Skip to main content

NHS smartcards for developers

Find out about NHS smartcards, how they work, and how to request and use them for testing in our path to live (PTL) testing environments.

Overview

This page explains what NHS smartcards are, how they work, the end user’s smartcard journey and testing with smartcards in our path to live (PTL) environments.


What is an NHS smartcard?

An NHS smartcard is a plastic card containing an electronic chip and is used along with a PIN. It looks like a ‘chip and PIN’ bank card.

NHS Smartcard

A smartcard is personalised by printing the end user's name, photograph and unique user identification number on it. The end users are typically the healthcare workers working for NHS England.

Smartcards were introduced in 2004 and are one of the ways for healthcare workers to strongly authenticate themselves. Once authenticated they can access the clinical and personal information of a patient via our national services such as PDS and EPS.


What are smartcards used for?

The primary purpose of smartcards is to strongly authenticate healthcare workers before they can access patient information. 

They can also be used to:

  • sign in to a Windows desktop, for example at an NHS trust

  • identify themselves as NHS staff, for example at a pharmacy

A smartcard combined with a PIN helps to protect a patient’s clinical and personal information securely. Smartcards are the most widely used means of access control for patient information.


Healthcare worker’s smartcard journey

The suppliers of the healthcare application or an IT support function within an NHS organisation are likely to be responsible for setting up the healthcare worker’s computer. They download the NHS Digital Identity Agent (IA) and the NHS Credential Management Software (CMS) from NHS Digital downloads (only available over HSCN connection). These software components are responsible for initiating the healthcare workers authentication process and interactions with the server-side components.

Once the computer is set up there are 4 stages in a healthcare worker’s smartcard journey.

Applying for a smartcard

Once a healthcare worker is employed by an NHS organisation, they need to provide their proof of identity to get a smartcard. Each NHS organisation has a person who is responsible for handling this, and they are known as the Registration Authority (RA) for that organisation. The RA carries out the identity checks of smartcard users and assigns an appropriate access profile to the healthcare worker.

For further details on the RA function, see Registration Authorities Operations and Process Guidance.

  1. The healthcare worker provides their details to the RA.

  2. The RA creates the healthcare worker’s profile in the Care Identity Service (CIS) application.

  3. The RA assigns the Roles (‘R’) and Business (‘B’) codes to the healthcare worker’s profile.

  4. The RA prints and sends the smartcard to the healthcare worker.

  5. The healthcare worker calls the RA to confirm the receipt of the smartcard.

  6. The RA texts the 6-digit unlock code to the healthcare worker.

When face-to-face registration meetings and the use of identity checkers are not possible during the Coronavirus (COVID-19) pandemic, see Remote smartcard registration.

Applying for a card reader

The RA completes the form to order a smartcard reader on behalf of the healthcare worker. A typical card reader looks like:

Smartcard reader. Image © 2021 HID Global

Using a smartcard

 

  1. The healthcare worker signs in to a point-of-care application.

  2. The point-of-care application prompts the healthcare worker to authenticate by inserting the smartcard in the reader or a keyboard that supports smartcard authentication and enter their 6-digit PIN.

3. The smartcard reader uses IA and CMS on the healthcare worker’s computer to validate the card and the PIN.

4. After successful authentication, if the healthcare worker has more than one role, the CMS software pops up a window presenting the roles assigned for them to choose from.

If the healthcare worker has only one role this window does not pop up as the CMS software automatically chooses the available role for the healthcare worker.

5. The healthcare worker is now authenticated.

Unlocking a smartcard

NHS CIS provides a self service smartcard unlock option in case if the healthcare worker locks it by entering an incorrect PIN. It enables them to unlock their smartcard without having to contact their RA to do this for them. For further details see, CIS self-service Smartcard unlock.


Types of smartcards and modern alternatives

There are different types of smartcards and modern alternatives:

  • physical smartcard

  • virtual smartcard

  • modern alternatives

Physical smartcard

A physical smartcard is similar to a ‘chip and PIN’ bank card and is read by a smartcard reader. There are contact and contactless smartcard readers.

Virtual smartcard

A virtual smartcard has a similar function to a physical smartcard. It enables secure authentication using an app on a healthcare worker’s mobile device, to gain access to patient information. It works with the:

For further details, see Entrust virtual smartcard.

Modern alternatives

To support modern and mobile ways of working within the NHS, we recently introduced NHS Care Identity Service 2 (NHS CIS2), a new and secure authentication service for healthcare workers. It provides a single integration process for modern alternative authentication mechanisms, including:

  • iPad authentication

  • Windows 10 tablet authentication

  • security key authentication

For further details, see Ways to authenticate using NHS Care Identity Service 2.


Applying for a smartcard to use in testing

As a software developer, you need a smartcard so that you can authenticate yourself to access the test data for testing your application. To get a smartcard, make a smartcard request for a path to live environment.

You can:

  • create new users (up to 4 per form)

  • amend an existing user

  • reissue a smartcard

  • use one smartcard per environment

Enter the following information in your form.

Section 1: Your details.

Section 2: Confirm if you want to:

  • create a new user

  • amend an existing user

  • copy an existing smartcard roles

  • reissue an expired smartcard.

Section 3: Complete this section only if you wish to copy an existing smartcard or reissue an expired smartcard.

Section 4: Complete this section if you are a new user or need to amend details on your card. 

  • You must provide Organisation Data Service (ODS) codes, which are issued by ODS. ODS codes are unique identification codes for organisations that interact with the NHS. If you need to create your own ODS code send an email to the ITOC Support Desk. For further details, see the Organisation Data Service.

Section 5: Provide your address for smartcard delivery


The ITOC support desk issues up to 4 smartcards per application form. If you need more than this, email the ITOC Support Desk.


Using smartcards in our path to live (PTL) testing environments

Our PTL environments are for early software development testing and then for formal integration testing. 

For software development testing, use NHS Digital downloads (only available over Health and Social Care Network (HSCN) connection) to:

  • download NHS Digital Identity Agent (IA) and select NHS test environment certificates during the installation
  • download and install NHS Credential Management Software (CMS)
  • download and install the correct drivers for the smartcard reader that you have
  • choose the correct Root CA and Sub CA for Integration depending on the environment requested on the smartcard

The diagram below provides an overview of our PTL environments and their integration with NHS CIS2 and Spine environments.

Sandbox testing

Our sandbox environment is open access, so authentication is not required.

For further details, see sandbox testing.

Integration testing

Our integration environment is paired with the NHS CIS2 integration environment, so you can use smartcards for authentication.

For further details, see integration testing with our RESTful APIs.

Go live by integrating with NHS CIS2

The NHS CIS2 integration toolkit explains how to get approval for your product and go live, see NHS Care Identity Service 2 integration toolkit.

Last edited: 20 December 2021 11:57 am