Enhancing Health Data Security and Access Management: A Guide to Integrating DHIS2 with Keycloak

This abstract has been accepted at the 2024 DHIS2 Annual Conference


Over the last few years the nature of the data collected in DHIS2 has become more sensitive. Increasingly, a DHIS2 database contains a significant amount of personally identifiable information (PII) or personal data. At the same time, many DHIS2 implementations around the world deploy several DHIS2 instances for different purposes (e.g. separate aggregate and Tracker instances, or a dedicated instance for very sensitive data such as HIV status). In this context, identity and access management (IAM) systems can play an important role in these implementations. IAM systems provide robust security features, including multi-factor authentication, password policies, and encryption. DHIS2, for its part, supports login through OpenID Connect (OIDC), which is built on top of the OAuth 2.0 authorization framework, so it can be integrated with any standards-compliant identity provider. Integrating DHIS2 with an IAM system can enhance overall security, protecting sensitive health data from unauthorised access and helping to meet the privacy regulations that Ministries of Health (MoH) increasingly require.

Some of the potential benefits of this integration are:

Single Sign-On and Single Logout: users log in (and log out) once and access multiple DHIS2 instances without repeated authentication. This improves the user experience and also reduces the risk that comes with managing multiple passwords.

Centralised user management: user onboarding, offboarding and updates are handled in one place, so access rights and permissions are assigned consistently and accurately across instances.

Role Based Access Control (RBAC): integrating DHIS2 with an IAM system allows organisations to define roles and permissions more effectively.

User accountability: integrating DHIS2 with an IAM system provides a comprehensive view of user activities and of the changes made to the system.
Keycloak is one of the most widely used open source IAM systems supporting OAuth 2.0 and OpenID Connect, and it can be deployed on premises. Solidlines gives support and advice to several organisations managing many different DHIS2 instances, and we recommend Keycloak especially for contexts where several DHIS2 instances are running. We would like to share our experience with the community, highlighting why using IAM systems is relevant in this context. We plan to present a demo with DHIS2 and Keycloak to show the benefits of this integration, presenting at the same time the challenges we have found and, finally, some considerations about how DHIS2 and IAM systems could work together better.
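The DHIS2 side of the integration described above, as an added example that is not part of this abstract nor of the DHIS2 or Keycloak projects' own documentation: a dhis.conf fragment that registers a Keycloak realm as a generic OIDC provider. The hostnames, realm name, client id and secret are placeholders; the property names follow DHIS2's generic OIDC provider configuration, and the Keycloak client settings in the comments are assumptions about how the matching client would be set up in the realm.

```properties
# dhis.conf (DHIS2 side). dhis2.example.org, keycloak.example.org, the realm
# "moh", the client id and the secret are placeholders, not real values.

# Turn on OIDC login; the login page shows a button per configured provider.
oidc.oauth2.login.enabled = on

# Where the browser lands after logout (used by DHIS2 and, when logout is
# propagated to Keycloak, registered there as a valid post-logout redirect URI).
oidc.logout.redirect_url = https://dhis2.example.org/dhis-web-commons/security/login.action

# One generic provider named "keycloak". With issuer_uri set, DHIS2 reads
# <issuer>/.well-known/openid-configuration and derives the authorization,
# token, userinfo, JWKS and end-session endpoints from it, so the individual
# *_uri properties are not needed.
# Keycloak 17+ serves realms at /realms/<realm>; older versions use /auth/realms/<realm>.
oidc.provider.keycloak.issuer_uri = https://keycloak.example.org/realms/moh

# Confidential client created in the realm (Client authentication ON,
# Standard flow ON). Its valid redirect URI must be the DHIS2 callback
# for this provider name: https://dhis2.example.org/oauth2/code/keycloak
oidc.provider.keycloak.client_id = dhis2-tracker
oidc.provider.keycloak.client_secret = <client-secret-from-keycloak>
oidc.provider.keycloak.display_alias = Sign in with MoH account

# Claim used to link the Keycloak identity to a DHIS2 user: DHIS2 looks up the
# user whose "OpenID" field equals this claim's value (default: email). The
# account must already exist in DHIS2; OIDC login authenticates, it does not
# provision users, and user roles and authorities stay assigned in DHIS2.
oidc.provider.keycloak.mapping_claim = email

# Propagate a DHIS2 logout to Keycloak so the SSO session is ended as well;
# otherwise the user is silently logged back in on the next visit.
oidc.provider.keycloak.enable_logout = true

# Authorization Code flow with PKCE (protects the code exchange).
oidc.provider.keycloak.enable_pkce = true
```

The same fragment, with a different provider name and client per instance but the same issuer_uri, is what gives several DHIS2 instances a shared login and logout: each instance is its own Keycloak client, while the user, the password policy and multi-factor authentication live once in the realm. One check worth doing on each instance is that the OpenID field of every account matches exactly the value of the mapping claim Keycloak emits (case and whitespace included), since an account without a match simply cannot log in through the provider.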

Primary Author: Daniel Castelao Suárez

Keywords: Identity and access management (IAM), Security, Single Sign-On, Authentication, Role Based Access Control (RBAC), Centralised user management