
How the NHS is Planning to Provide its Patients with Secure, Scalable Access to Medical Records

In order to provide a patient with secure access to their medical records, it’s important to establish who they are (their identity) and what they are allowed to have access to. In technical terms, establishing identity is referred to as authentication and establishing what they are allowed to do is referred to as authorization.

When I log in to my online banking account, I have to input a username, a password and a one-time code generated by a card reader (after inserting my debit card and entering my PIN). Each of these is an authentication factor. Because the factors I must provide include things that I know (password and PIN) and something that I have (the debit card, proven by the code the reader generates), this is multi-factor authentication (MFA); two-factor authentication (2FA) is the common special case of MFA that uses exactly two kinds of factor, as here. Note that a password and a PIN on their own are both knowledge factors and would count as a single factor; the strength comes from combining different kinds. Once my identity has been established, some part of the bank's system works out what I'm allowed to do. In my case, I'm authorised to have full access to a few accounts (current, savings and ISAs) and restricted access to a corporate account (which allows me to view the transaction history only, i.e. I am not allowed to transfer or deposit money or request a change of the credit limit on this account). These rules are known as authorization.

When designing computer systems, it's desirable to separate concerns. This is done by building modular systems, with each module being optimised to address a given concern (see separation of concerns, SoC). In an identity context, there are several common concerns: authentication, authorization, storage of protected resources (e.g. stores of personal data) and the client applications which a person may wish to use to access their protected resources (e.g. a mobile banking app).

Separating identity concerns in this way allows for a single sign-on (SSO) scenario, in which a person is able to access many different protected resources with a single set of credentials. This is common with social identities, for example, where you register for a new service or app and are offered the option to register with your Google or Facebook account. Obviously, single sign-on reduces the burden on users of having to remember many different sets of credentials. The trade-off is that the identity provider account becomes the key to everything behind it, so it deserves the strongest authentication available. Typically with single sign-on, your identity provider (e.g. Google or Facebook) will ask for your consent before allowing a client application to obtain access to your identity.

An example of an app (“Bike to Work Day”) requesting consent to use Matt’s Facebook Account, as a means of identity authentication.

In the identity world, a number of common standards exist which define protocols for separating these concerns. The most popular, modern and widely used are OAuth 2.0 for authorization and OpenID Connect for authentication. These two standards work hand-in-hand: OpenID Connect is an identity layer built on top of OAuth 2.0. These standards have led to the emergence of open source libraries, which greatly increase the speed of development (implementation), whilst simultaneously reducing the risk of implementation errors introduced by developers who are not familiar with the standards. A library still has to be used correctly, though: exact redirect URI matching, the state and nonce parameters, and validation of the issuer, audience, expiry and signature of every token are the client's responsibility whatever library it uses.

NHS Digital (the UK's national information and technology partner to the health and care system) has been working on a national citizen identity system for several years. The system is called NHS Login (previously known as Citizen ID). Its first tangible use-case is the NHS App, a national app which is being rolled out to patients early this year (2019). NHS Login will be available to use in other services later in the year (allowing SSO). NHS Login will allow patients to register for their "NHS Account" by following a number of identity verification steps. These steps will include showing some identity documents to your phone or computer's camera (e.g. a passport or driving licence) as well as a short video recording of yourself reading some text from the screen. These two pieces can be combined to prove that the person applying for the account is alive (i.e. not someone holding up a photo of someone else) and matches the person in the identity document. The identity document, in turn, can be used to match against your existing NHS identity (i.e. your NHS Number). This automated process is a great advantage over the previous identity vouching mechanism, which relied on (and burdened) health professionals with identity document checking. The new system will enable a high level of assurance (LoA) of a patient's identity, a concept that is described in more detail in the (UK) Government Good Practice Guide (GPG) 45, Identity Proofing and Verification of an Individual.

Your NHS Account will be able to be used in the future as a means to gain authorization to access national services. One such service is the National Events Management System (NEMS), which is currently under development by NHS Digital. This system offers the potential of access to your medical records, which will flow nationally between acute, primary, community and other types of services. Your NHS Account will also be used to allow you to gain authorization to your medical records that are held on a regional basis; this will likely be done by exchanging your nationally issued NHS Login ID token for a regionally issued access token. This regional separation of authentication and authorization is necessary because, while it is possible to authenticate a patient on a national basis, authorization rules and obligations lie with data controllers regionally (hence the need to step authorization down to a regional level). In other words, the national ID token proves who you are, but each regional service must still decide for itself what that identity is allowed to do with its data before issuing an access token. This will be possible by means of a trust framework policy covering national and regional services. For more information on developments in regional digital infrastructure, see local health and care records (LHCR).

The NHS Login service will support OAuth 2.0 and OpenID Connect, which is a welcome move. Underneath these protocols are a number of alternative grant flows. It will be important for clients to have access to, and to select, the right grant flow. This depends on factors such as the client type, in particular whether the client is public (e.g. a mobile app or single-page web app, which cannot keep a client secret) or confidential (a server-side application that can). A public client such as a patient-facing mobile app should use the authorization code grant with PKCE rather than the implicit grant, which hands tokens to the browser via the front channel.
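The following is an added example, not code from NHS Digital or the NHS Login service, covering both the grant-flow choice above and the national-to-regional token exchange described earlier. It sketches what a public (mobile) client and a regional authorization server each have to do: generate and verify a PKCE pair, build an authorization request, validate an OpenID Connect ID token (signature, algorithm, issuer, audience, expiry, nonce), and then exchange that national ID token for a regionally scoped access token after a local authorization decision. Everything specific is an assumption: the issuer URLs, client id, redirect URI, the `nhs_number` claim name, the regional policy table, the RFC 8693-style exchange shape, and the use of HS256 shared secrets as a stand-in for the RS256/JWKS keys a real provider would publish.

```python
"""Public-client OIDC flow plus regional token exchange (constructed example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple
from urllib.parse import urlencode

NATIONAL_ISSUER = "https://login.nhs.example"       # assumed national issuer URL
CLIENT_ID = "nhs-app-mobile"                        # assumed public client id
REGIONAL_ISSUER = "https://records.region.example"  # assumed regional authorization server


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pkce_pair() -> Tuple[str, str]:
    """code_verifier stays on the device; only the S256 challenge goes in the authorization request."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


def pkce_matches(challenge: str, verifier: str) -> bool:
    """Check the authorization server performs when the code is redeemed; a stolen code is useless without the verifier."""
    return hmac.compare_digest(challenge, b64url(hashlib.sha256(verifier.encode()).digest()))


def authorization_url(challenge: str, state: str, nonce: str) -> str:
    """Authorization code grant: no tokens in the front channel, state binds the redirect, nonce binds the ID token."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": "nhsapp://callback",   # assumed; must be registered and matched exactly by the server
        "scope": "openid profile",
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{NATIONAL_ISSUER}/authorize?{urlencode(params)}"


def sign_jwt(claims: dict, key: bytes) -> str:
    """HS256 signing as a stand-in for the asymmetric keys a real provider uses."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_jwt(token: str, key: bytes, issuer: str, audience: str,
               nonce: Optional[str] = None, now: Optional[int] = None) -> dict:
    """Reject the token unless signature, alg, iss, aud, exp and (if supplied) nonce all check out."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("signature mismatch")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, never the token, decides the algorithm
    claims = json.loads(b64url_decode(body))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this audience")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if nonce is not None and claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims


# Assumed regional authorization policy keyed by NHS number (a standard test-format number, constructed).
REGIONAL_POLICY = {"9434765919": {"records:read"}}


def regional_token_exchange(id_token: str, national_key: bytes, regional_key: bytes,
                            requested_scope: str, now: Optional[int] = None) -> str:
    """Regional AS: authenticate with the national ID token, authorize locally, issue a short-lived access token."""
    claims = verify_jwt(id_token, national_key, NATIONAL_ISSUER, CLIENT_ID, now=now)
    nhs_number = claims["nhs_number"]  # assumed claim name
    granted = sorted(set(requested_scope.split()) & REGIONAL_POLICY.get(nhs_number, set()))
    if not granted:
        raise PermissionError("no regional authorization for this subject")
    now = int(time.time()) if now is None else now
    return sign_jwt({"iss": REGIONAL_ISSUER, "sub": claims["sub"], "aud": REGIONAL_ISSUER + "/fhir",
                     "scope": " ".join(granted), "nhs_number": nhs_number,
                     "iat": now, "exp": now + 300}, regional_key)
```

The point of the split is visible in `regional_token_exchange`: the national token is only ever treated as proof of identity, and the scopes in the regional access token come from the regional policy, never from the requester. Scopes the patient is not entitled to locally are simply dropped, and a request that would grant nothing is refused outright.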

The NHS Login service will be one of the first national services to provide secure but public access over the Internet. Again, this is a welcome move, as it greatly reduces the burden and downstream cost on integrating parties, and ultimately, to system commissioners (as opposed to the old and expensive private wide area network infrastructure – N3 / HSCN). This is also in line with the UK Government’s (public) cloud first policy.

Initially, NHS Login will not allow a patient to delegate access (for example, an elderly mother in the early stages of dementia delegating access to her daughter, in order to help manage her care). Neither will it allow proxy access (for example, where a parent may be given access to their child's medical records). However, these are two concepts which NHS Digital are considering for future releases.
