Skip to main content
Coronavirus (COVID-19) Smart cards frequently asked questions

We have provided some frequently asked questions to support smart card users.  

1. How secure are physical smartcards?

Smartcards work through having a separate security processor with its own dedicated memory (which together form a secure enclave). The digital signing and authentication processes rely on this secure enclave being unalterable and physically hardened, this is usually certified through FIPS 140 compliance. 

All access requests, successful or otherwise are logged so that security audits can determine what a user was accessing and when.  


2. What level of authentication is required for systems that are connected to Spine and other national services?

We mandate compliance with NIST 800-63B (often referred to as Authenticator Assurance Level 3 or AAL3) in order to satisfy the evidential requirements associated with the NHS Care Record Guarantee(1) and the legislation associated with electronic prescribing. This authentication requirement also builds on level three assurance requirements for identity proofing and issuance of the credential to the user, based on NIST 800-63A (often referred to as Identity Assurance Level 3 or IAL3).

(1) The Care Record Guarantee was first referenced in the explanatory notes of the Health and Social Care Act 2008 (see paragraph 83), and first published in 2011 by the National Information Governance Board, whose functions have since transferred to pursuant to s280 of the Health and Social Care Act 2012 to NHS England, and the Care Quality Commission, and the Secretary of State. The Social Care Record Guarantee (the guarantee for social care records in England) was first published 01 October 2009.

3. What does this mean practically in terms of how I need to authenticate?

Different smartcard solutions (physical and virtual) present different ways that users can use them. NHS Digital are currently using and investigating the following options: 

  • physical smartcard inserted into a reader, with a pin to activate 
  • physical smartcard in proximity to a reader with a pin to activate 
  • virtual smartcard inserted into a USB port, with a pin to activate 
  • a virtual smartcard on a mobile phone in proximity to a bluetooth linked PC, with a pin on the PC to activate 
  • a virtual smartcard in the cloud with an authenticator app on a phone to activate 
  • a virtual smartcard on an iPad (assigned to an individual) with a biometric (face-recognition or thumbprint) to activate 
  • a virtual smartcard on a Windows tablet (assigned to an individual) with a face-recognition biometric to activate. 

4. Can secure authentication requirements be reduced during COVID-19?

The same duty of care is owed to individuals to protect their health and care data as to the standards established in the care guarantee. It is important that the policies designed to protect the security of critical systems and data are upheld. In exceptional circumstances, and where other additional controls can be applied, simplified access to patient data for direct care may be requested.

If you believe you have a strong specific use case you can contact us by emailing and we will review with our clinical and legal teams.  

Last edited: 30 April 2020 2:56 pm