Spine allows information to be shared securely through national services such as the Electronic Prescription Service, Summary Care Record and the e-Referral Service.
NHS Digital develops and maintains Spine through the Digital Delivery Centre. Recent developments include enabling the sharing of child protection information via the Child Protection Information System, and developing ways to allow easier access to demographic data through the Spine Mini Service.
Third-party suppliers use the Message Implementation Manual (MIM) available on the Technology Reference Data Update Distribution (TRUD). The following MIM references apply:
Demographics (PDS domain)
- 2.3 – P1R1
- 3.1.11 – P1R2, superset of 3.1.10 and 3.1.11
- 4.2.00 – P1R2
- 6.3.01 – P1R2
- 7.2.00 – P1R2
Clinicals (PSIS and GP Summary domains)
- 4.2.00 – PSIS Event (List) Query and GP Summary
- 6.3.01 – PSIS Document query only
Prescriptions (Medication Management domain)
- 3.1.07 – EPS Release 1
- 4.2.00 – EPS Release 2
- 2.3 – Choose and Book (eBooking) Release 1 via intermediary messaging
- 3.1.09 – Choose and Book (eBooking) Release 2 via intermediary messaging
- 4.2.00 – GP2GP v2
Care Identity Service (CIS)
CIS ensures that services are able to permit or deny individuals’ access to clinical data based on authentication against a strongly assured identity, and that every access is robustly audited. The service is predominantly used by care professionals.
This is provided via a national network of Registration Authorities, who perform face-to-face identity checks and issue unique, personalised smartcards, as well as handling ongoing administration and replacements.
Services use the smartcard to gather identity information on the user, their organisation(s) and their role(s) within the same organisation(s). This is then used by the service to determine whether the user has the required access rights to data and thus whether they will be granted or denied access to it.
The core CIS sub-services that support this, and the connection information for each, are:
Spine Security Broker
- ‘2087 External Interface Specification: Part 6 Spine Security Broker’
- ‘2087 External Interface Specification: Part 7 Spine Security Broker APIs’
Spine Directory Service
- ‘2087 External Interface Specification: Part 5 SDS’
NHS Identity currently provides authentication services to allow controlled access to less sensitive clinical data and is being expanded to eventually replace CIS as the authoritative source of identities for use by care professionals within the NHS and into social care.
Ultimately, NHS Identity will support:
- Different levels of identity assurance. This allows the creation of users with lower levels of access than CIS currently provides and hence allows commensurate levels of identity checking – a user not requiring access to sensitive clinical data might be allowed to self-register, whilst users needing clinical data would still require face-to-face checking.
- Use of authentication devices other than smartcards, potentially including specific mobile devices, hardware cryptographic devices and biometrics.
- Access from, and via, the internet, not just the N3/HSCN networks as for CIS
Use of NHS Identity requires the use of the following standard interfaces:
In addition to the above open standards, you can view NHS Identity specific information and more general background.
The following guidelines are used to define the authentication and identity assurance processes used within NHS Identity:
Her Majesty’s Government Good Practice Guide 44 (HMG GPG44)
Her Majesty’s Government Good Practice Guide 45 (HMG GPG45)
US National Institute of Standards and Technology (NIST) Digital Identity Guidelines (NIST 800-63)
Onboarding processes for NHS Login are in the process of being developed and tested.
- An engagement lead is the first point of contact
- An onboarding team are developing an ‘onboarding process’ with the wider Service Management team.
- The first 5 early adopters of NHS Login are testing an onboarding process as part of the overall service development
The NHS Login programme has published the following standards:
Identity verification and authentication standard (Process Standards)
External Interface Specification (Tech Standards)
Health and social care email services must be designed in accordance with the principles of DCB 1596 secure email standard. The secure email standard:
- helps users exchange sensitive/patient data at the first attempt, without undue burden and without having to understand anything about the receiving email service
- ensures systems are not susceptible to forged email (spoofing), so that an email message and the signature of the sender can be accepted/treated in the same way as a signed piece of paper, eliminating the need for paper-based or facsimile submissions where a signature is required
It is based on the following open email standards:
- Transport Layer Security (TLS) v1.2 or v1.3 is required to encrypt and secure email in transit.
- Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC) and DomainKeys Identified Mail (DKIM) are required to prevent email being forged (spoofed).
- ISO/IEC 27001:2013 is required, covering the scope of the email service only, to ensure that the email once received is properly looked after. This reduces burden by not requiring the entire organisation and all of its systems/services to be accredited to ISO/IEC 27001:2013.
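The anti-spoofing and transport requirements listed above can be checked mechanically. The following is an added example, not part of this page or of DCB 1596: the domain, selector and TXT records are constructed, and the pass criteria (SPF ending in `-all` or `~all`, DMARC `p=quarantine` or `p=reject`, a non-empty DKIM key) are assumptions about what an enforcing configuration looks like, not wording from the standard.

```python
import ssl

# Constructed sample TXT records for a hypothetical domain (not real DNS data).
SAMPLE_RECORDS = {
    "example.test": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.test ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
    "sel1._domainkey.example.test": ["v=DKIM1; k=rsa; p="],
}

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DMARC, DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_domain(domain, selector, records):
    """Return a list of findings; an empty list means no weakness was found."""
    findings = []
    spf = [r for r in records.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append("spf: expected exactly one v=spf1 record")
    elif spf[0].lower().split()[-1] not in ("-all", "~all"):
        # redirect= modifiers are not followed in this simplified check
        findings.append("spf: record does not end in -all or ~all")
    dmarc = [r for r in records.get("_dmarc." + domain, []) if r.startswith("v=DMARC1")]
    if not dmarc:
        findings.append("dmarc: no record published")
    elif parse_tags(dmarc[0]).get("p", "").lower() not in ("quarantine", "reject"):
        findings.append("dmarc: policy is not enforcing (p=none or missing)")
    dkim = records.get(f"{selector}._domainkey.{domain}", [])
    if not dkim:
        findings.append("dkim: no key published for selector")
    elif not parse_tags(dkim[0]).get("p"):
        findings.append("dkim: empty p= tag means the key is revoked")
    return findings

def smtp_tls_context():
    """Client context for SMTP STARTTLS that refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

if __name__ == "__main__":
    for finding in audit_domain("example.test", "sel1", SAMPLE_RECORDS):
        print(finding)
```

The context returned by `smtp_tls_context()` can be passed to `smtplib.SMTP.starttls(context=...)` so that delivery fails rather than falling back to an older protocol version.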
NHSmail is the most commonly used secure email and collaboration service in health and social care with over a million regular users of the service across England and Scotland. The service offers secure email, instant messaging and video conferencing. Other accredited systems, including Office 365, are published here.
Read more about the Secure Email Standard here.
NHS WiFi is intended to enable people who are receiving care to be better connected by providing free wireless access across the NHS, and progressively supporting health and care professionals to have access to services, tools and technologies to deliver better care.
In order to ensure that a standardised, high quality WiFi service is available across GP Practices and NHS Trusts in England, NHS Digital has published a suite of technical and security policies and guidelines. These have been developed based on industry best practice and in conjunction with local NHS organisations, patients, and suppliers.
These policies and guidelines, which include accessibility, usability, information governance and information security define the minimum standards to be achieved by suppliers in order to provide a uniform and consistent service for NHS WiFi across the primary and secondary care estate.
NHS WiFi Technical and Security Policies and Guidelines.
Read more about NHS WiFi here.
The Health and Social Care Network
It is vitally important that health and care providers have access to highly reliable, best value and appropriately sized data network connectivity, capable of supporting the increasing demand for digital services.
The Health and Social Care Network (HSCN) provides the default standards for highly performant, security enhanced and best value data network connectivity in health and care. The nineteen suppliers who are accredited to HSCN standards all provide:
- the ideal underlying connectivity to support the increased adoption of internet and cloud-based services
- continued access to the critical applications, systems and services that are not yet developed to be accessible over the internet (the Spine for example)
- vendor-agnostic connectivity that provides flexibility for innovators to build value-add solutions (such as voice and video) on top of the network and enable health and care organisations to adopt flexible and remote work patterns
Health and Social Care Network services are designed in accordance with industry wide area networking standards as well as The HSCN Operational Design Overview and the Solution Design.
Read more about HSCN here.
In order to improve interoperability between online health and care systems and support more ubiquitous access to patient records, health data and diagnostic tools, health and care IT systems, services and applications should be made available over the internet.
This means NHS IT system suppliers and health and care providers should ensure:
- all new NHS IT systems, services and applications are fully accessible over the internet from day one
- all existing IT systems, services and applications are developed to be made fully accessible over the internet at the earliest opportunity
The internet first standards are in line with previously published government and health and social care policy.
Standard capabilities for Local Health and Care Record
NHS England has defined the concepts and constructs of a Local Health and Care Record (LHCR) regional organisation to implement longitudinal care record and secondary use services. In partnership with NHS Digital, those constructs and concepts have been elaborated to describe 22 standard capabilities across 5 broad domains, which are being used to measure the maturity of an LHCR exemplar implementation against a funding agreement.
Read more about LHCRE here.
The e-RS (e-Referral Service) combines electronic booking with a choice of place, date and time for first hospital or clinic appointments. Patients can choose their initial hospital or clinic appointment, book it in the GP surgery at the point of referral, or later at home on the phone or online.
The product has been designed and built with extensive user research and feedback, based around GDS design standards, also working to NHS Digital design principles, policies and standards.
Read more about e-RS here.
API specifications can be found here.