What's happening in Identity and Access Management

There’s a lot going on across the Identity and Access Management teams in NHS Digital. Find out about our products and services, and how to get involved with pilot programmes and share your feedback.

Care Identity Management

Replacing the Care Identity Service (CIS) interface to fit with modern standards, so our systems can work seamlessly across the NHS using APIs.

Overview

We're replacing the part of the CIS which allows Registration Authorities (RAs) to search or create user profiles, assign specific access rights, and generate reports.

We’re building the new system bit-by-bit starting with 'Create User', then adding on new functions which will be used by our pilot tester RAs, and the data will link back to CIS. Eventually CIS will be closed down, and everyone will be moved over to the Care Identity Management system.

The current system

While it is not causing us acute pain at the moment, the system we have is hard to update, and cannot adapt to new circumstances easily. We’ve made a strategic decision to replace it, by expanding our ForgeRock back-end system which provides the modern standards we need, and for which we already have a license.

Benefits of change

The long term benefits will be better security, more sophisticated sharing of data with systems like the Electronic Staff Record (ESR), and easy adaptability to new requirements.

You’ll see changes to the look and feel of the service pages as it’s brought into line with the NHS design system. The researchers and designers on our team are also working with users to make sure that the service is easy to use, and identify any existing issues or irritants that we find.

Roadmap

Delivered

  • discovery phase - asking and answering the question: ‘Should we do this project?’
  • alpha phase - asking and answering the question: ‘How will we do this project?’
  • research and design for 'Create User'
  • connecting the new and old systems together, so users can be created in Care Identity Management and fed back into CIS

Up next

  • private beta phase - recruiting a small number of RAs to create users in the new system, and switch back to CIS for all other actions  
  • user research and design for 'User Management'

Exploring

  • research and design for replacing:
  • bind and issue authenticators
  • assign access controls
  • request lists review
  • reporting review
  • training and learning for the new system
  • public beta phase - moving all users over from CIS, and gathering feedback to improve

How to get involved

Email: IAMPlatforms@nhs.net to:

  • send feedback about any part of our service - whether it’s a problem with the existing system, or a suggestion
  • ask to be contacted by our researchers, to book an hour’s usability testing session
  • ask to be added to the list of private beta testers, to be early adopters of our new system and be part of the design team

We’ll be running roadshows more often, so keep an eye out for announcements, or check on the digital.nhs news page.


Care Identity Service 2 (CIS2) Authentication Service

Users should be able to use a choice of authentication token to suit their environment and task at hand.

Overview

Formerly named NHS Identity, this is a new, secure authentication service used by health and care professionals in England to access national clinical information systems. 

Roadmap

Delivered

  • adopt open standards for authentication
  • use TouchID on an iPad to authenticate to national applications
  • use Windows Hello for Business to authenticate to national applications
  • enable users created in CIS to authenticate with CIS2

Up next

  • use Cross Platform security keys to authenticate to national applications
  • upgrade underlying authentication platform to latest vendor release
  • authenticate with a smartcard over the internet via an Internet Identity Agent

Exploring

  • use Android devices as an authenticator to access national systems
  • use an Out of Band device to authenticate to national systems

Find out more

You can find more detailed information on our NHS Care Identity Service 2 pages.


NHS CIS2 support for smartcard users

Existing smartcard users should be able to access applications that use CIS2 for authentication.

Roadmap

Delivered

  • enable OpenID Connect (OIDC) authentication for Smartcards via NHS CIS2 Hub software
  • onboarding journey for clinical system vendors
  • smartcard users can access genomics and cervical screening applications through CIS2
  • notify CIS2 applications of smartcard removal (tactical)

Up next

  • notify CIS2 applications of smartcard removal (strategic)
  • smartcard authentication over the Internet (Internet Identity Agent)
  • adoption of NHS Credential Management to replace NHS CIS2 Hub

Exploring

  • next series of smartcards

Self Service Registration

NHS workers and other professionals should be able to register for a Care Identity in a self-driven way.

Overview

NHS Digital are creating a new Self Service Registration service, which allows employers to invite employees to submit identity documentation for verification through a self-service route.

The current system

The current verification process requires face to face interviews with Registration Authorities (RAs) in order to be verified for access to NHS data. This process requires users to travel to specific locations, consumes RAs' time, and requires the organisation to have access to an RA service.

Benefits of change

The new service will allow NHS workers to upload relevant identity and proof of address documentation remotely and securely without having to attend face to face appointments.

This new service will reduce travel needs of employees and support RAs to obtain relevant and accurate information about the employee being registered, thereby streamlining the registration and verification processes.

