How secure are physical smartcards?
Smartcards contain a separate security processor with its own dedicated memory, which together form a secure enclave. The digital signing and authentication processes rely on this secure enclave being unalterable and physically hardened; this is usually certified through FIPS 140 compliance.
All access requests, successful or otherwise, are logged so that security audits can determine what a user was accessing and when.
What level of authentication is required for systems that are connected to Spine and other national services?
We mandate compliance with NIST 800-63B at Authenticator Assurance Level 3 (AAL3) in order to satisfy the evidential requirements associated with the NHS Care Record Guarantee(1) and the legislation associated with electronic prescribing. This authentication requirement also builds on the level three assurance requirements for identity proofing and for issuing the credential to the user, set out in NIST 800-63A (Identity Assurance Level 3, or IAL3).
(1) The Care Record Guarantee was first referenced in the explanatory notes to the Health and Social Care Act 2008 (see paragraph 83) and first published in 2011 by the National Information Governance Board, whose functions have since transferred, pursuant to s280 of the Health and Social Care Act 2012, to NHS England, the Care Quality Commission and the Secretary of State. The Social Care Record Guarantee (the guarantee for social care records in England) was first published on 01 October 2009.
Last edited: 30 April 2020 2:56 pm