
Norway adopts FAPI 2.0 to secure national healthcare data
Norway has mandated the use of the FAPI 2.0 security protocol across its entire national healthcare network.
The Norwegian Health Network (NHN), responsible for digital infrastructure in the country's health and care sector, now requires every hospital, clinic, pharmacy, and municipal health service to adopt FAPI 2.0, a security profile widely implemented by digital banking ecosystems globally. The deployment marks the first time FAPI 2.0 has been adopted at national scale in healthcare, according to the OpenID Foundation.
FAPI 2.0, or Financial-grade API version 2.0, is recognised as a security benchmark in financial services, particularly in banking. Its adoption by NHN is intended to bring the same level of security to patient data that banks use for digital transactions. Risk assessments performed by NHN suggest a significant reduction in the likelihood and impact of data breaches such as authentication token theft.
Gail Hodges, Executive Director of the OpenID Foundation, stated, "When a well-regarded, national healthcare network like NHN selects and deploys a security profile like FAPI 2.0 at national scale, it underscores the profile's maturity, scalability and real-world security value."
Hodges added, "NHN's thought leadership shows their public and private sector peers in the health community that the benefits of FAPI 2.0 can be realized by health ecosystems - not just in Open Banking, Open Finance, and Open Insurance where the FAPI protocols are widely deployed today."
Transition to a unified standard
Previously, Norway's e-health projects each constructed their own security specifications based on OAuth and OpenID Connect, requiring vendors to manage multiple, sometimes incompatible requirements. NHN's shift to a single, open standard through FAPI 2.0 compels all new application programming interfaces (APIs) to comply immediately, with phased migration for existing services.
The platform introduces automated conformance testing, which allows developers to receive immediate pass or fail results. This capability enables NHN to assess up to 100 APIs and 1,800 client applications efficiently, without the need to scale the security team.
By aligning with FAPI 2.0, NHN leverages a global ecosystem of open source code providers, self-certified vendors, and openly available test resources maintained by the OpenID Foundation community. These tools help to ensure consistent application of secure protocols while enabling prompt responses to emerging threats through established disclosure channels.
Measurable security outcomes
Risk assessments conducted by NHN highlight the effectiveness of FAPI 2.0 components, such as Demonstration of Proof of Possession (DPoP). These measures rendered stolen authentication tokens "cryptographically useless," removing a critical risk vector for patient data confidentiality.
"FAPI 2 has already delivered tangible security gains," noted Ragnhild Varmedal, CTO for HelseID. "Automated tests and a shared standard mean our vendors spend less time decoding proprietary specs and more time shipping secure, interoperable services to frontline clinicians."
NHN's experience indicates a drop in both the frequency and impact of token theft, according to those risk assessments.
Community collaboration
Community building and cross-sector knowledge sharing have formed a significant component of NHN's approach. Engagements with international stakeholders, such as Brazil's banking system, and other public sector entities, are designed to foster best practices and further reinforce security measures across industries.
In 2024, NHN participated in an incident response exercise following the identification of a theoretical DPoP vulnerability by OpenID Foundation researchers. The outcome, according to sources, confirmed the network's ability to coordinate rapid, ecosystem-wide response efforts, strengthening collective readiness for potential security issues.
Formalised partnership
NHN has formalised its long-standing collaboration with the OpenID Foundation by becoming a member of the organisation. The move comes as NHN continues to align public and private sector digital identity systems in Norway with international standards.
Sector-wide implications
The initiative by NHN has brought forward a replicable model for organisations outside of healthcare, according to the OpenID Foundation. It has highlighted four recommended criteria for broader adoption: selecting a robust, open security standard; mandatory phased implementation; automation of compliance testing from the outset; and ongoing measurement of security outcomes to ensure continued executive support.
Hodges explained, "The future of safe, seamless exchange of digital health data depends on interoperable, open standards. We stand ready to help regulators, vendors and public bodies worldwide to learn from and follow Norway's example."