In light of the need for Extramural Hospital Information System (HIS) access through mobile devices outside the hospital, this research analyzes situational information security threats, including the circumstances in which a mobile device may get lost and personal data may be stolen. Moreover, the system needs to be implemented in accordance with the regulations. Based on the security threat analysis, it is proposed to use a security control module to provide a security-enabled HIS proxy module, two-way authentication module, and One-Time Password (OTP). The sending module and cryptographic technology computing module with Micro SD encryption card form a set of HIS extension system, which includes the SMS OTP method to simultaneously verify the two-way authentication mechanism of a user and the device that the user owns.
Keywords: SMS OTP; dynamic account; encryption card; m-health; privacy protection; user authentication.