Unlocking the potential of NHS smart cards

The introduction of modern information technology is at the heart of the Government’s Modernisation Plan for the NHS. The new NHS Care Records Service (NHS CRS) has been designed to support patient confidentiality and to restrict access only to those who need to see parts of the records in order to provide the relevant necessary care. However, the viability and usability of the NHS CRS smartcards1 that are used to control access to this new service, have been the cause of much controversy to date.

Concerns raised
Connecting for Health’s policy of requiring doctors to repeatedly login with a smart card every time they use a computer system was described earlier this year as “preposterous” by the chairman of the British Medical Association.  Although this statement seems to be apposed to the standards laid out in the NHS Confidentiality Code of Practice, readers will recognise the conflict between efficient and compliant working practices.   

Further concerns were raised when South Warwickshire General Hospitals NHS Trust confirmed that its board had agreed that clinicians working in part of its A&E Department could share smartcards to access patient records.  The Trust passed the policy after deciding that the lengthy login times, averaging 60-90 seconds, it took staff to log on to the hospital’s new patient administration system (PAS) every time they used it, was not acceptable in a busy A&E environment.   

Long login and logout times, experienced when staff change users on a shared workstation, are a prominent issue across Trusts, with many complaining of the resulting impact on clinical efficiencies. As a result, many staff remain logged in to allow other users to gain quick access to workstations.   

Such practices can have a dramatic impact on the accountability of employees in the event of malpractice. The sharing of smartcards arguably increases with the possibility of innocent employees being punished for the negligence or misconduct of a colleague, because it creates complications in the auditing process.   

“If the smartcards issued can only be used for a limited number of (national) applications, and are found to be problematic because of operational issues, users will perceive their value to be limited. Against this backdrop, NHS Trusts are keen to realise the benefits that smartcards offer. In order to do this, they need to be able to integrate them with all of their existing applications; this is where Single Sign on is key,” explains Mike Nelsey, managing director for Identity and Access Management experts Enline.

Implementing the right solution
Mayday Healthcare NHS Trust, which provides hospital based health services to around 330,000 people in and around Croydon, recently enlisted the help of Enline to implement a strategic Identity and Access Management solution in order to integrate the smartcards with its applications. By implementing Imprivata Inc.’s OneSign Single Sign On solution, Mayday’s 2,000 users can now sign on to all applications using one smartcard and pin number, thus improving clinical efficiency, security and accountability.  

 With the new Single Sign-On (SSO) solution, staff can log on and off, gaining access to all applications, simply by inserting and removing their cards. The changeover period between sessions on designated shared workstations, when one user logs off and another one logs on, has been significantly reduced.   

Tony Kaye, Mayday Healthcare NHS Trust IT services manager explains: “With the Single
Sign-On, our staff can focus on doing their jobs, rather than wasting precious time having to remember streams of passwords to gain access to core applications. The new access management system will enable us to improve clinical efficiencies and the quality and speed of our auditing as well as dramatically reducing password-reset related helpdesk calls, and their associated costs.”   

By implementing an effective strategic Identity and Access Management (IAM) solution, NHS Trusts can unlock the potential of their smartcards by integrating all their applications. In the future staff will be able to gain access to all applications via the swipe of one smartcard and simple input of a pin number. As such, the period of inactivity between logins on shared terminals is significantly reduced.

Benefit when you need it
Issues of audit, accountability and security may only be perceived as secondary to efficiently working until a time when an incident such as a criminal or internal inquiry raises them up the agenda. This is why the effective and efficient use of smartcards with SSO provides the dual benefit of increased efficiency with accountability, security and compliance – for instance with the NHS Confidentiality Code of Practice.

Efficiencies without costs
The increased clinical efficiencies achieved through the effective use of the smartcards also come without cost to the accountability of employees. As smartcards do not need to be shared by staff to maintain these efficiencies, auditors can ascertain the offender of any misconduct without disrupting other members of staff using the terminal.   

The benefits of an effective IAM strategy are immediate and substantial. IT management, support and infrastructure costs can be hugely reduced, freeing up resources to address critical issues, and employees can perform their jobs quicker and more securely because of innovations in working practices and improved end-user efficiencies.   

Single Sign On eliminates the need for employees to memorise numerous passwords. Access to key applications can be gained via one smartcard and pin number, just like a bank card.   

Mike Nelsey continues: “Many Trusts are confused by the smartcards issued to them by the Department of Health, because they do not have the knowledge to realise the potential benefits. By taking into consideration each individual Trust’s needs and issues our solutions add value to the cards and encourage users to adopt them. This also ties in with the  e-Government Unit’s re-use philosophy regarding national projects.”

Integrating multiple identities
NHS Trust employees often have a large number of physical and logical identities: a code to enter the building, an ID badge, and more than likely, several usernames and passwords to gain access to applications or data. When correctly implemented, smartcard technologies can integrate these multiple identities so that organisations can automatically link processes, achieving a faster, more dynamic method of working.   

An effective IAM solution can therefore improve clinical efficiency and increase patient throughput, whilst providing secure and compliant access to patient information.   

The potential for these smartcards is huge. Moving forward, as the technology allows, their application could be extended beyond traditional IT areas to door access, car park entry, or even cashless vending. Security could be increased, by combining physical and logical access using the same smartcards, as an employee may only gain network access or access to special zones if they have signed into the building using their swipe card. Similarly, if an employee has signed into the building it will not be possible for anyone to remotely access the network using their username.

Summary
A well implemented identity and access solution can maximise the potential of the smartcards, and could finally alleviate the NHS’ difficult conflict between security, staff efficiency and best practice. By implementing SSO, NHS Trusts can significantly tighten security, simplify the password process and give users faster access to patient information, delivering substantial clinical and operational efficiency savings.

Notes
1 The NHS CRS and related National Programme for IT (NPfIT) services like Choose and Book and the Electronic Prescription Service use a common approach to protect the security and confidentiality of every patient’s personal and health care details.   

Organisations that need to access patient information within the NHS CRS and other National Programmes are verified by Registration Authority and then issued with an NHS CRS Smartcard. Individuals use their NHS CRS Smartcard and their Smartcard Passcode each time they log on.   

These smartcards grant individual access to patient information based on their work and level of involvement in patient care. This means that a doctor’s receptionist for example, may only see the information needed to process an appointment, not the full clinical record. Each time someone accesses a patient’s record, it will be recorded and patients can formally request to see this information.