Norway’s national health network adopts banking-grade security standard OpenID FAPI 2.0

The Norwegian Health Network (NHN) has become the first national healthcare system to deploy the OpenID Foundation’s FAPI 2.0 security standard.
Through its new HelseID identity and access management platform, NHN now requires every hospital, clinic, pharmacy and municipal health service to adopt OpenID’s security standard. The OpenID Foundation’s FAPI 2 security standard underpins many of the world’s digital banking platforms.
“FAPI 2 has already delivered tangible security gains,” said Ragnhild Varmedal, CTO for HelseID. “Automated tests and a shared standard mean our vendors spend less time decoding proprietary specs and more time shipping secure, interoperable services to frontline clinicians.”
The shift replaces a patchwork of custom security solutions with a unified, open standard. Until recently, e-health projects in Norway relied on bespoke OAuth and OpenID Connect extensions, which forced vendors to juggle incompatible requirements.
NHN has replaced the patchwork with a mandatory FAPI 2 baseline, requiring all new APIs to comply immediately while existing services migrate according to a deprecation schedule. In addition, by aligning with FAPI 2.0, implementers can tap into a mature ecosystem of open source code providers.
Gail Hodges, Executive Director of the OpenID Foundation, said the move “underscores the profile’s maturity, scalability and real-world security value.” She added that NHN’s leadership shows that FAPI 2 can deliver tangible benefits well beyond open banking, finance and insurance, where it is already widely deployed.
The benefits include automated testing tools that enable NHN to assess 100 APIs and 1,800 client applications without increasing headcount. In parallel risk assessments, NHN recorded major reductions in both the likelihood and impact of token theft once cryptographic protections like Demonstration of Proof of Possession (DPoP) and other FAPI 2 measures were enabled.
In practical terms, a stolen token is now cryptographically useless, closing an attack path that once jeopardized patient confidentiality.
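What "cryptographically useless" means in DPoP terms, as an added example that is not NHN's or HelseID's code: the authorization server binds the access token to the client's public key by writing its RFC 7638 thumbprint into the token's cnf.jkt claim, and the resource server accepts a request only with a DPoP proof (RFC 9449) signed by the matching private key over this method, URL and token. The token is modelled here as an opaque string whose cnf.jkt the server has already obtained by validating it; the key pairs, URL and token value are constructed for the demonstration, and a jti replay cache is left out.

```go
package main
import ("crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/sha256"; "encoding/base64"; "encoding/json"; "errors"; "fmt"; "math/big"; "strings"; "time")
var b64 = base64.RawURLEncoding
// NewKey generates the client's DPoP key pair; the private half never leaves the client.
func NewKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
// jwkOf returns the public JWK members of a P-256 key (RFC 7517).
func jwkOf(pub *ecdsa.PublicKey) map[string]string {
	return map[string]string{"kty": "EC", "crv": "P-256", "x": b64.EncodeToString(pub.X.FillBytes(make([]byte, 32))), "y": b64.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))}
}
// Thumbprint is the RFC 7638 JWK thumbprint (encoding/json sorts map keys, giving the canonical crv,kty,x,y order); the AS puts it in the token's cnf.jkt claim.
func Thumbprint(jwk map[string]string) string {
	canon, _ := json.Marshal(map[string]string{"crv": jwk["crv"], "kty": jwk["kty"], "x": jwk["x"], "y": jwk["y"]})
	h := sha256.Sum256(canon); return b64.EncodeToString(h[:])
}
// NewProof is the client side: an ES256 DPoP proof JWT (RFC 9449) over the HTTP method, URL and token hash (ath).
func NewProof(key *ecdsa.PrivateKey, method, url, token string) (string, error) {
	hdr, _ := json.Marshal(map[string]interface{}{"typ": "dpop+jwt", "alg": "ES256", "jwk": jwkOf(&key.PublicKey)})
	ath, jti := sha256.Sum256([]byte(token)), make([]byte, 16)
	rand.Read(jti) // fresh random jti per proof so a server can reject replays
	pl, _ := json.Marshal(map[string]interface{}{"jti": b64.EncodeToString(jti), "htm": method, "htu": url, "iat": time.Now().Unix(), "ath": b64.EncodeToString(ath[:])})
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	d := sha256.Sum256([]byte(signing))
	r, s, err := ecdsa.Sign(rand.Reader, key, d[:]) // JWS ES256 signature is the fixed-width r||s pair
	if err != nil { return "", err }
	return signing + "." + b64.EncodeToString(append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)), nil
}
// VerifyProof is the resource-server side; jkt is cnf.jkt from the already-validated access token. Whoever presents the token without the bound private key fails here.
func VerifyProof(proof, method, url, token, jkt string) error {
	parts := strings.Split(proof, "."); if len(parts) != 3 { return errors.New("malformed proof") }
	var hdr struct{ Typ, Alg string; Jwk map[string]string }
	var pl struct{ Htm, Htu, Ath string; Iat int64 }
	hb, _ := b64.DecodeString(parts[0]); pb, _ := b64.DecodeString(parts[1]); sig, _ := b64.DecodeString(parts[2])
	if json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(pb, &pl) != nil || len(sig) != 64 { return errors.New("malformed proof") }
	if hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.Jwk["kty"] != "EC" || hdr.Jwk["crv"] != "P-256" { return errors.New("unsupported proof header") }
	if Thumbprint(hdr.Jwk) != jkt { return errors.New("proof key does not match token cnf.jkt") } // the sender-constraint check
	if ath := sha256.Sum256([]byte(token)); pl.Htm != method || pl.Htu != url || pl.Ath != b64.EncodeToString(ath[:]) { return errors.New("proof not bound to this request") }
	if age := time.Now().Unix() - pl.Iat; age < -60 || age > 60 { return errors.New("proof iat outside acceptance window") }
	x, _ := b64.DecodeString(hdr.Jwk["x"]); y, _ := b64.DecodeString(hdr.Jwk["y"])
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	d := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // the proof key must also have produced the signature
	if !ecdsa.Verify(pub, d[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) { return errors.New("bad proof signature") }
	return nil
}
func main() {
	owner, thief, url, token := NewKey(), NewKey(), "https://api.example.test/journal", "constructed-opaque-access-token"
	jkt := Thumbprint(jwkOf(&owner.PublicKey)) // what the AS would have written into the token's cnf.jkt
	ownerProof, _ := NewProof(owner, "GET", url, token); thiefProof, _ := NewProof(thief, "GET", url, token) // same stolen token, attacker's own key
	fmt.Println("owner accepted:", VerifyProof(ownerProof, "GET", url, token, jkt) == nil, "| stolen token accepted:", VerifyProof(thiefProof, "GET", url, token, jkt) == nil)
}
```

The replayed token fails at the thumbprint comparison before any signature work, which is the property the risk assessments above credit to DPoP.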
NHN collaborates with international partners, including the Brazilian banking sector and public sector agencies, to share best practices. A late-2024 incident response exercise, triggered by a theoretical DPoP vulnerability discovered by OpenID Foundation researchers, helped show NHN’s ability to coordinate rapid, ecosystem-wide fixes and underlines the value of an agile, unified community in protecting sensitive data.
NHN – a state-owned service provider under Norway’s Ministry of Health and Care Services – has become the OpenID Foundation’s newest member. Its experience suggests a four-step blueprint for other industries: adopt a robust, open standard for the security profile; mandate a phased but uncompromising rollout; automate conformance from day one and maintain real-time testing; and measure security outcomes to maintain executive support.
“The future of safe, seamless exchange of digital health data depends on interoperable, open standards,” Gail said. “We stand ready to help regulators, vendors and public bodies worldwide to learn from and follow Norway’s example.”