This topic gives you an introduction to what NHS Smart Cards are for, how they are used, why NHS Smart Cards are a vital feature for NHSbuntu, and, at a high level, how Smart Cards work. For more detailed technical information, see this other topic: ‘How NHS Smart Cards Work - a Technical Guide’ (coming soon).
NHS Smart Card Basics
NHS Smart Cards form a major part of the access control to many NHS systems. They are similar to Chip and PIN bank cards.
They are required for clinicians and support staff to access NHS National Services (also known as NHS ‘Spine’ services) - such as the Summary Care Record, Personal Demographics Service, Electronic Prescriptions Service and e-Referral Service, and others. They can also be used for local access control to IT systems, for example, for the initial act of logging on to a Windows PC in a hospital.
Smart Cards are usually issued by the employing trust to the individual member of staff, following identity verification of the user to this standard. The intention is that they should only be used by that member of staff. (In the real world of the NHS, we are aware of some instances in which this is not quite true - for example, some trusts have a ‘pool’ of Locum cards, issued on a temporary basis to locum doctors or bank nurses, or sometimes a user leaves their card in a computer.)
Users need to insert their card and then ‘unlock’ it using a PIN which can be a mixture of numbers and letters, and is commonly 4 digits (although it is not limited to 4 digits). Requiring a PIN entry step attempts to ensure that the card can only be used by the user it was issued to, since only they should know the PIN.
Without getting too far into the technical detail, Smart Cards contain a cryptographic ‘key’ which, once unlocked with the PIN, can be used to ‘sign’ data and create secure cryptographic messages, which allow the user to sign into NHS National Systems.
NHS National Systems are browser-based applications, so in the main there’s no major problem running those on Linux. The Smart Card authentication software (the ‘Identity Agent’) as provided by NHS Digital is, however, a Windows-only system, which means we can’t use it for NHSbuntu. Hence we’re working on a cross-platform, open source Identity Agent system.
For a deeper dive into how Smart Cards work, with some technical detail, see this post.
This article was written during the NHS Digital Hack Week 26th - 30th June, which the NHSbuntu team attended in order to support NHS Digital team members who had chosen to work on a Linux version of the Identity Agent during Hack Week. Read our blog post about it here.