
Healthcare Data Protection

What the New Swiss Data Protection Act (nDSG) Means for Your Institution

Written by: Fabian Gubler

Blog post: Data protection in care and the nDSG

Why passwords are no longer enough, why 2FA is becoming mandatory, and how care institutions can make the transition without a major IT project.


Most care institutions in Switzerland have modernized their IT in recent years. Individual user accounts with updated software are now standard. But is that enough?

Since September 1, 2023, the new Swiss Data Protection Act (nDSG) has been in force. It significantly tightens requirements for protecting health data. And it introduces something that surprises many executive teams: personal liability for intentional violations, with fines of up to CHF 250,000.

In this article, you will learn:

  1. What the nDSG specifically means for care institutions

  2. Why conventional 2FA often fails in care settings

  3. Which hidden costs are incurred

  4. What a practical solution looks like

What has changed

The nDSG (Art. 8) requires "appropriate technical and organizational measures" to protect personal data. What is considered "appropriate" depends on risk. And this is where it becomes especially relevant for care institutions:

Health data is "particularly sensitive personal data" (Art. 5 lit. c nDSG). Patient records, care documentation, medication plans. All of this is subject to the highest protection level. Accordingly, the requirements for your security measures are stricter than in other industries.

In the event of an intentional breach of these obligations, a fine of up to CHF 250,000 may be imposed on the responsible natural person (Art. 61 nDSG). This could be the facility director, the IT manager, or a member of executive management.

Passwords are no longer enough: the new standard

The central question is: Does your current authentication meet the "state of the art"?

The Data Protection Ordinance (DSV) states in Art. 3: "Technical and organizational measures must, in particular, be appropriate to the state of the art [...]." Access to personal data must be individually traceable. Individual passwords with trained staff generally meet this requirement. But the state of the art has evolved:

  • The EPDG (Federal Act on the Electronic Patient Record) already requires two-factor authentication for access to patient records. If the national standard for patient data mandates 2FA, it becomes increasingly difficult to argue that password-only is sufficient for other systems containing the same data.

  • ISO 27001:2022 (Annex A, control 8.5) requires secure authentication technologies and procedures, chosen on the basis of the access control policy and a risk assessment. For particularly sensitive data such as health data, that assessment points to multi-factor authentication.

  • ISO 27799, the healthcare-specific standard, requires strong authentication for all users accessing health information.

  • The BSI (German Federal Office for Information Security) explicitly recommends multi-factor authentication for handling sensitive data in its IT Baseline Protection Compendium (ORP.4).

The direction is clear: Two-factor authentication is becoming the standard in healthcare. Many care institutions are aware of this, but struggle with implementation.

Important to know: Two-factor authentication does not necessarily mean a smartphone app like Microsoft Authenticator. There are solutions specifically designed for day-to-day care operations that work without personal devices. More on this below.

The hidden costs no one calculates

Beyond compliance, there is a second problem that is often overlooked: the operational cost of current access management.

In Switzerland, around 1,565 care institutions operate more than 100,000 beds, in addition to over 1,500 Spitex organizations (FSO/SOMED 2022, FSO Spitex Statistics 2022). More than 155,000 people work in long-term care. In most of these organizations, door access, PC login, and time tracking are three separate systems.

Each with its own administration, its own processes, and its own costs. In most of them, reality on care wards is the same:

Staff turnover: the invisible time drain

What happens when a new employee starts?

  • Order and issue keys or badge

  • Set up IT account, assign password

  • Set permissions across different systems

  • Create account for time tracking

  • Training on the different systems

This takes time. Depending on the number of systems and the level of automation, setting up all access rights can take 60–90 minutes or more. Per person.

And not just for IT: new employees also spend onboarding time on system access instead of patient care.

The same happens in reverse when someone leaves. Collect keys and badges (are all returned?), lock accounts, revoke permissions, deactivate badge. This often does not happen immediately—sometimes it is forgotten, sometimes delayed for weeks.

Turnover as a cost multiplier

These costs would be manageable if employees stayed for years. In reality, annual turnover in Swiss long-term care is around 15 to 25 percent according to industry surveys, and significantly higher in some institutions (OBSAN, ARTISET). In an institution with 100 employees, that means 15 to 25 complete onboarding and offboarding cycles per year.

In addition, there is a growing share of temporary staff who also need keys, logins, and access rights. Often under time pressure, often set up incompletely.

Guest access and external service providers

Doctors, therapists, Spitex staff, cleaning personnel, technical service providers: they all need temporary access. Every single one creates administrative effort. In most institutions, there is no standardized process for this. The result: improvised workarounds, shared access credentials, and open security gaps.

"That is how we have always done it" is a statement heard in many institutions. But since September 2023, that is no longer an argument.

Why introducing 2FA is so difficult

The problem is well known. The solution seems obvious: introduce two-factor authentication. But this is exactly where many care institutions fail.

Conventional 2FA was designed for office workplaces: SMS codes, authenticator apps, push notifications. All these methods assume employees have a smartphone at hand and work at the same desk. In care institutions, this does not hold.

Personal smartphones at work. Many institutions prohibit personal mobile phones during working hours, for good reasons: hygiene, distraction, professionalism. And even where they are allowed, employees may refuse to use a private device for work, or struggle to set up and keep secure an authenticator app on it. SMS codes, the one option that needs no app, are also the weakest of the three, since they can be intercepted or redirected by a SIM swap.

Shift changes under time pressure. During shift handovers, many employees log in to ward computers within a short period. In a typical care institution with 80 to 100 beds, between 10 and 25 people work simultaneously depending on the shift (FSO/SOMED). Every additional second per login adds up. In care operations, every minute counts.

High turnover. Install an app, set up an account, provide training for every new person? That is not manageable for an IT department often staffed with only 0.5 to 1 full-time equivalent.

User-friendliness. Nursing professionals are experts in care, not IT. Authenticator apps, backup codes, and token registrations create uncertainty and helpdesk calls.

The irony: A poorly chosen 2FA solution can make the situation worse if employees resort to workarounds out of frustration or the IT department becomes overloaded.

One card for everything: 2FA without friction

There is an approach that meets the 2FA requirement while simplifying day-to-day operations: the physical employee card.

The principle: each employee receives a personal NFC card. This single card replaces separate passwords, keys, and badges in one medium.

How it works:

  • Door access: Hold the card to the reader, door opens. No more keys.

  • PC login: Hold the card to the reader at the computer (plus a short PIN where the policy requires it), session starts. A few seconds instead of typing a password.

  • Time tracking: Register card when entering and leaving the institution. Automatically.

  • Shift handover: The new person presents their card, the previous session is automatically locked. Seamless.

Why this is 2FA-compliant: The card is the possession factor (something you have). On its own, that is one factor. The second comes from something only the employee knows or is: typically a short PIN entered at the reader (something you know), or a biometric at particularly sensitive access points (something you are). Card plus PIN is genuine two-factor authentication and aligns with the state of the art. An SMS code to a bound device would also count as a second factor, but it reintroduces the smartphone this approach is meant to avoid. Two points to check with a supplier: the card should authenticate cryptographically, by answering a challenge with a key stored on the chip, rather than by its serial number (UID) alone, because a UID can be read and copied with inexpensive hardware; and the PIN should be verified by the card or the central system, not cached in the reader.

The major advantages:

Onboarding and offboarding. New employee? Activate card. Door access, PC login, and time tracking are all set up at once. Employee leaving? Block card. Everything is deactivated at once. Instead of one hour of administrative effort: configured in just a few clicks, directly tailored to the employee and their access rights. The prerequisite is that every reader and login agent validates against the central system, or receives revocation updates promptly: a door controller working from a locally cached list of cards keeps admitting a blocked card until it syncs.

Usability. Everyone understands a card, and it is immediately usable. For PC login, a reader costs only a few dozen francs. Most tablets and smartphones already have an integrated NFC reader.

Temporary staff and guests. Issue a temporary card with defined permissions and a validity period. Automatically deactivated after expiry.
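To make the mechanics above concrete, here is an added illustration of the backend logic such a card system needs; it is not INOXO's code, and every card UID, PIN, key, resource name and reader name in it is constructed test data. It shows the card verified by challenge-response (a copied UID without the on-card key fails), the PIN as the independent second factor, one central record that drives activation, blocking and the validity window for doors, PCs and time clocks alike, and an audit record for every decision, granted or not. The HMAC response stands in for what a cryptographic card computes on-chip.

```python
"""Card + PIN access decisions with central revocation and an audit trail.
Added illustration (not INOXO's code); all identifiers are constructed test data."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Card:
    uid: str
    key: bytes              # per-card secret; on a real card it never leaves the chip
    pin_salt: bytes
    pin_hash: bytes
    permissions: set        # e.g. {"door:ward2", "pc:ward2", "time:main"}
    valid_from: datetime
    valid_until: datetime
    blocked: bool = False


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Slow salted hash so a leaked backend table does not reveal PINs."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def card_respond(card_key: bytes, nonce: bytes) -> bytes:
    """What the card computes on-chip for a challenge (simulated here with HMAC)."""
    return hmac.new(card_key, nonce, hashlib.sha256).digest()


class AccessBackend:
    """Single authority consulted by door readers, PC login agents and time clocks."""

    def __init__(self):
        self.cards = {}         # uid -> Card
        self.pending = set()    # challenges issued and not yet answered
        self.audit = []         # one record per decision, granted or not

    def enroll(self, uid, pin, permissions, valid_from, valid_until):
        """Onboarding: one record drives every system the card is used on."""
        salt = secrets.token_bytes(16)
        card = Card(uid, secrets.token_bytes(32), salt, hash_pin(pin, salt),
                    set(permissions), valid_from, valid_until)
        self.cards[uid] = card
        return card

    def block(self, uid):
        """Offboarding: one flag revokes door, PC and time-clock use at once."""
        self.cards[uid].blocked = True

    def challenge(self):
        """The reader fetches a fresh nonce before it talks to the card."""
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def authorize(self, uid, nonce, response, pin, resource, reader, now):
        """Return (granted, reason) and write an audit record either way."""
        card = self.cards.get(uid)
        if nonce not in self.pending:
            reason = "challenge not issued or already used"
        elif card is None:
            reason = "unknown card"
        elif card.blocked:
            reason = "card blocked"
        elif not card.valid_from <= now < card.valid_until:
            reason = "outside validity period"
        elif not hmac.compare_digest(response, card_respond(card.key, nonce)):
            reason = "card authentication failed"     # a copied UID lands here
        elif not hmac.compare_digest(hash_pin(pin, card.pin_salt), card.pin_hash):
            reason = "wrong PIN"
        elif resource not in card.permissions:
            reason = "no permission for resource"
        else:
            reason = "ok"
        self.pending.discard(nonce)                   # every nonce is single-use
        self.audit.append({"time": now.isoformat(), "uid": uid, "reader": reader,
                           "resource": resource, "granted": reason == "ok",
                           "reason": reason})
        return reason == "ok", reason


def demo():
    """Onboarding, a shift-start login, a copied UID, an expired temp card, offboarding."""
    backend = AccessBackend()
    t0 = datetime(2025, 3, 3, 6, 55, tzinfo=timezone.utc)
    nurse = backend.enroll("04A1B2C3D4", "4711", ["door:ward2", "pc:ward2", "time:main"],
                           t0, t0 + timedelta(days=365))
    locum = backend.enroll("0499887766", "1234", ["door:ward2"], t0, t0 + timedelta(hours=8))

    def attempt(uid, key, pin, resource, reader, when):
        n = backend.challenge()
        return backend.authorize(uid, n, card_respond(key, n), pin, resource, reader, when)

    results = [
        attempt(nurse.uid, nurse.key, "4711", "pc:ward2", "pc-w2-01", t0),
        attempt(nurse.uid, b"cloned-uid-without-key", "4711", "door:ward2", "door-w2", t0),
        attempt(locum.uid, locum.key, "1234", "door:ward2", "door-w2", t0 + timedelta(hours=9)),
    ]
    backend.block(nurse.uid)                          # employee leaves the institution
    results.append(attempt(nurse.uid, nurse.key, "4711", "door:ward2", "door-w2",
                           t0 + timedelta(days=1)))
    return results, backend.audit


if __name__ == "__main__":
    for granted, reason in demo()[0]:
        print("GRANTED" if granted else "DENIED ", reason)
```

The order of checks matters: the nonce is consumed whatever the outcome, so a captured response cannot be replayed, and the UID alone never grants anything, because the response is recomputed with the key the backend holds for that card. A reader that merely compares the UID against a list would pass the second attempt in demo(); this one records it as "card authentication failed".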

Why this works for care

  • No smartphone required

  • No app, no one-time codes to type, and practically no training

  • Contactless and hygienic (works with gloves)

  • Integrated into existing infrastructure

  • Complete audit trail: who opened which door when, who used which computer

Summary

1. The nDSG tightens requirements. Health data is subject to the highest protection level. Responsible persons are personally liable for intentional violations, with fines of up to CHF 250,000.

2. Password-only is no longer considered sufficient. The state of the art is clearly moving toward two-factor authentication. The EPDG, ISO 27001, and ISO 27799 define the benchmark.

3. The hidden costs of access management are significant. Separate systems for door access, login, and time tracking create IT overhead that multiplies as turnover rises.

4. Practical solutions exist. A physical employee card combines security, compliance, and efficiency. Without smartphones, without complex IT projects, without lengthy implementation effort.

Contact us

Let’s talk. Contact us and we will be happy to help.


Portrait photo of co-founder Fabian Gubler

Fabian Gubler

Book a meeting directly

In a brief conversation, we’ll show you how a centralized employee card can streamline your access management.



Securing the Frontline


Copyright © 2026 INOXO. All rights reserved.
