NHS Care Identity Service 2 - Standards based Authentication

ID: RM127

Version: 2.0.1

Type: Roadmap Item

Frameworks:

Title: NHS Care Identity Service 2 - Standards based Authentication

Description: Move User Authentication to the new Care Identity Service (CIS) to allow the planned deprecation of CIS Authentication Service.

Date Added: Nov 5, 2021

Standards and Capabilities: Information Governance, Interoperability Standard, Authentication and Access

Change Route: Managed Capacity – Other

Change Type: New

Status: Closed

Publication Date: Dec 2, 2021

Effective Date: Mar 31, 2023

Incentives / Funding: No

Incentive / Funding Dates: N/A

Background

NHS system providers who access national systems, or who have a requirement for strong authentication (Access Assurance Level 3), use the existing Care Identity Service (CIS), which utilises a bespoke SAML authentication interface first envisaged in the early part of the National Programme for IT, 15+ years ago. There has been a drive for a number of years to move all commonly used interfaces across the NHS to be standards based. Authentication is a key area where a move to standards can have significant benefits for all stakeholders involved. The vast majority of large-scale platforms (Google, Facebook, Twitter etc.) support open authentication standards that allow simpler integrations that are well understood by provider and integrator.

CIS2 as a platform was envisaged and introduced into live service in 2019, initially as an iPad-based pilot with London Ambulance Service accessing the Summary Care Record application. The CIS2 authentication service (Care Identity Authentication - CIA) ran a successful pilot over a 15 month period and moved to platinum service level in February 2021 to support adoption at scale across the NHS.

The Care Identity Authentication (CIA) service, which is part of the CIS2 service, requires each supplier looking to provide strong authentication services to its user base to make changes to their code to support OpenID Connect (OIDC) standards, with FIDO2 and WebAuthn providing ‘client’ side authentication. The CIS2 Platform and associated suite of products and services is the national identity verification and authentication service that will ultimately replace the current CIS service. The service currently supports a range of authenticators in addition to the smartcard. This roadmap item asks suppliers to plan in work to integrate with CIS2 and move user authentication to the new service, to allow the planned deprecation of the CIS Authentication Service.

NHS CIS2 has a number of main aims:

  1. Allow the use of new authentication methods to support users’ workstyles.

  2. Simplify the effort needed to integrate an application with the authentication service.

  3. Remove the need for outdated technology like IE11 or Java applets.

  4. Allow the use of the latest operating systems and browsers.

To enable these aims, the CIS2 authentication service (CIA) is providing an OpenID Connect (OIDC) solution. OIDC is an Internet Engineering Task Force (IETF) standard that defines a protocol for applications to request a user authentication from an Identity Provider (IdP) such as NHS CIS2.
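As an added illustration (not code from the original page, nor from NHS Digital or the CIS2 service), the following Python sketches the relying-party side of the OIDC exchange the paragraph describes: building the authentication request sent to the Identity Provider, checking the `state` echoed back, and validating the claims of the returned ID token as OpenID Connect Core 1.0 section 3.1.3.7 requires. The issuer, client id, endpoint and token values are constructed placeholders; the real CIS2 values and its supported signing algorithms come from the published developer guidance linked on this page. Signature verification against the IdP's JWKS is assumed to be done by a JOSE library before the claims are trusted and is not implemented here.

```python
import base64
import hashlib
import json
import secrets
import time
from typing import Optional
from urllib.parse import urlencode

# Constructed placeholder values. The real CIS2 issuer, endpoints and client
# registration come from the published CIS2 developer guidance, not from here.
ISSUER = "https://idp.example.invalid"
CLIENT_ID = "example-relying-party"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge for a code_verifier (RFC 7636 section 4.2)."""
    return b64url_encode(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple:
    """Fresh (code_verifier, code_challenge); the verifier stays in the session."""
    verifier = b64url_encode(secrets.token_bytes(32))  # 43 unreserved characters
    return verifier, pkce_challenge(verifier)


def build_authorization_request(authorize_endpoint: str, redirect_uri: str,
                                state: str, nonce: str, code_challenge: str,
                                scope: str = "openid") -> str:
    """Authorization Code flow request. state and nonce are random, stored in
    the RP's session, and checked again when the IdP redirects back."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def check_callback_state(callback_params: dict, session_state: str) -> bool:
    """The state echoed back by the IdP must equal the one in the session."""
    return secrets.compare_digest(callback_params.get("state", ""), session_state)


def id_token_claims(id_token: str) -> dict:
    """Split a compact JWS and decode its payload. This only parses; the
    signature is assumed to have been verified against the IdP's JWKS already."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("ID token is not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def validate_id_token_claims(claims: dict, expected_nonce: str,
                             now: Optional[float] = None, leeway: int = 60) -> list:
    """Return the list of failed checks; an empty list means the token is
    acceptable for this client (OpenID Connect Core 1.0 section 3.1.3.7)."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud_list:
        problems.append("audience does not include this client")
    if len(aud_list) > 1 and claims.get("azp") != CLIENT_ID:
        problems.append("multiple audiences but azp is not this client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        problems.append("token expired or exp missing")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + leeway:
        problems.append("iat missing or in the future")
    if not claims.get("sub"):
        problems.append("sub missing")
    if not secrets.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        problems.append("nonce mismatch")
    return problems


def demo() -> list:
    """Walk the round trip with a constructed ID token; returns the problem list."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    url = build_authorization_request(f"{ISSUER}/authorize",
                                      "https://rp.example.invalid/callback",
                                      state, nonce, challenge)
    assert "code_challenge_method=S256" in url
    now = int(time.time())
    payload = {"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
               "exp": now + 300, "iat": now, "nonce": nonce}
    # Constructed token: header and payload only; the signature part is a dummy.
    fake_token = ".".join([b64url_encode(b'{"alg":"RS256","kid":"constructed"}'),
                           b64url_encode(json.dumps(payload).encode()), "sig"])
    assert check_callback_state({"state": state, "code": "constructed"}, state)
    return validate_id_token_claims(id_token_claims(fake_token), nonce, now=now)


if __name__ == "__main__":
    print("problems:", demo())
```

The checks that matter most for a supplier moving off the bespoke SAML interface are the ones that bind the response to the session: `state` ties the callback to the request that started it, `nonce` ties the ID token to that same request, and the `aud` check stops a token minted for a different client being accepted by this one.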

NHS CIS2 provides benefits in the following areas:

Multifactor authentication

Using a device that is associated with the user allows them to authenticate with biometrics (fingerprint and facial recognition) and smartcards. In the future, there will be additional ways to be able to prove identity, using the latest secure technologies.

Supports modern health and care

Users can securely access clinical information at the point of need using a range of devices, for example tablets and laptops. This supports modern and mobile ways of working within health and care.

Easy integration

Uses OpenID Connect, the leading standard for single sign-on and identification on the internet.

Secure

NHS CIS2 uses the OpenID Connect protocol. It works with modern browser technology, making systems more secure and less vulnerable to malware and other malicious attacks.

Outline Plan

NHS Digital published the standards that all suppliers across the NHS need to adhere to in 2020, with minor revisions to support feedback following successful implementations from a number of internal and external teams. We have set a firm date of September 2023 by which we will switch off all authentication via the existing CIS authentication mechanisms. This means that all system suppliers must have evidenced that they are meeting the standards and moved all their users to the new service by the end of September 2023.

All suppliers can start the CIS2 onboarding journey immediately. The IAM Platform team can support the initial onboarding dialogue and ensure that suppliers are clear about the process and how to get started.

Summary of Change

NHS Digital have prepared an integration toolkit that provides guidance on how to get approval for products or services to use CIS2. The toolkit breaks down into 4 high-level stages:

  • Apply for NHS CIS2 - via a service assessment questionnaire

  • Prepare and Plan - understand the next level of detail required to integrate

  • Test and Integrate – we use a risk-based approach to testing and integration; there are some technical conformance tests to demonstrate adherence to the required standards

  • Go live – go live approval steps

The toolkit is available here:

https://digital.nhs.uk/services/identity-and-access-management/nhs-care-identity-service-2/care-identity-authentication/integration-toolkit

Full Specification

The full specification is provided online. The specification has not changed for a number of months and there are no plans to materially change it, so organisations should always refer to the published versions of the specifications.

The root of the site is here:

https://digital.nhs.uk/services/identity-and-access-management/nhs-care-identity-service-2

Guidance for Developers is outlined here:

https://digital.nhs.uk/services/identity-and-access-management/nhs-care-identity-service-2/care-identity-authentication/guidance-for-developers

with detailed guidance contained here:

https://digital.nhs.uk/services/identity-and-access-management/nhs-care-identity-service-2/care-identity-authentication/guidance-for-developers/detailed-guidance

The integration toolkit provides guidance on all the documentation required to move between path-to-live environments and the evidence required at each gate to ensure a successfully assured and approved implementation:

https://digital.nhs.uk/services/identity-and-access-management/nhs-care-identity-service-2/care-identity-authentication/integration-toolkit

Assurance Approach

Overview:

CIS2 makes use of the Supplier Conformance Assessment List (SCAL) assurance method.

Plan

To prepare for the development and assurance approach, the developing organisation should:

  • Gain access to the development environment

  • Review the Supplier Conformance Assessment List (SCAL)

  • Complete the Data Security and Protection Toolkit (DSPT)

  • Check the clinical risk management process

  • Check the medical device status

  • Download the Go Live Checklist

The detail of the above is contained here:

https://digital.nhs.uk/services/identity-and-access-management/nhs-care-identity-service-2/care-identity-authentication/integration-toolkit/prepare-and-plan

Test and Integrate

When the team are ready to enter the formal assurance process, they should:

  • Complete and submit the Integration Request Form (aka development environment request form)

  • Test in the integration environment and get your report

  • Complete and submit the service Discovery Form (external clients only)

  • Complete and submit your roll out plan

  • Complete and submit the Supplier Conformance Assessment List (SCAL)

  • Complete and submit the relevant agreements

  • Complete and submit the Go Live Checklist

The detail of the assurance process is contained here:

https://digital.nhs.uk/services/identity-and-access-management/nhs-care-identity-service-2/care-identity-authentication/integration-toolkit/test-and-integrate

Go Live and Support

Once assurance has been completed, approval must be sought for your product or service to go live, so that the service teams are aware the solution is transitioning to live and so that you understand the support available post go-live.

The detail of this final stage is included here:

https://digital.nhs.uk/services/identity-and-access-management/nhs-care-identity-service-2/care-identity-authentication/integration-toolkit/go-live-and-support