Skip to main content

Entrust virtual smartcard

A new virtual smartcard product that enables users to authenticate securely using an app on their mobile device, to gain access to health and care systems and services.

The product works with the NHS Digital Identity Agent (IA) client, Care Identity Service (CIS) and Card Management Service (CMS) infrastructure, and is supported by NHS Digital.

It is a new option for authentication to Spine systems, provided in addition to existing CIS physical smartcards. It works through an Entrust application that can be downloaded and installed on a user’s mobile device. It can be issued and managed using largely the same processes as a physical card.

This virtual smartcard solution has been built by NHS Digital in partnership with Entrust and has undergone stringent product assurance along with reviews by NHS Digital's Cyber Security and Information Governance functions.

The Entrust virtual smartcard works by using the following process:

  1. The user verifies their identity using current registration authority (RA) policy, if they have not already done this.
  2. The RA registers them for a virtual smartcard and sends an email to their email address (which must be NHSmail or another approved domain).
  3. The user downloads the Entrust app onto their mobile device and completes the activation of their virtual smartcard.
  4. The user can then pair their mobile device with a computer that has the Entrust virtual smartcard reader installed, and use the virtual smartcard to gain secure access to health and care systems which they would usually need a physical smartcard to access.

A new feature to register and de-register an Entrust virtual smartcard has been added to the RA user interface, the User Registration Service (URS) part of the Care Identity Service (CIS). This feature will only be made available to RAs providing a service to organisations that are approved for the Entrust virtual smartcard solution. All relevant transactions regarding virtual smartcards will be logged and audited within the existing CIS service.

Onboarding guides

Benefits include:

  • security - the virtual smartcard is stored on a user's mobile device, making it less likely to be shared
  • it uses the same Public Key Infrastructure (PKI) and certificate authority infrastructure, and works with the same NHS Identity Agent, used for physical smartcards, so little new technology is required
  • infection control - the Bluetooth auto-connect feature allows authentication without the user having to touch their mobile device

There are some technical requirements that must be met to use Entrust virtual smartcards.

View Entrust virtual smartcard organisation and technical requirements.

NHS Digital has procured a limited number of licenses to remove local burden.

During the controlled roll-out phase, licenses will only be granted to help the coronavirus (COVID-19) response.

By applying, you undertake that you will use the services only for lawful purposes and in accordance with our terms and conditions.

We will review all applications with the primary focus on support for the coronavirus response. Initially this product is launched on a limited roll-out basis to ensure that any challenges associated with the new launch can be managed in a controlled manner. We will limit all approvals to a maximum of 300 licenses per organisation. We expect this number to be revised in the coming weeks, and it will be monitored and reviewed regularly.

This product has a hands-free, auto-connect feature to support authentication. If you are considering using this in high dependency, critical care or tightly infection-controlled zones then you must complete a full clinical risk assessment before applying for licenses. This auto connect feature can be extremely helpful but we would advise you to consider clinical safety risks when using it in high tempo, fast user switching scenarios.

Those signing a prescription need to be able to demonstrate that they were in sole control of the signing capability at the point of signing. This makes it challenging to develop a solution that meets the requirements of an advanced electronic signature. We have been working with Entrust for a number of months to prove this is technically possible and we are now moving rapidly into proving this capability with a number of suppliers. We expect to be able to announce further progress in the coming weeks. Until we have announced the solution has been assured and is available from those suppliers who provide an advanced electronic signing capability to support Electronic Prescription Service (EPS) we will not approve any applications for use with EPS.

We are working with EMIS and One Advance to prove the Entrust solution works with these systems.

If you have questions or need help with your application, email accesslogistics.hub@nhs.net.

Get guidance for technical support and ICT, registration authorities and users of Entrust virtual smartcards, to help you set up and start using Entrust virtual smartcards.

Last edited: 11 November 2020 10:46 am