Comment: Roadmap Item is Effective
ID: RM127

Version: 2.0.1

Type: Roadmap Item

Frameworks:

Title: NHS Care Identity Service 2 - Standards based Authentication

Description: Move User Authentication to the new Care Identity Service (CIS) to allow the planned deprecation of CIS Authentication Service.

Date Added:

Standards and Capabilities: Information Governance, Interoperability Standard, Authentication and Access

Change Route: Managed Capacity – Other

Change Type: New

Status: Published / Closed

Publication Date:

Effective Date:

Incentives / Funding: No

Incentive / Funding Dates: N/A
...

NHS Systems providers who access national systems or who have a requirement for strong authentication (Access Assurance Level 3) use the existing Care Identity Service (CIS), which utilises a bespoke SAML authentication interface first envisaged in the early part of the National Programme for IT 15+ years ago. There has been a drive for a number of years to move all commonly used interfaces across the NHS to be standards based. Authentication is a key area where a move to standards can have significant benefits to all stakeholders involved. The vast majority of large-scale platforms (Google, Facebook, Twitter etc.) support open authentication standards that allow simpler integrations that are well understood by provider and integrator.

CIS2 as a platform was envisaged and introduced into live service in 2019, initially working as an iPad-based pilot with London Ambulance Service accessing the Summary Care Record application. The CIS2 authentication service (Care Identity Authentication - CIA) ran a successful pilot over a 15-month period and moved to platinum service level in February 2021 to support adoption at scale across the NHS.

The Care Identity Authentication (CIA) service, which is part of the CIS2 service, requires each supplier looking to provide strong authentication services to its user base to make changes to their code to support OpenID Connect (OIDC) standards, with FIDO2 and WebAuthn providing ‘client’ side authentication. The CIS2 Platform and associated suite of products and services is the national identity verification and authentication service that will ultimately replace the current CIS service. The service currently supports a range of authenticators in addition to the smartcard. Suppliers are asked to plan in work to integrate with CIS2 and move user authentication to the new service to allow the planned deprecation of the CIS Authentication Service.

...

To enable these aims, the CIS2 authentication service (CIA) is providing an OpenID Connect (OIDC) solution. OIDC is an Internet Engineering Task Force (IETF) standard that defines a protocol for applications to request a user authentication from an Identity Provider (IdP) such as NHS CIS2.

...

Using a device that is associated with the user allows them to authenticate with biometrics (fingerprint and facial recognition) and smartcards. In the future, there will be additional ways to be able to prove identity, using the latest secure technologies.

...

Users can securely access clinical information at the point of need using a range of devices, for example tablets and laptops. This supports modern and mobile ways of working within health and care.

Easy integration

Uses OpenID Connect, the leading standard for single sign-on and identification on the internet.

Secure

NHS CIS2 uses the OpenID Connect protocol. It works with modern browser technology, making systems more secure and less vulnerable to malware and other malicious attacks.

...

The toolkit is available here:

https://digital.nhs.uk/services/identity-and-access-management/nhs-care-identity-service-2/care-identity-authentication/integration-toolkit

Full Specification

The full specification is provided online. The specification has not changed for a number of months and there are no plans to materially change it, so organisations should always refer to the published versions of the specifications.

The root of the site is here:

https://digital.nhs.uk/services/identity-and-access-management/nhs-care-identity-service-2

Guidance for Developers is outlined here:

https://digital.nhs.uk/services/identity-and-access-management/nhs-care-identity-service-2/care-identity-authentication/guidance-for-developers

Detailed guidance is contained here:

https://digital.nhs.uk/services/identity-and-access-management/nhs-care-identity-service-2/care-identity-authentication/guidance-for-developers/detailed-guidance

The integration toolkit provides guidance on all the documentation required to move between path-to-live environments and the evidence required at any gates to ensure a successfully assured and approved implementation:

https://digital.nhs.uk/services/identity-and-access-management/nhs-care-identity-service-2/care-identity-authentication/integration-toolkit

Assurance Approach

Overview:

...

The detail of the above is contained here:

https://digital.nhs.uk/services/identity-and-access-management/nhs-care-identity-service-2/care-identity-authentication/integration-toolkit/prepare-and-plan

Test and Integrate

When the team is ready to come into the formal Assurance process, they should:

  • Complete and submit the Integration Request Form (aka development environment request form)

  • Test in the integration environment and get your report

  • Complete and submit the service Discovery Form (external clients only)

  • Complete and submit your roll out plan

  • Complete and submit the Supplier Conformance Assessment List (SCAL)

  • Complete and submit the relevant agreements

  • Complete and submit the Go Live Checklist

The detail of the assurance process is contained here:

https://digital.nhs.uk/services/identity-and-access-management/nhs-care-identity-service-2/care-identity-authentication/integration-toolkit/test-and-integrate

Go Live and Support

When assurance has been completed, we need to seek approval for your product or service to go live, to ensure that the service is aware that the solution is transitioning to live and for you to understand the support available post live.

The detail of this final stage is included below:

https://digital.nhs.uk/services/identity-and-access-management/nhs-care-identity-service-2/care-identity-authentication/integration-toolkit/go-live-and-support