NHS smart card devices enable secure access to health care apps

Thanks to the NHS smart card programme and some creative middleware, four health trusts in North London have found an inexpensive way to offer secure access to health care applications.

Four health trusts in North London have found an inexpensive way to give their nurses and doctors remote access to their main applications.

By making use of NHS smart cards -- the chip-and-PIN devices that have been distributed to NHS employees under the Connecting for Health (CfH) digital health care programme to allow them to access patient records -- the trusts have discovered a ready-made platform to provide secure two-factor authentication to their office applications from any remote location.

The project has been developed by the Barnet, Enfield and Haringey Health Informatics Service (BEHHIS), which coordinates IT across Primary Care Trusts (PCTs) in the three London boroughs as well as the Barnet, Enfield and Haringey Mental Health Trust.

The remote access system combines two pieces of technology the NHS already had: the NHS smart card, and Microsoft Forefront Unified Access Gateway (UAG), which had been acquired separately. Neither was designed to work with the other.

By commissioning some middleware to create a link between the two, BEHHIS has avoided the expense and effort of a new public key infrastructure programme and new security tokens to provide the necessary levels of security, and has allowed hundreds of employees to gain remote access to their applications.

Perry Meyer, a project manager with the Enfield PCT, explains the background: "We have a substantial estate of doctors, clinicians and nurses who had to work from paper notes, and then transpose their information when they got back to their base. We wanted to enable them to work more flexibly, and bring the medical practice closer to the customer."

Meyer said the PCTs looked at implementing PKI to give users secure remote access to systems, but said that would have been too expensive and complex to administer. They then looked at using the smart cards provided by the NHS, which has already issued more than 750,000 of them. The smart cards are designed specifically to work with some core national health applications, such as a central database of patient information, but most PCTs also have their own local IT infrastructures that may be based on a variety of technologies.

The NHS had also bought a group-wide licence from Microsoft for its Forefront UAG product, which provides SSL VPN connectivity for remote users. Since the software was bought and paid for, every PCT was entitled to draw down as many user licences as it needed for the UAG without cost, but it would not work natively with the NHS smart card.

The middleware to make the two elements work together was provided by Bracknell-based Microsoft specialist Winfrasoft Ltd. Phillip Nicklos, technical director with Winfrasoft, said: "Some NHS applications have been written for the smart card, but the majority of local trusts have their own legacy applications. Some trusts still run Novell eDirectory, while most run Active Directory."

The middleware, now called Health Access System (HAS), manages the authentication of users when they log on remotely. The first time a user logs on with a smart card, he or she is also asked for a local Active Directory username and password, and the HAS then stores the smart card credentials in the user's Active Directory record, binding that card to that account.

Subsequently, when users log on remotely, they insert their smart card, key in a PIN, and are then presented with a Web portal that shows all the applications to which they have access, both locally and nationally. It means, for instance, that doctors can easily get access to CfH applications, such as the national patient database, from wherever they happen to be, as well as accessing their own PCT systems.

If users forget their smart card or misplace their card reader, they can have a one-time passcode sent to their mobile phone, enabling them to carry on with their work. This fallback is available only to users who have already enrolled with the system.
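The enrolment, card logon and one-time-passcode fallback described above, modelled as an added example. This is not Winfrasoft's HAS code, nor any CfH or UAG component: the Active Directory records, the chip-and-PIN card and the passcode store are in-memory stand-ins constructed for the demo, and every class, field and function name (SmartCard, ADUser, HealthAccessSystem, enrol, logon, request_otp, logon_with_otp) is hypothetical. The five-minute passcode lifetime and the assumption that the fallback path checks the AD password alongside the passcode are also assumptions, not details from the article.

```python
"""Toy model of smart-card enrolment, card logon and OTP fallback for a remote-access portal.

Added illustration only; not Winfrasoft's HAS code. All names here are hypothetical and
the directory, card and OTP store are constructed in-memory stand-ins.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class SmartCard:
    """Stand-in for the chip-and-PIN card: the chip holds a serial and checks the PIN itself."""
    serial: str
    pin: str
    attempts_left: int = 3

    def verify_pin(self, pin: str) -> bool:
        if self.attempts_left == 0:
            return False                     # card locked after three wrong PINs
        if hmac.compare_digest(self.pin, pin):
            self.attempts_left = 3
            return True
        self.attempts_left -= 1
        return False


@dataclass
class ADUser:
    """Constructed stand-in for an Active Directory user record."""
    username: str
    password_hash: str
    apps: list
    card_serial: Optional[str] = None        # written once, by enrolment
    mobile: Optional[str] = None             # needed for the OTP fallback


def hash_pw(pw: str) -> str:
    # Toy hash so the example runs offline; real deployments defer to AD, not to this.
    return hashlib.sha256(pw.encode()).hexdigest()


class HealthAccessSystem:
    """Hypothetical middleware between the card, the SSL VPN portal and the directory."""

    OTP_TTL = 300                            # seconds; an assumption, not from the article

    def __init__(self, directory: dict):
        self.directory = directory
        self.by_card = {u.card_serial: u for u in directory.values() if u.card_serial}
        self.pending_otp = {}                # username -> (otp, expiry)

    def enrol(self, card: SmartCard, pin: str, username: str, password: str) -> Optional[str]:
        """First logon: prove possession of the card (PIN) and of the AD account (password),
        then store the card serial in the user record so later logons need no password."""
        if not card.verify_pin(pin):
            return None
        user = self.directory.get(username)
        if user is None or not hmac.compare_digest(user.password_hash, hash_pw(password)):
            return None
        if user.card_serial not in (None, card.serial):
            return None                      # account already bound to a different card
        if self.by_card.get(card.serial, user) is not user:
            return None                      # card already bound to a different account
        user.card_serial = card.serial
        self.by_card[card.serial] = user
        return user.username

    def logon(self, card: SmartCard, pin: str):
        """Later logons: card + PIN only; the stored binding identifies the account and
        the portal lists the applications that account may reach."""
        if not card.verify_pin(pin):
            return None
        user = self.by_card.get(card.serial)
        if user is None:
            return None                      # valid card, but never enrolled here
        return user.username, sorted(user.apps)

    def request_otp(self, username: str, now: Optional[float] = None) -> Optional[str]:
        """Fallback for a forgotten card or reader, only for users already enrolled.
        Returned here for the demo; a real system hands it to an SMS gateway instead."""
        user = self.directory.get(username)
        if user is None or user.card_serial is None or user.mobile is None:
            return None
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending_otp[username] = (otp, (now or time.time()) + self.OTP_TTL)
        return otp

    def logon_with_otp(self, username: str, password: str, otp: str, now: Optional[float] = None):
        """Assumed fallback check: AD password plus the one-time code. The code is consumed
        on first use whether or not it matched, so it cannot be brute-forced by retrying."""
        entry = self.pending_otp.pop(username, None)
        user = self.directory.get(username)
        if entry is None or user is None:
            return None
        expected, expiry = entry
        if (now or time.time()) > expiry:
            return None
        if not hmac.compare_digest(user.password_hash, hash_pw(password)):
            return None
        if not hmac.compare_digest(expected, otp):
            return None
        return user.username, sorted(user.apps)


def demo():
    """Constructed scenario: one user enrols, logs on by card, then falls back to OTP."""
    directory = {
        "jsmith": ADUser("jsmith", hash_pw("correct horse"), ["Local EPR", "CfH Spine"],
                         mobile="+447700900123"),
        "akhan": ADUser("akhan", hash_pw("battery staple"), ["Local EPR"]),
    }
    has = HealthAccessSystem(directory)
    card = SmartCard(serial="NHS-0001", pin="1234")
    steps = {}
    steps["cold_logon"] = has.logon(card, "1234")                 # None: card not enrolled yet
    steps["enrol"] = has.enrol(card, "1234", "jsmith", "correct horse")
    steps["logon"] = has.logon(card, "1234")
    steps["bad_pin"] = has.logon(card, "0000")
    otp = has.request_otp("jsmith", now=1000.0)
    steps["otp_logon"] = has.logon_with_otp("jsmith", "correct horse", otp, now=1010.0)
    steps["otp_replay"] = has.logon_with_otp("jsmith", "correct horse", otp, now=1020.0)
    steps["otp_unenrolled"] = has.request_otp("akhan", now=1000.0)   # None: never enrolled
    return steps


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15} -> {result}")
```

The point the model makes explicit is that the password is only ever checked at enrolment (and, under the assumption above, on the fallback path): after the card serial is written into the directory record, the card plus its PIN is the whole credential, so the binding step is the one that needs the strongest proof of account ownership, and the passcode fallback must refuse anyone who has not completed it.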

BEHHIS programme manager Perry Meyer said that by using technologies the NHS already owned, the PCTs involved in BEHHIS have saved a lot of money. "Implementing such comprehensive and strong two-factor authentication from scratch, using PKI or token-based access, would simply not be feasible for our PCTs," Meyer said. "The overall project cost was about £250,000. A PKI project would have cost double that amount."
