Securing NHS Care Records

The new NHS Care Records Service (NHS CRS) will provide an electronic NHS Care Record for all England’s 50 million plus patients, revolutionising the way health and care information is stored and handled.  It will ensure that wherever and whenever a patient seeks NHS care, the right information is available to the right people at the right time.

However, ensuring that only the right people can access patient information requires the ability to effectively authenticate users of NHS CRS. As part of the development process for the NHS Care Records Service, the National Programme for IT undertook an extensive evaluation of the different means of authenticating users.

Authentication usually relates to something you have, something you know or something you are. Traditional methodologies require a username and password – two instances of something you know.   While this single factor authentication is better than no challenge at all, it provides only relatively weak security.  A person would, for example, not expect to be able to get money out of the bank using this information alone.

Single factor authentication is open to identity theft via keystroke monitoring, social engineering ("what’s your password?"), shoulder surfing, man in the middle, network monitoring, password cracking, the Post-It attack (stick the password on one) and support staff abuse (see detailed list at the end of the article). 

Two-factor authentication, such as a smart card in conjunction with a PIN, greatly reduces the risk of identity theft.  For this reason, two-factor authentication is the standard mandated by government and supported by industry, to be used when authenticating identity for access to systems which may impact on the care of patients. 

In two-factor authentications, the password may still be used, as it provides the ‘something you know’ part of the authentication.  However, either the ‘something you have’ or ‘something you are’ must be provided, too, giving a second factor.  The most common form of ‘something you have’ is a physical token – usually an electronic card. ‘Something you are’ could be a fingerprint or retina scan.

This second factor overcomes all the risks of single factor authentication. Obtaining the password by itself is useless, as the physical token is not present and this is required as a second factor. This mitigates against techniques such as keystroke monitoring, password cracking or simple social engineering, shoulder surfing, password cracking, Post It attack or support staff abuse.

By using the password to unlock information held on the physical token, and providing this in a secured manner to a central authentication service, the integrity of the credentials can be maintained.  This mitigates against ‘man in the middle’ – and network monitoring – provided a trusted session is implemented between the user’s machine and the authentication service. 

Although the cost of implementing a two-factor authentication system is marginally higher than that of a single-factor system, the benefits in terms of integrity, flexibility and security are manifold. 

There is no need to hold a centralised username and password store, and the number and complexity of authentication interactions is reduced.  The risk of an individual’s identity being compromised in a large distributed system is also greatly reduced, as the emphasis for authentication security lies with the user and not the system.                             

Several different approaches to two factor authentication were considered by the National Programme. Biometrics was dismissed because, although fingerprint identification would have been a relatively low-cost option, fingerprints are impossible to obtain from users wearing surgical gloves.

USB Tokens were dismissed as being easy to damage and impossible to visually tie to a user’s identity.  The cost of ‘Secure ID Number Tokens’ is prohibitive on the scale required, so they too were dismissed.

Smart cards holding electronic credentials have a number of advantages which make them the preferred option. They are relatively easy to deploy in large numbers and can be used with standard PCs. Another benefit of cards is that they can be readily personalised to provide a visual tie in to identity.  And, once issued through a registration authority, smart cards can also be used with door access systems, car parking systems, as a canteen payment card, occupational health information card or ID card.

Smart cards are also a proven technology that has already been successfully used in both the public and private sectors. Many financial institutions across the world favour ‘chip and pin’ to enable customers to access cash or make payments. And in the US, the Department of Defense has deployed a system similar to that proposed for the NHS in England and with many more users.

All these factors have led the National Programme to choose two-factor authentication, using ‘NHS Smartcards’ and PIN numbers. The system relies upon the assured registration of an individual’s identity, and registration authorities located in each local NHS trust will be responsible for issuing the Smartcards to staff.

The NHS Smartcard has been designed so that it can be integrated with other card schemes (for example, occupational health, staff ID cards). The card can also be produced with a magnetic strip on the reverse, allowing its use with existing swipe systems. 

To use the new Smartcards, systems will require a card reader.  These come in a variety of types and designs and are compatible with a wide variety of devices.  The readers being deployed by the National Programme are compatible with both USB and RS232 interfaces, and are supplied with an interchangeable cable that connects to both USB and RS232.  Card readers are also readily available for devices such as PDAs and tablet PCs.

The architecture adopted by the National Programme leaves the door open for other authentication mechanisms to be used in the future, such as facial recognition technologies, and these may be used to replace the PIN in situations where systems are capable of using such technologies. 

An individual’s level of access to patient information held on National Programme systems will be determined by their role, their legitimate professional relationship with the patient and the patient’s use of an electronic ‘sealed envelope’, in which sensitive information can be placed.

Healthcare professionals will be able to access the systems they need to, regardless of where they are within the NHS. For example, GP locums attending a practice for the first time will have their role profile altered by an authorised user within the practice to give them ‘membership’ of the practice. This is a simple and straightforward process which will take less than a minute to perform. The membership will expire automatically after a set time.

By levelling a common registration and authentication process across all care professionals, the NHS can rely upon the identities, credentials, and assured qualifications of the individual for both access to care records and also the audit of such accesses.

The NHS Care Records Service will provide much more protection and control for patients than they currently have. Every person who accesses a patient’s record will leave an audit trail – who they are, what they did and when.  Anyone trying to see a patient’s record against access rights will trigger an alarm to a privacy officer who will follow it up. Authentication mechanisms will be closely scrutinised to ensure that patient care is not adversely affected by the introduction of these new technologies.

In the future, the NHS Smartcard plus PIN authentication process could allow NHS-registered users to be recognised by other organisations they need to work with within central and local government and further afield.  In addition, the infrastructure deployed by the National Programme could support a patient card with patient interfaces deployed in the same manner as bank ATMs, offering patients access to HealthSpace and other services.