Roadmap

Delivered

  • self-service registration of a staff digital identity 'Get a Care Identity' discovery
  • 'invite someone to get a Care Identity' prototypes
  • 'prove your identity' prototypes

Up next

  • private beta for 'invite someone to get a Care Identity'
  • private beta for 'Get a Care Identity'

Exploring

  • integration with existing Care Identity Service to allow RAs to fully manage self-created Care Identities
  • duplicate checking with self-created Care Identities

Get involved

Email: IAMPlatforms@nhs.net to:

  • send feedback about any part of our service - whether it’s a problem with the existing system, or a suggestion
  • ask to be contacted by our researchers to book an hour’s usability testing session

Remote Signing Service

An API-based service for suppliers to enable electronic signatures on a wide range of applications and devices.

Overview

As healthcare systems have moved from paper to digital, there is still a need to sign documents. NHS Digital have developed an API-based service that can be used by software suppliers to enable electronic signatures across the NHS on a wide range of applications and devices. 

It will initially be launched for use in prescription signing and dispensing but is intended to be available for use on a wider range of documents. 

The current system

There is strong demand to use mobile devices for prescription signing. This is very difficult to achieve with the current combination of NHS Digital and 3rd party solutions which require the use of smartcards and locally installed hardware.  

Current solutions are also tightly coupled to prescription signing, and cannot be easily adapted to allow other forms of document signing which might be needed.

Benefits of change

  • enabling the use of mobile devices for prescribing by removing the dependency on smartcards
  • providing a single solution that works for both smartcard and non-smartcard based prescribing
  • providing 3rd Party system suppliers with the option to remove ongoing development complexity by switching to a simple API call
  • opportunity for more generic document signing
  • simplifying and speeding up the process of making changes to the signing process

Roadmap

Delivered

  • use cases definition
  • architectural design approved
  • API specification approved

Up next

  • private beta in secondary care setting with Electronic Prescription Service (EPS) use case and iPad as an authenticator
  • automating creation and management of signing certificates
  • signature verification for dispensers

Exploring

  • platform review for economic scalability
  • scaling private beta (prescriptions)
  • smartcard user compatibility
  • public beta (prescriptions)

Find out more

Email: IAMPlatforms@nhs.net to:

  • ask questions about the Remote Signing Service
  • get more information about the wider Electronic Prescription Service (EPS)

System supplier onboarding to CIS2

System suppliers should be able to integrate with NHS Digital’s authentication service easily.

Roadmap

Delivered

  • development and Integration Environments
  • onboarding pack
  • supplier Conformance Assurance List
  • applications onboarded: Summary Care Record, National Genomics Informatics systems, cervical and breast screening applications

Up next

  • streamlined onboarding process
  • in dialogue with 28 internal products and 36 external services for OpenID Connect (OIDC) adoption and migration from Care Identity Service (CIS) to CIS2
  • onboarding at least 2 GPIT Futures new market entrants

Exploring

  • opportunities for self-service onboarding

Java deprecation and Credential Management

Allows healthcare workers to use a range of modern browsers to do their jobs, by removing our reliance on Java.

Overview

Healthcare workers should be able to use a range of modern browsers to do their jobs. As many of our products and services are reliant on Java, staff have been restricted to using Internet Explorer. 

Credential Management

Credential Management enables the very first steps towards Java deprecation. It's a standalone desktop installation that works in the background on the user's system, between Identity Agent and the internet browser. As more suppliers start using Credential Management, more applications will support authentication on modern browsers.

Benefits of Credential Management

Using Credential Management provides the following benefits:

  • removes the requirement for non-supported Java Applets and Internet Explorer (IE) 11 browser from Care Identity Service (CIS) operations - when installed, a Registration Authority will be able to perform RA operations in modern browsers such as Chrome and Edge
  • improves operation speed, performance and stability in performing RA functions
  • simple desktop installation
  • supports self renew, PIN change and self unlock in modern browsers

Roadmap

Delivered

  • moved operations performed by Java applets into credential management
  • port redirection to use Credential Management on a VDI session
  • Care Identity Service 2 (CIS2) authentication integration

Up next

  • Credential Management adoption by NHS Digital applications
  • engagement with system suppliers to plan the adoption of Credential Management
  • roll out of Credential Management to cervical screening users

Exploring

  • roll out Credential Management to all smartcard users
  • support for Firefox

How to get involved

Following the successful pilot phase, Credential Management is now available to all RAs and associated roles for immediate download and use from the following link: http://nww.hscic.gov.uk/dir/downloads/index.html#credential_management

The link includes the software for installation and the relevant support documentation.

