Personal data in CGM LIFE is associated with users. CGM LIFE supports three kinds of users (also called participants), each of which accesses medical data in CGM LIFE with a different role:
- Patients are individuals who own medical data stored in CGM LIFE. If you develop a consumer app, your app logs in to CGM LIFE with the participant type “patient”.
- Institutions are organizational entities that connect to CGM LIFE in order to communicate with patients and/or exchange data with them. Institutions include, for example, medical practices, hospitals, and pharmacies.
- Health Care Professionals (HCPs) are individuals (e.g. a doctor or a pharmacist) who connect to CGM LIFE in order to communicate personally with patients and/or with other HCPs and institutions.
Each user who wants to connect to CGM LIFE must first register for an account. During registration, each user is assigned a globally unique user id (the CGM UID) and a set of credentials that can be used to authenticate (log in) to CGM LIFE. The CGM LIFE Client SDK provides methods to integrate CGM LIFE login into your application, while the CGM LIFE Account App provides registration components that you can use to integrate CGM LIFE registration into your application.
Public Key Infrastructure
The security infrastructure of CGM LIFE is based on a public key infrastructure (PKI). During registration, a user obtains a set of credentials.
Credentials are used for the following purposes in CGM LIFE:
- Authenticating the user during login
- Encrypting data for other users (confidentiality)
- Digital signature of data (integrity)
Every user has several Working Credentials (“WC”) and exactly one Root Credential (“RC”):
- The working credentials are used to authenticate the user and to issue digital signatures. A user who loses all of his working credentials can therefore no longer log in to the system.
- Each working credential gives access to the root credential, which is used for all encryption/decryption operations. This ensures that a user can decrypt his own data no matter which working credential he uses during login. Conversely, the root credential is reachable only through a working credential, so losing all working credentials also means losing access to the encrypted data.
While the root credential is always a high-entropy cryptographic software certificate, the working credentials can be of different types. CGM LIFE currently supports:
- CGM LIFE KEY (Email + Password)
- CGM LIFE SuperPIN (similar to the PUK on your mobile phone, in case you forgot the PIN)
- One-time access tokens (TAN)
- Software Certificates
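The following is an added illustration of the credential hierarchy described above (one root credential, several working credentials that each unlock it); it is not CGM LIFE or SDK code, and the blob layout, KDF parameters, credential names and the one-time-use handling of a TAN are assumptions made for the example. It uses only the Python standard library: low-entropy working credentials (password, SuperPIN) are stretched with scrypt before they wrap the root key, the wrapping is HMAC-SHA256 in counter mode plus an HMAC tag (encrypt-then-MAC) as a stand-in for AES-GCM or AES key wrap, and the server-side account holds only wrapped copies of the root key, never the root key itself.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Added example: models "each working credential gives access to the root
# credential". Not CGM LIFE code; formats and parameters are assumptions.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # ~16 MiB per derivation


def derive_kek(secret: bytes, salt: bytes) -> bytes:
    """Stretch a working-credential secret into a 32-byte key-encryption key.
    Passwords and PINs are low entropy, so a memory-hard KDF is mandatory."""
    return hashlib.scrypt(secret, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                          p=SCRYPT_P, dklen=32)


def _stream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream: HMAC-SHA256 over (nonce || counter). Fresh nonce per wrap."""
    blocks = (length + 31) // 32
    out = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                   for i in range(blocks))
    return out[:length]


def _subkeys(kek: bytes) -> Tuple[bytes, bytes]:
    """Separate encryption and MAC keys derived from one KEK."""
    return (hmac.new(kek, b"enc", hashlib.sha256).digest(),
            hmac.new(kek, b"mac", hashlib.sha256).digest())


def wrap_root(kek: bytes, root_key: bytes) -> Dict[str, bytes]:
    """Encrypt-then-MAC the root key under a working credential's KEK."""
    enc_key, mac_key = _subkeys(kek)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(root_key, _stream(enc_key, nonce, len(root_key))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def unwrap_root(kek: bytes, blob: Dict[str, bytes]) -> Optional[bytes]:
    """Return the root key, or None if the credential does not authenticate."""
    enc_key, mac_key = _subkeys(kek)
    tag = hmac.new(mac_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None  # wrong secret: tag check fails, nothing is decrypted
    return bytes(a ^ b for a, b in
                 zip(blob["ct"], _stream(enc_key, blob["nonce"], len(blob["ct"]))))


class Account:
    """Server-side view: only wrapped copies of the root key are stored."""

    def __init__(self) -> None:
        self._wc: Dict[str, dict] = {}  # working credential name -> wrapped RC

    @classmethod
    def create(cls) -> Tuple["Account", bytes]:
        # The root credential is generated client-side during registration and
        # returned to the caller; the account object never keeps it in clear.
        return cls(), os.urandom(32)

    def add_working_credential(self, root_key: bytes, name: str,
                               secret: bytes, one_time: bool = False) -> None:
        # Adding a WC requires the root key, i.e. an already logged-in session.
        salt = os.urandom(16)
        blob = wrap_root(derive_kek(secret, salt), root_key)
        self._wc[name] = {"salt": salt, "blob": blob, "one_time": one_time}

    def revoke(self, name: str) -> None:
        self._wc.pop(name, None)

    def login(self, name: str, secret: bytes) -> Optional[bytes]:
        """Authenticate with one WC; on success the caller obtains the RC."""
        entry = self._wc.get(name)
        if entry is None:
            return None
        root = unwrap_root(derive_kek(secret, entry["salt"]), entry["blob"])
        if root is not None and entry["one_time"]:
            self.revoke(name)  # assumption: a TAN is consumed on first use
        return root


def demo() -> dict:
    """Enrol three working credentials (constructed sample secrets) and exercise them."""
    acct, root = Account.create()
    acct.add_working_credential(root, "life-key", b"correct horse battery staple")
    acct.add_working_credential(root, "superpin", b"48213-77190")
    acct.add_working_credential(root, "tan-1", b"9f3c2a", one_time=True)
    out = {
        "password_ok": acct.login("life-key", b"correct horse battery staple") == root,
        "wrong_password": acct.login("life-key", b"wrong password"),
        "superpin_ok": acct.login("superpin", b"48213-77190") == root,
        "tan_first_use": acct.login("tan-1", b"9f3c2a") == root,
        "tan_second_use": acct.login("tan-1", b"9f3c2a"),
    }
    acct.revoke("life-key")
    acct.revoke("superpin")
    out["after_losing_all_wc"] = acct.login("life-key", b"correct horse battery staple")
    return out


if __name__ == "__main__":
    print(demo())
```

The design point is in `Account`: the server stores one wrapped copy of the root key per working credential and can hand out the root key only to a caller who presents one of them. Any one of the LIFE KEY, SuperPIN or TAN recovers the same root key, which is why the page's "log in with any working credential and still decrypt your own data" holds; and once every wrapped copy is revoked, `login` returns `None` for good, which is the loss-of-all-working-credentials case the page warns about. The real system wraps to a software certificate's public key rather than to a symmetric KEK, so treat the wrapping primitive here as illustrative.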