider application by Elca Informatique SA. The secure username is subject to the Service Level Agreement of the identity provider trustID (Elca Informatique SA); Ofac offers no guarantee.
For all other matters, the provisions of the Federal Act on the Electronic Patient Record and its ordinances, current and future, apply, in particular those set out in annex 8 of the FDHA ordinance dated 22 March 2017 and any provisions that replace them.
2. User awareness of security
2.1. General Information
All users must understand their responsibility in terms of information security and must be aware of the threats to information security.
Users will ensure they keep identification and authentication data confidential, so that they are not disclosed to third parties and will avoid recording them on paper, in unprotected files or on portable terminals, unless they are stored using an approved method.
Users will use sophisticated passwords to reduce the risk of malicious access to their computer, email, social media and bank accounts as well as to trustID. The password must comply with the following rules:
- The password must contain at least 8 characters;
- Users will choose a mix of letters, upper case and lower case, numbers and special characters (at least one of each);
- Users will not choose their username as a password;
- Users will not use the same password twice;
- Users will choose an impersonal password (with no relation to personal information, for example: names, pets, date of birth);
- Users will avoid famous names as well as words from the dictionary;
- Users will not share their password;
- Users will only enter their password on safe devices;
- Users will not reuse a password they have already used for another Internet service.
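The composition rules above can be enforced mechanically at the point where a password is chosen. The following checker is an added illustration, not code from Ofac, trustID or the Abilis platform; the dictionary and famous-name lists are constructed stand-ins for the wordlists a real deployment would load, and the rule about passwords used on other Internet services cannot be verified locally and is left to the user.

```python
import re
import string

# Constructed, illustrative stand-ins for a real dictionary and famous-names list
# (assumption: a deployment would load proper wordlists instead of these few entries).
DICTIONARY_WORDS = {"password", "welcome", "pharmacy", "medication"}
FAMOUS_NAMES = {"einstein", "mozart", "federer"}


def check_password(password, username, personal_info=(), previous_passwords=()):
    """Return the list of section 2.1 rules the password violates (empty = acceptable).

    Checked rules: at least 8 characters; at least one upper-case letter, one
    lower-case letter, one digit and one special character; not the username;
    not a previously used password; no relation to personal information
    (names, pets, date of birth passed in personal_info); not a dictionary
    word or famous name.
    """
    violations = []
    if len(password) < 8:
        violations.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        violations.append("no upper-case letter")
    if not any(c.islower() for c in password):
        violations.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        violations.append("no digit")
    if not any(c in string.punctuation for c in password):
        violations.append("no special character")

    lowered = password.lower()
    if lowered == username.lower():
        violations.append("equals the username")
    if password in previous_passwords:
        violations.append("already used")
    for item in personal_info:
        # Case-insensitive substring match: "Rex-2019Born" still reveals the pet's name.
        if item and item.lower() in lowered:
            violations.append(f"contains personal information ({item})")

    # Strip digits and punctuation so "Einstein2024!" is still caught as a famous name.
    core = re.sub(r"[^a-z]", "", lowered)
    if core in DICTIONARY_WORDS or core in FAMOUS_NAMES:
        violations.append("based on a dictionary word or famous name")
    return violations
```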
2.3. Password requests
Ofac and health professionals will never ask for or send information by email or telephone regarding user passwords.
Users will not give their security details to third parties.
If users receive suspicious requests for their password, whether by email, fax, telephone or any other means, they should immediately inform customer support.
When users access the Abilis web portal via Internet, they will ensure they logout at the end of their visit.
In order to ensure that the web page is secure, users will check the URL, the presence of “https://” and the lock symbol in the address bar, which confirms that they are on the intended web page when they log on.
Users are accountable for the devices (mobile phone, personal computer, ...) they use to access the Abilis platform via trustID.
If the user’s mobile phone is not correctly configured, the level of security of the service may be altered. Ofac cannot be held accountable for the configuration of the user's personal devices.
Users will also pay attention to all applications installed on their mobile phone.
Users will install and regularly update antivirus software and a firewall in order to prevent infection of devices by computer viruses and prevent malicious connections.
Ofac will under no circumstances be held accountable in the event access to the Abilis platform becomes impossible. Generally speaking, Ofac will only be accountable in cases of fraud or gross misconduct.
2.6. Common sense
Users will use common sense and critical thinking in order to detect any attempts of fraud or piracy:
They will be mindful of anything unusual:
- They will be wary of emails from unknown senders. Email is often used by malicious people to infect computers. They will not click on links contained in, or open files attached to, these emails;
- They will not reply to spam (unsolicited electronic mail advertising): a reply indicates to the sender that the email address exists and will generate more spam;
- They will be careful when opening attachments from known senders: the sender's email account may have been pirated;
- They will be wary of windfalls online: for example, winning a game without having participated may indicate a fraud attempt;
- They will not forget that private life must remain private: they must not talk about everything and show everything online. As soon as data is online, users must be aware that they lose control of it. Once online, data remains accessible in one way or another.
For more information, users may visit the MELANI website (reporting and analysis centre for information assurance https://www.melani.admin.ch).
3. Abilis platform login
Login to the Abilis platform and CR Abilis is only possible if a trustID account has been created beforehand according to the procedure outlined by Ofac and trustID. This step particularly allows for the identity of the user to be verified and guarantees maximum security.
4. Mobile applications via trustID
4.1. General Information
Users will ensure they always download and install mobile applications from official download sites, such as the App Store or Google Play Store, and ensure that the publishers seem legitimate and serious (email address related to the application, coherent and comprehensible answers to questions, regular updates, ...).
Users will perform regular mobile phone updates as well as regular application updates in order to decrease the risk of exploitation of security flaws by malicious people. It should be noted that automatic updates can be activated.
It is important to always lock a mobile phone when not in use.
In case of loss or theft of their mobile phone, users will contact trustID customer support.
Ofac will offer users certified trustID usernames, which provide strong two-factor authentication for logging on to the Abilis platform and CR Abilis.
The mobile trustID application is available for Android and Apple platforms. It can be downloaded from the Google Play Store or the Apple App Store. Links are available on the www.abilis.ch website.
The following access rights are requested by trustID during installation:
- iOS: Camera, Face ID, Notifications
- Android: Camera, Flashlight, Internet
4.3. Strong authentication
Secure access to certain sensitive resources requires strong authentication in addition to the user account and password.
Strong authentication combines two different types of authentication factor, for example:
- Something you know (password)
- Something you possess (smart card, mobile phone)
- Something you are (fingerprint)
- Something you do (calculation)
Users will log on using two means of authentication, which gives them secure access to the Abilis platform.
If the users have lost their strong authentication code, the only requirement is to restart the login procedure. A new strong authentication code will be sent to them.
If users have questions, if unusual messages appear or if they encounter problems, they will immediately interrupt the connection and inform customer support.
4.5. Modification/loss of password
If users wish to change their password, change their type of strong authentication or update their mobile phone number, they can access a dedicated self-service Web portal to update these details.
If users have lost their password, the “forgotten password” link on the login page will allow them to proceed with password recovery.