As digital ecosystems grow in scale and complexity, ensuring strong security measures becomes increasingly important. Within the COMFORTage project, an EU-funded initiative designed to support active and healthy ageing through digital innovation, we are placing a strategic emphasis on Identity and Access Management (IAM) as a critical component of our security architecture. IAM is not just a technical necessity; it’s fundamental for building trust, meeting governance requirements, and ensuring compliance, especially within distributed and cross-border eHealth platforms.
COMFORTage involves multiple stakeholders, including user groups, healthcare providers, elderly users, and different organizations, as well as numerous data flows, including sensitive medical and behavioral information. Like any advanced digital platform, COMFORTage faces common IAM challenges, such as managing user identities across multiple apps, enforcing specific role-based access, and enabling secure, scalable authentication. Our IAM strategy directly addresses these challenges with a multi-tiered, policy-driven approach built on best practices, standard protocols, and continuous improvement.
IAM as a Security Pillar
In COMFORTage, we treat identity management as the central security layer. Every user, device, and service interacting with the platform must first verify their identity and be appropriately authorized. IAM acts as both a security gatekeeper and a governance framework, ensuring that only the right users have access to the right resources under the right conditions.

Our IAM approach is guided by four core principles:
- Centralized Identity Governance: All user and service identities are managed centrally to enforce uniform policies and improve auditing.
- Role- and Attribute-Based Access Control: Access isn’t arbitrary but strictly based on defined roles and specific contexts.
- Federated Identity Support: Given the multi-country, multi-organization nature of COMFORTage, our IAM supports federated login via standards like SAML 2.0 and OpenID Connect.
- Least Privilege and Segregation of Duties: Users receive only the access necessary to perform their tasks, with administrative privileges clearly separated.
Architecture and Technology Stack
The core IAM services in COMFORTage are powered by Keycloak, an open-source identity and access management solution that supports enterprise-level requirements. This centralized IAM service supports all applications, from mobile health apps for elderly users to web dashboards accessed by healthcare providers.
In addition to the centralized instance, local Keycloak nodes are deployed in edge environments (e.g., local healthcare centers or regional data hubs) to ensure authentication continues even in the case of intermittent connectivity. These edge nodes are synchronized securely with the main system, ensuring reliable access even if temporarily offline.
We distinguish multiple domains within our security architecture:
- Core IAM Domain: Manages identities, roles, and policies.
- Application Domains: Each digital service (e.g., nutrition planner, exercise tracker) is assigned an application domain with specific role mappings and access rights.
- Edge Domains: Deployed by partners in different regions, these comply with core IAM policies but operate independently in case of disconnection.
Policy-Driven Identity Governance
Identity lifecycle management is governed by clearly defined procedures:
- Provisioning: All accounts – user, service, or privileged – are created based on formal requests, validated by domain administrators.
- Deprovisioning: Accounts inactive beyond a set period are automatically flagged and disabled.
- Just-In-Time Access: Temporary elevated access (e.g., for system maintenance or incident response) is allowed only through time-limited roles.
No local accounts are permitted within individual applications for user-facing roles; all authentication flows are routed through the central IAM service. Shared accounts are strongly discouraged and closely monitored.
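The three lifecycle procedures listed above are the kind of rules that move from "documented" to "enforced" once they are written as code. The following is an added example, not COMFORTage project code: a deprovisioning sweep that disables dormant user and privileged accounts (flagging service accounts for review instead), and just-in-time elevation that is always time-limited and tied to a ticket. The account fields, the 90-day inactivity period, the 8-hour cap on temporary grants and the role names are assumptions.

```python
# Added example (not COMFORTage project code): the lifecycle rules as
# executable checks.  The account fields, the 90-day inactivity period, the
# role names and the 8-hour cap on temporary roles are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set

INACTIVITY_LIMIT = timedelta(days=90)       # assumed "set period" for dormant accounts
MAX_TEMPORARY_GRANT = timedelta(hours=8)    # assumed upper bound for just-in-time roles
HOURS = timedelta(hours=1)
NOW = datetime(2025, 6, 1, 9, 0, tzinfo=timezone.utc)   # fixed clock for the example


@dataclass
class TemporaryRole:
    name: str
    granted_at: datetime
    expires_at: datetime
    ticket: str          # maintenance or incident reference that justified the grant


@dataclass
class Account:
    username: str
    kind: str            # "user", "service" or "privileged", as in the provisioning rule
    created_at: datetime
    enabled: bool = True
    last_login: Optional[datetime] = None
    roles: Set[str] = field(default_factory=set)
    temporary_roles: List[TemporaryRole] = field(default_factory=list)


def constructed_accounts() -> List[Account]:
    """Constructed sample data, not real project accounts."""
    return [
        Account("anna.k", "user", NOW - timedelta(days=400), last_login=NOW - timedelta(days=3), roles={"clinician"}),
        Account("bert.m", "user", NOW - timedelta(days=400), last_login=NOW - timedelta(days=120), roles={"clinician"}),
        Account("sync-edge-north", "service", NOW - timedelta(days=200), roles={"edge-sync"}),
        Account("ops.admin", "privileged", NOW - timedelta(days=30), last_login=NOW - timedelta(days=1), roles={"operator"}),
    ]


def deprovision_sweep(accounts: List[Account], now: datetime) -> dict:
    """Disable dormant user and privileged accounts; flag dormant service
    accounts for review instead, because a service may authenticate without an
    interactive login and a missing last_login is not proof of abandonment.
    Accounts that never logged in are measured from their creation date."""
    result = {"disabled": [], "flagged": []}
    for acct in accounts:
        if not acct.enabled:
            continue
        reference = acct.last_login or acct.created_at
        if now - reference <= INACTIVITY_LIMIT:
            continue
        if acct.kind == "service":
            result["flagged"].append(acct.username)
        else:
            acct.enabled = False
            result["disabled"].append(acct.username)
    return result


def grant_is_permitted(ticket: str, duration: timedelta) -> bool:
    """Elevation needs a justification and must fit inside the allowed window."""
    return bool(ticket) and timedelta(0) < duration <= MAX_TEMPORARY_GRANT


def grant_temporary_role(acct: Account, name: str, ticket: str, now: datetime,
                         duration: timedelta = 4 * HOURS) -> TemporaryRole:
    """Just-in-time elevation: always time-limited and always tied to a ticket."""
    if not grant_is_permitted(ticket, duration):
        raise ValueError("temporary grant rejected: missing ticket or window too long")
    role = TemporaryRole(name, now, now + duration, ticket)
    acct.temporary_roles.append(role)
    return role


def effective_roles(acct: Account, now: datetime) -> Set[str]:
    """Standing roles plus temporary roles whose window covers `now`; lapsed
    grants stop applying on their own, no revocation step is needed."""
    if not acct.enabled:
        return set()
    active = {r.name for r in acct.temporary_roles if r.granted_at <= now < r.expires_at}
    return set(acct.roles) | active


def expired_grants(acct: Account, now: datetime) -> List[TemporaryRole]:
    """Grants that have lapsed, kept for the audit trail of who held what and when."""
    return [r for r in acct.temporary_roles if r.expires_at <= now]
```

Because `effective_roles` is evaluated against the current time on every call, a temporary role disappears the moment its window closes even if nobody runs a cleanup job; the sweep and the grant both produce records that feed directly into the audit events discussed in the next section.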

Multi-Factor Authentication and Auditability
COMFORTage enforces multi-factor authentication (MFA) for all privileged accounts and recommends it to end-users, especially healthcare professionals. Supported methods include time-based one-time passwords (TOTP) and X.509 certificates issued by COMFORTage’s internal PKI infrastructure.
Audit logging is an essential aspect of our IAM framework. We log key events, including:
- Login attempts (successful/failed)
- Role changes and privilege escalations
- Creation and deactivation of accounts
- MFA issues and resets
Currently, these logs are periodically reviewed, but we’re introducing automation tools for quicker detection of anomalies and immediate alerting. Future developments will incorporate full SIEM/SOAR capabilities to provide real-time incident response and advanced analytics.
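The automation step described above, detecting anomalies in the logged events rather than reading them periodically, can start small. The following is an added example, not COMFORTage project code or a project tool: a handful of rules run over the four event kinds listed above. The events are constructed for the example and modelled on the shape of Keycloak's user events (`type`, `userId`, `ipAddress`, `error`) and admin events (`operationType`, `resourceType`, `resourcePath`, `authDetails`, `representation`); the thresholds and the set of privileged role names are assumptions.

```python
# Added example (not COMFORTage project code): anomaly rules over IAM audit
# events.  The events are constructed for the example and modelled on the
# shape of Keycloak's user events (type, userId, ipAddress, error) and admin
# events (operationType, resourceType, resourcePath, authDetails,
# representation); thresholds and privileged role names are assumptions.
import json
from collections import defaultdict, deque
from typing import Dict, List

PRIVILEGED_ROLES = {"realm-admin", "record_admin"}   # assumed high-impact roles
FAILED_LOGIN_THRESHOLD = 5                            # failures per source address ...
FAILED_LOGIN_WINDOW_MS = 5 * 60 * 1000                # ... within this window

T0 = 1_700_000_000_000  # epoch milliseconds, as Keycloak records event time


def constructed_events() -> List[Dict]:
    """Constructed sample stream, not real project logs."""
    events = [{"time": T0, "type": "LOGIN", "userId": "u-17", "ipAddress": "10.0.0.5", "clientId": "dashboard"}]
    # six failed logins for one account from one address, 10 s apart
    events += [{"time": T0 + 10_000 * i, "type": "LOGIN_ERROR", "userId": "u-23",
                "ipAddress": "198.51.100.7", "error": "invalid_user_credentials"} for i in range(1, 7)]
    events.append({"time": T0 + 200_000, "type": "REMOVE_TOTP", "userId": "u-23", "ipAddress": "198.51.100.7"})
    events.append({"time": T0 + 300_000, "operationType": "CREATE", "resourceType": "REALM_ROLE_MAPPING",
                   "resourcePath": "users/u-23/role-mappings/realm",
                   "authDetails": {"userId": "u-01", "ipAddress": "10.0.0.9"},
                   "representation": json.dumps([{"name": "realm-admin"}])})
    events.append({"time": T0 + 400_000, "operationType": "UPDATE", "resourceType": "USER",
                   "resourcePath": "users/u-44",
                   "authDetails": {"userId": "u-01", "ipAddress": "10.0.0.9"},
                   "representation": json.dumps({"username": "u-44", "enabled": False})})
    return events


def detect(events: List[Dict]) -> List[Dict]:
    """Run the rules in time order and return the alerts they raise."""
    alerts = []
    recent_failures = defaultdict(deque)   # source address -> failure timestamps in the window
    for ev in sorted(events, key=lambda e: e["time"]):
        t = ev["time"]
        if ev.get("type") == "LOGIN_ERROR":
            window = recent_failures[ev.get("ipAddress", "?")]
            window.append(t)
            while window and t - window[0] > FAILED_LOGIN_WINDOW_MS:
                window.popleft()
            if len(window) == FAILED_LOGIN_THRESHOLD:      # fire once, when the threshold is crossed
                alerts.append({"rule": "failed_login_burst", "ip": ev.get("ipAddress"), "time": t})
        elif ev.get("type") == "REMOVE_TOTP":
            # An MFA reset is a sensitive support action and belongs in the review queue
            alerts.append({"rule": "mfa_reset", "user": ev.get("userId"), "time": t})
        elif ev.get("resourceType") == "REALM_ROLE_MAPPING" and ev.get("operationType") == "CREATE":
            granted = {r.get("name") for r in json.loads(ev.get("representation") or "[]")}
            if granted & PRIVILEGED_ROLES:
                alerts.append({"rule": "privileged_role_granted", "target": ev["resourcePath"],
                               "roles": sorted(granted & PRIVILEGED_ROLES),
                               "by": ev["authDetails"]["userId"], "time": t})
        elif ev.get("resourceType") == "USER" and ev.get("operationType") == "UPDATE":
            rep = json.loads(ev.get("representation") or "{}")
            if rep.get("enabled") is False:
                alerts.append({"rule": "account_disabled", "target": ev["resourcePath"],
                               "by": ev["authDetails"]["userId"], "time": t})
    return alerts


def rule_counts(alerts: List[Dict]) -> Dict[str, int]:
    """Per-rule tally, the figure a daily review or a dashboard would show."""
    counts: Dict[str, int] = defaultdict(int)
    for a in alerts:
        counts[a["rule"]] += 1
    return dict(counts)
```

Two details carry over to a real deployment: the failed-login rule fires exactly once when the threshold is crossed, so a long burst produces one alert rather than one per attempt, and the privileged-role rule keys on the role name inside `representation` rather than on the bare event type, because most role-mapping changes are routine and only the high-impact ones deserve immediate alerting.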
Continuous Maturity and Roadmap
We recognize that IAM implementation is not a one-time effort. It evolves. For this reason, we define maturity levels in three stages:
- Level 1 – Basic Governance: Policies are defined; processes are partially manual.
- Level 2 – Policy Enforcement: Policies are implemented; processes are documented and repeatable.
- Level 3 – Full Automation: IAM is integrated with CI/CD pipelines; all identity and access processes are automated and monitored in real time.
Currently, COMFORTage primarily operates at Level 2, with automation gradually being introduced across user onboarding, role management, and log monitoring.
Safeguarding the Future of Digital Health
COMFORTage is more than just a digital solution designed to help older adults stay healthy and connected. It’s a model for what secure, reliable, and user-friendly digital healthcare ecosystems should look like. Identity and Access Management (IAM) isn’t just a technical detail we added at the end – it’s a core part of our platform, providing the essential trust, ease of use, and strength needed in today’s digital healthcare.
By making strong identity and access management practices central to COMFORTage, we protect personal information, empower healthcare providers to focus confidently on their roles, and ensure every user feels safe interacting within our digital environment.
**Article written by Ciprian Candea and Gabriela Candea, from Ropardo SRL, a key partner in the COMFORTage project.**