We’ll be running roadshows more often, so keep an eye out for announcements, or check on the digital.nhs news page.


Legacy deprecation

Managing the retirement of old and unsupported Identity and Access Management (IAM) products and services across the estate.

Overview

There are long-standing challenges for the NHS in managing out-of-date software and hardware. It creates costs, spreads finite resources thinly and increases our security risk and threat landscape.

To reduce these risks, NHS Digital have announced dates after which some legacy software and services will no longer be supported.

Roadmap

Delivered

  • deprecation notice published detailing the services to be deprecated and the timeframes for these
  • engagement with over 200 organisations in support of Identity Agent client deprecation
  • 57% of legacy Identity Agent client deployments removed since November 2020

Up next

  • deprecation of legacy smartcards – Gemplus, physical JCOP 41 and JCOP41
  • Identity and Access Management enablement team to contact organisations with high numbers of these cards
  • breakdown of organisations' smartcard types available upon request

Further information

If you need a breakdown of the Series 4 smartcards currently in use in your organisation, email: IAMPlatforms@nhs.net

For more detailed information, and dates of deprecation, visit our Supporting older version smartcards page.


Smartcard procurement

Users should be able to use next-generation smartcards that use modern technologies.

Roadmap

Delivered

  • Entrust Virtual Smartcard pilot
  • agreed type of replacement smartcards (PIV/CIV)
  • request for proposal (RFP) documentation completed

Up next

  • procurement exercise for new smartcards
  • deprecation of series 4 to series 6 cards
  • exploring alternatives for pairing of Entrust virtual smartcards

Role Based Access Controls (RBAC)

A review of the Role Based Access Control model.

Overview

Access to national clinical (Spine) systems is currently controlled by a role-based access control (RBAC) authorisation model, providing access rights based on users’ roles within their organisation.

NHS Digital are undertaking a review of the current RBAC model, as distinct from smartcards or authentication in general, involving an extensive research and consultation exercise with system suppliers and their customers (within primary and secondary care), Registration Authorities (RAs), information governance (IG), national applications and clinical systems administrators.

Roadmap

Delivered

  • research and consultation exercise 
  • over 60 interviews conducted
  • questionnaire sent out and collated

Up next

  • a paper detailing proposals, underpinned by the research, is due to be submitted for internal review by the end of March 2021
  • consultation on proposals continuing into April 2021

Get involved

Email: IAMPlatforms@nhs.net to:

  • send feedback about National RBAC/NRD - whether it’s a problem with the existing system, or a suggestion
  • ask to be contacted by our researchers, to be included in webinars, focus groups and/or interviews

Support for Care Identity Service (CIS) and CIS-to-Cloud

Existing smartcard users should be able to continue to use and rely on the Care Identity Service (CIS) until they can migrate to NHS CIS2.

Roadmap

Delivered

  • software and hardware upgrades
  • improved incident and service request triage process
  • discovery and build phases to move the CIS from physical hardware to cloud-based hosting
  • continual improvement of Identity Agent software
  • decommission date published
  • ability to register other authenticators

Up next

  • implementation of cloud hosting
  • deprecation of old versions of Identity Agent
  • planning the decommissioning of the existing CIS

Exploring

  • migration of system vendors and their users to NHS CIS2
  • decommissioning of the existing Care Identity Service

CIS-to-Cloud service downtime

This transition weekend is scheduled to take place between Friday 7 May (BST) 6.30pm and Monday 10 May (BST) 8am. During this time, Authentication and the Directory Service will remain available. From the start of the transition weekend, the Care Identity Service application including any CMS operations on smartcards will be unavailable. 

Find more details on what your IT function needs to do.


Digital Wallets / Staff Passports

NHS and other professionals should be able to own and control their verified digital identity and proactively share this with NHS Organisations to enable streamlined onboarding and access to systems.

Roadmap

Delivered

  • architectural pattern for supporting the onboarding of NHS staff between NHS organisations
  • a demonstrable product using open standards to securely obtain nationally held credentials from Care Identity Management

Up next

  • support NHSX business change
  • build capability to deliver the Digital Wallets product as a pilot
  • integration with CIS2
  • assess the Microsoft suite of services in Azure that support decentralised identity use cases

Exploring

  • integration with a national trust framework, for example revocation
  • develop further architectural patterns, for example Digital Wallets for authentication, physical access, candidate screening
  • support national enablement programmes for roll out

Last edited: 18 August 2021 7:54 am