How NHS Smart Cards Work - a Beginner's Guide


(Marcus Baw) #1

This topic will give you an introduction to what NHS Smart Cards are for, how they are used, why NHS Smart Cards are a vital feature for NHSbuntu, and, at a high level, how Smart Cards work. For more detailed technical information, see this other topic: ‘How NHS Smart Cards Work - a Technical Guide’ (coming soon).

NHS Smart Card Basics

  • NHS Smart Cards form a major part of the access control to many NHS systems. They are similar to Chip and PIN bank cards.

  • They are required for clinicians and support staff to access NHS National Services (also known as NHS ‘Spine’ services) - such as the Summary Care Record, Personal Demographics Service, Electronic Prescriptions Service and e-Referral Service, and others. They can also be used for local access control to IT systems, for example, for the initial act of logging on to a Windows PC in a hospital.

  • Smart Cards are usually issued by the employing trust for the individual member of staff, following identity verification of the user to this standard. The intention is that they should only be used by that member of staff. (In the real world of the NHS, we are aware of some instances in which this is not quite true - for example, some trusts have a ‘pool’ of Locum cards, issued on a temporary basis to locum doctors or bank nurses, or sometimes a user leaves their card in a computer)

  • Users need to insert their card and then ‘unlock’ it using a PIN which can be a mixture of numbers and letters, and is commonly 4 digits (although it is not limited to 4 digits). Requiring a PIN entry step attempts to ensure that the card can only be used by the user it was issued to, since only they should know the PIN.

  • Without getting too far into the technical detail, Smart Cards contain a cryptographic ‘key’ which, once unlocked with the PIN, can be used to ‘sign’ data, and create secure cryptographic messages, which allow the user to sign into NHS National Systems.

  • NHS National Systems are browser-based applications, so in the main there’s no major problem running those on Linux. The Smart Card authentication software (the ‘Identity Agent’) as provided by NHS Digital is, however, a Windows-only system, which means we can’t use it for NHSbuntu, hence we’re working on a cross-platform, open source Identity Agent system.

Next:

For a deeper dive into how Smart Cards work, with some technical detail, see this post.


This article was written during the NHS Digital Hack Week 26th - 30th June, which the NHSbuntu team attended in order to support NHS Digital team members who had chosen to work on a Linux version of the Identity Agent during Hack Week. Read our blog post about it here.


(Barry Schofield) #2

Well, how does that work with NHSbuntu? Do you have to have a card reader?


(Rob Dyke) #3

Yes. We have packaged up drivers for the omnipresent OmniKey 3121 reader in our repo here

https://packagecloud.io/nhsbuntu/nhs-smartcards
https://github.com/NHSbuntu


(Paul Williams) #4

Just downloading your build, does this mean you have spine authentication working?


(Rob Dyke) #5

Almost!


(Aaron Donnelly) #6

Just so you are aware, I’m not sure if every trust issues Smart Cards to new members of staff at this point in time… I hear rumours that they are only issued out to Managers where required.

In terms of Workstation Support it is usually a big deal if someone’s Smart Card reader stops working on their Keyboard, which leads me to concur that this is an important attribute to consider.


#7

Hi Aaron,
Within my trust they are issued to anyone who needs to access the NHS spine to update patient demographics (so anyone who is patient facing really)
We also use them to access a number of other non clinical systems. I would guess somewhere between 50% - 75% of staff in my trust would have them.


(Aaron Donnelly) #8

Cool beans. I know they’re important, just don’t have access to my own to help with the testing.

Will have to see if I can locate someone at our trust that has one and is interested in trying the O/S.


#9

Best non clinical groups to speak to are probably HR, Finance/Payroll or Education and Training. They all likely use systems which require smartcard authentication.
I don’t know if there’s a way to private message on this forum (?) but feel free to PM me what trust you work for as I may have some contacts there? Happy to help if I can! :)


(Paul Williams) #10

Is this of any use:



http://research.nationalhealthexecutive.com/content55930


(Ian Simons) #11

Within our Trust Smartcards are issued to 100% of staff and done so at induction. They are used for our PAS, Spine Portal applications etc for patient facing/admin staff and ESR for HR, Finance and Staff Services. The entire Trust relies upon them for ESR when completing mandatory and optional online training.


(Aaron Donnelly) #12

I’m in the process of requesting a card for testing purposes.

Please can I ask for the best way to test the identity agent once I am issued with one? I’m not sure if our smart card readers are going to work with the software out of the box.


(Rob Dyke) #13

We’ve been working with the Omnipresent OmniCard readers.

The meta-package we’ve published will install Omnikey HID, Gemalto middleware and openssl v0.9.something.

Rob


(Adrian Wilkins) #14

openssl v0.9.something

Isn’t the 0.9 series out of support? Is there some kind of compatibility problem that prevents use of >= 1.0.2 ?

https://www.openssl.org/source/


(Aaron Donnelly) #15

Hi Adrian,

I can’t answer your question, hopefully someone else will.

I’ll be working with HP USB Smartcard CCID keyboards. I’ve just installed the “libccid” and “pcscd” packages using apt-get and will hopefully be getting my hands on my own smartcard over the course of next week.


(Rob Dyke) #16

@aarond - here are our packages
https://packagecloud.io/nhsbuntu/nhs-smartcards

@Adrian.wilkins - yes… openssl 0.9.8 required for the Gemalto / pkcs foo