Marc Poulaud

About Marc Poulaud

Marc is Co-founder and CTO at Isosec. He passionately believes in solving real world problems simply and efficiently through the use of technology. Marc also loves being part of a great team, keeping fit and spending time with family and friends.

Streamlining Windows and clinical application logon with the NHS Smartcard

As part of our product roadmap, we are about to release our next iO product – iO Logon. I always get a little excited when we release something new and innovative, especially as it’s something I’ve wanted to do for a long time – make the NHS Smartcard able to log on to Windows and the Spine seamlessly.

First some history.

Back in the NPfIT days, we used to joke that Spine SSO (Single Sign On) was the only single sign-on system where a user had to log on twice – once for Windows with username and password (AKA AD Credentials) and then with a smartcard to access Spine clinical applications. This has been the norm for a long time resulting in delays for users wanting to get or update patient information or order tests.

We introduced Spine Session Persistence back in 2012 – the ability to keep clinical applications running even when disconnected from a virtual desktop, saving at least 30 seconds every time a user re-connected back to their virtual desktop. This helped in a big way to improve the experience for clinical users through integrating the technology better.

So, the current user experience goes something like – turn up to work, log in to Windows with username and password. Wait. Virtual desktop appears a few seconds later. Insert smartcard. Enter passcode. Select role. Clinical app starts. Wait. Wait some more. Still waiting. Clinical application now available. After some time using the clinical application, the user disconnects from the virtual desktop to return some time later. Log on to Windows again. Wait. Insert smartcard. Continue using clinical application.

Our vision is about enabling clinicians to do what they do best – treat patients using efficient supporting IT systems. Not the other way round of battling with IT systems to then deliver patient care.

iO Logon delivers just that – a fast and streamlined access to clinical applications.

The new process goes like this:

1. User walks up to a workstation and presents their NHS smartcard – either inserting it or placing it on a contactless reader


2. User is prompted for their NHS smartcard passcode – not their Windows username and password!


You’ll notice that there is a remember passcode tickbox, meaning the user doesn’t need to enter it again until a policy-defined period elapses or a policy-defined event occurs; simply presenting the card next time lets them straight in. While the passcode is remembered, the card on its own is the credential, so the remember period should be set alongside the card-removal and locking policies rather than in isolation.

And that’s it – the user is signed in to Windows and their Spine applications launch. Then, simply remove the smartcard and the user is returned to Step 1. Removing the smartcard disconnects them. Re-presenting the smartcard gets them back to their applications where they left off – a matter of approximately 1 second.

From an administration point of view we’ve designed this to be as simple as possible. Registration for the iO Logon service is done by the user by simply enrolling their card when they present it for the first time:


Obviously, there is still a management interface for setting up the various policies and de-registering cards, but that’s it.

One of the really great aspects of this new iO Logon product is the analytics. As W. Edwards Deming famously observed, “without data, you’re just somebody else with an opinion”. In the case of user logon time this is very true. Just how long does it take to log on and get access to a clinical application? Isosec has its own cloud-based analytics platform that collects this information to give an unequivocal view. This view breaks down the individual stages of the authentication process and how long each takes before the clinical app is ready. It can also show a macro view of all authentications for a particular user as well as across groups of users. This allows bottlenecks to be identified and improvements made. I’ll discuss the analytics in more detail as we release more of our analytics roadmap functionality.

On a final note, iO Logon is part of an exciting and ambitious roadmap for iO. We are busy working through R&D for our next iO solution aimed at agency staff. More on that soon.

New Pilot Analytics Service Announced

We are preparing the next set of Isosec products as part of our Isosec Roadmap and would like to announce a pilot Analytics service. This first instalment will enable trusts to access all their user authentication records for all Isosec products.

Initially the analytics service information available is limited to:

    Authentication Timestamp, Isosec Product, Isosec Product Version, Device Id, User Certificate Id, Platform Operating System

This applies to our MIA platform and MIA applications such as MIA Maternity as well as iO and iO Local which is embedded as part of RiO Store and Forward and Open RiO.

As part of the roadmap, we’ll then look to add a rich set of additional information, including user information, GPS location information, clinical application information and detailed device information.

This will culminate with an analytics dashboard providing key business insights and governance information on the usage of clinical applications by users on desktop, virtual or mobile devices.

What can Analytics do?

Analytics provides a complete and detailed view of how users access which applications from which device and where. This can be done directly through inspecting a specific user, device or application or even location. It can also be done indirectly by identifying patterns in this information.

This can enable:

  • Uncovering of Information Governance issues, directly or indirectly, through unusual behaviour such as the sharing of smartcard credentials (for example, one user certificate authenticating on two different devices within a few minutes)
  • Identifying where applications are or are not being used by certain users
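The credential-sharing check above can be run directly over the six fields the pilot exposes. The following is an added example, not Isosec’s analytics code: it parses constructed records carrying Authentication Timestamp, Product, Product Version, Device Id, User Certificate Id and Operating System, and flags any certificate that authenticates on two different devices within a short window. The CSV layout, the sample rows, the product version strings and the five-minute window are assumptions made for the example.

```python
"""Detect possible NHS smartcard sharing from authentication records.

Added example (not Isosec's analytics code).  Input records carry the six
fields the pilot lists: timestamp, product, product version, device id,
user certificate id, operating system.  A card that authenticates on two
different devices closer together than WINDOW is flagged.  The CSV layout,
the sample rows and the window size are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set, Tuple


class AuthRecord(NamedTuple):
    ts: datetime
    product: str
    version: str
    device_id: str
    cert_id: str
    os_name: str


# Constructed sample records, not real analytics output.
SAMPLE_LOG = """\
2015-03-02T08:00:05,iO,1.0.2341,WS-0101,CERT-A,Windows 7
2015-03-02T08:03:40,iO,1.0.2341,WS-0234,CERT-A,Windows 7
2015-03-02T08:04:12,MIA,2.1,TAB-0017,CERT-B,Android
2015-03-02T12:30:00,iO,1.0.2341,WS-0101,CERT-B,Windows 7
2015-03-02T13:15:09,iO,1.0.2341,WS-0101,CERT-C,Windows 7
2015-03-02T13:17:00,iO,1.0.2341,WS-0101,CERT-C,Windows 7
"""

# Assumption: two authentications of one card on different devices inside
# this window are faster than a clinician can plausibly move between them.
WINDOW = timedelta(minutes=5)


def parse_records(text: str) -> List[AuthRecord]:
    """Parse one CSV record per line in the field order listed above."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, product, version, device, cert, os_name = line.split(",", 5)
        records.append(AuthRecord(datetime.fromisoformat(ts), product, version,
                                  device, cert, os_name))
    return records


def find_shared_cards(records: List[AuthRecord],
                      window: timedelta = WINDOW) -> List[Tuple[str, AuthRecord, AuthRecord]]:
    """Return (cert_id, earlier, later) for every pair of authentications of
    the same certificate on different devices within `window`."""
    by_cert: Dict[str, List[AuthRecord]] = defaultdict(list)
    for rec in records:
        by_cert[rec.cert_id].append(rec)

    alerts = []
    for cert_id, recs in by_cert.items():
        recs.sort(key=lambda r: r.ts)
        for i, earlier in enumerate(recs):
            for later in recs[i + 1:]:
                if later.ts - earlier.ts > window:
                    break  # sorted by time, so nothing later can qualify
                if later.device_id != earlier.device_id:
                    alerts.append((cert_id, earlier, later))
    return alerts


def devices_per_cert(records: List[AuthRecord]) -> Dict[str, int]:
    """Coarser signal: how many distinct devices each card has touched."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for rec in records:
        seen[rec.cert_id].add(rec.device_id)
    return {cert: len(devs) for cert, devs in seen.items()}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for cert_id, a, b in find_shared_cards(recs):
        gap = b.ts - a.ts
        print(f"{cert_id}: {a.device_id} at {a.ts:%H:%M:%S} then "
              f"{b.device_id} at {b.ts:%H:%M:%S} ({gap.seconds}s apart)")
    print(devices_per_cert(recs))
```

On the sample data only CERT-A trips the rule (two workstations 3 minutes 35 seconds apart); CERT-B uses two devices hours apart, which is ordinary tablet-then-desktop use, and CERT-C stays on one workstation. The window has to be tuned per site: a clinician legitimately moving between adjacent workstations will produce the same pattern at a slightly longer gap, so the pairwise rule is an indicator to review rather than proof of sharing, and the distinct-device count is a useful second opinion.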

A glimpse of things to come:

Isosec Analytics Dashboard Screen

If you would be interested in being part of a pilot for the analytics service email support@isosec.co.uk to register your interest.

Lack of cyber security for NHS mobile apps

Ok, SC Magazine (for IT Security Professionals) is maybe not everybody’s favourite bed-time reading, but one of their recent articles highlights a particular issue with the scramble to mobilise NHS apps on tablet devices, oft heralded as the saviour of the NHS through efficiency.

The article contends that patient information is more valuable on the black market than financial data. If you consider that a mobile device potentially has hundreds or thousands of patient records stored on it, or is connected to your clinical backend systems holding tens of thousands of patient records, then it is beyond doubt that it is only a matter of time before cyber criminals get their acts together.

I don’t want to discuss the obvious business case and benefits of transforming and mobilising healthcare – it could save billions. But at what cost if you don’t get the security right?

However, I do take exception to SC’s article on cyber-security training for users as being the answer. It’s a false sense of security. Sure, it makes sense to do this but pitted against a smart hacker they wouldn’t stand a chance. As an ex karate-ka, I’ve seen it many times and know people given some self-defence training think they can defend themselves (imagine the Lion in the Wizard of Oz – put ’em up).

I don’t want to go all security on you, but a) security isn’t black-and-white, i.e. secure or not secure, and b) it’s only as good as the weakest link, i.e. the human. So training the user doesn’t suddenly make a system secure, and if a user can be fooled, security is effectively compromised when you are relying on training alone.

The implications of a security compromise? Well, that’s for another day, but fines and reputation damage are certain.

To compound the matter (read “make it easy to fool users”) there are a number of mobile app solutions on the market and healthcare organisations that use usernames and passwords as a means to secure mobile clinical apps and patient data. They even think that having MDM to protect their devices makes it secure.

Security that is based on username and password will never be secure enough, even with tons of cyber security training for users.

As the architect of Isosec’s mobile application platform, MIA, it is quite clear to me that the NHS Smart Card is the only effective way to protect mobile apps on tablet devices. NHS clinicians are very familiar with its use, and it is two-factor: something I have (the card) and something I know (the passcode). MIA uses the NHS Smart Card not only to log users on to a tablet device but also to strongly encrypt patient data on the device, and the card is required to connect to the clinical backend systems. Without the card there is no access to patient data on the device or back at base. Get the passcode wrong three times and the data becomes inaccessible. MIA also has various timers that blank and lock the device, so even if the user leaves the card in the reader, everything is still safe. If they lose the card, it can be revoked, and again everything remains safe.
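To make the two-factor and three-strike properties concrete, here is an added example, not MIA’s code, of how on-device data can be bound to both the card and the passcode. A random data key is wrapped under a key derived from a card-held secret and the stretched passcode, so neither factor alone recovers it, and the wrapped key is destroyed after three consecutive wrong passcodes. The card secret is modelled as a byte string for the example (on a real smartcard the private key never leaves the card and would be exercised by a challenge instead); the HMAC-SHA256 keystream stands in for an authenticated cipher such as AES-GCM, and the PBKDF2 round count is an assumption.

```python
"""Card-bound protection of on-device data with a three-strike lockout.

Added example (not MIA's code).  A data-encryption key (DEK) is wrapped
under a key-encryption key (KEK) derived from two factors: a secret that
stands in for the smartcard and the user's passcode.  Three consecutive
wrong passcodes destroy the wrapped DEK, so the data cannot be recovered
even with the correct passcode afterwards.  HMAC-SHA256 in counter mode is a
stand-in for AES-GCM / AES key wrapping; use a real AEAD in production.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_ATTEMPTS = 3         # "get the passcode wrong three times" (policy from the post)
PBKDF2_ROUNDS = 50_000   # assumption; tune to the device's CPU


def keystream(key: bytes, label: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter mode; stand-in for a real stream/AEAD cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_kek(card_secret: bytes, passcode: bytes, salt: bytes) -> bytes:
    """Two factors in, one key out: the stretched passcode is keyed with the
    card-held secret, so neither the card nor the passcode alone yields the KEK."""
    stretched = hashlib.pbkdf2_hmac("sha256", passcode, salt, PBKDF2_ROUNDS)
    return hmac.new(card_secret, stretched, hashlib.sha256).digest()


@dataclass
class Vault:
    """What is stored on the device: no key material recoverable without both factors."""
    salt: bytes
    wrapped_dek: bytes
    tag: bytes
    attempts: int = 0
    locked: bool = False


def enrol(card_secret: bytes, passcode: bytes):
    """Create a fresh DEK and wrap it under the two-factor KEK."""
    salt = os.urandom(16)
    dek = os.urandom(32)
    kek = derive_kek(card_secret, passcode, salt)
    wrapped = xor(dek, keystream(kek, b"wrap" + salt, 32))
    tag = hmac.new(kek, b"tag" + salt + wrapped, hashlib.sha256).digest()
    return Vault(salt, wrapped, tag), dek


def unlock(vault: Vault, card_secret: bytes, passcode: bytes):
    """Return the DEK on success, None on failure.  A wrong card and a wrong
    passcode are indistinguishable: both fail the constant-time tag check."""
    if vault.locked:
        return None
    kek = derive_kek(card_secret, passcode, vault.salt)
    expected = hmac.new(kek, b"tag" + vault.salt + vault.wrapped_dek, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, vault.tag):
        vault.attempts += 1
        if vault.attempts >= MAX_ATTEMPTS:
            # Destroy the only copy of the wrapped DEK: the data is now unrecoverable.
            vault.wrapped_dek = bytes(32)
            vault.tag = bytes(32)
            vault.locked = True
        return None
    vault.attempts = 0  # a good passcode resets the counter
    return xor(vault.wrapped_dek, keystream(kek, b"wrap" + vault.salt, 32))


def encrypt_record(dek: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC a patient record under the DEK (nonce || body || mac)."""
    nonce = os.urandom(16)
    body = xor(plaintext, keystream(dek, b"data" + nonce, len(plaintext)))
    mac = hmac.new(dek, nonce + body, hashlib.sha256).digest()
    return nonce + body + mac


def decrypt_record(dek: bytes, blob: bytes) -> bytes:
    nonce, body, mac = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(dek, nonce + body, hashlib.sha256).digest(), mac):
        raise ValueError("record tampered with or wrong key")
    return xor(body, keystream(dek, b"data" + nonce, len(body)))


if __name__ == "__main__":
    card = bytes(range(32))           # constructed stand-in for the card's secret
    vault, dek = enrol(card, b"2468")
    blob = encrypt_record(dek, b"constructed patient record")
    print(decrypt_record(unlock(vault, card, b"2468"), blob))
    for _ in range(MAX_ATTEMPTS):
        unlock(vault, card, b"0000")
    print("locked:", vault.locked, "correct passcode now ->", unlock(vault, card, b"2468"))
```

Because the wrapped key rather than the data is destroyed, the lockout is immediate and independent of how many records are on the device. The counter is reset only by a successful unlock, so two mistakes followed by the right passcode leaves the user where they started, while a third consecutive mistake is terminal; that is the trade-off the post accepts in return for not relying on the user being infallible.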

So, given the weakest link user argument, we have taken the approach of using something very secure and familiar (the NHS Smartcard) and made the user experience very simple – we don’t rely on user’s infallibility.

Even when a user fails to follow basic precautions, MIA security takes over to protect patient data and backend system access.

The take-home is don’t be lulled in to a false sense of security – if you’ve got username/password protecting your clinical data and access with MDM “remote wipe” with really good user training, your pants are down, from a security perspective that is.

Finally, we have a smartcard solution for iPads (with a natty sleeve from Precise Biometrics) as well as NFC authentication on Android and Windows devices (as well as contact reader for devices that support it).


New NHS smartcard to be introduced by HSCIC

A new smartcard is to be introduced in September 2015 by HSCIC. We have been contacted by a number of our customers asking what impact this will have, if any, on Isosec products. We are seeking further details of the card specification from HSCIC and a sample of the new cards to assess the impact. However, all Isosec products work with a range of smartcards, even beyond those commonly used within the NHS (the legacy Gemplus GPK 03 cards and the 04, 05 and 06 cards), and Isosec is committed to making all of our products work with such changes – either the new cards will simply ‘just work’ or we will issue new versions of any affected products.


Announcing our new team member – Jo Flynn

Well, it has been a long time since Isosec had a blog post, but I’m sure you will be thrilled to know that this will now be a thing of the past. Our business and team are fast expanding and we are very excited to officially announce that our latest addition is Jo Flynn, 23, from Manchester, who is Isosec’s new Marketing Executive.

As Isosec’s focus shifts from our legacy products to the revolution in healthcare IT that is mobile applications, Jo is currently focussing on how our latest venture, MIA Maternity, will be presented (and will no doubt feature on this very site before long).

However she has promised to update our blog more than bi-annually… So watch this space! You can also keep up to date on what Isosec are up to on Twitter @Isosec and on LinkedIn.


Electronic Staff Record (ESR) access on an iPad Mini

I managed to grab a quick 60 second video showing MIA accessing ESR at one of the hospitals near us. One thing to notice is that ESR is a desktop application, designed to be driven with a mouse and keyboard. However, we could very easily turn this into an ESR ‘app’ simply by creating a gesture-driven front end using jQuery Mobile. This would mean it could be accessed on different form factors (such as an iPhone or Android Nexus 7, or my shiny new Samsung S5 ;). It could even work offline too.

Mobile Device Access to Summary Care Records

Using the Isosec Mobile Information Access platform, MIA, we are able to give access to Summary Care Records (SCR) on a mobile device. Using a standard NHS Smartcard and a device like a Google Nexus 7 with Near Field Communication, clinical users can log on with their NHS Smartcard and access SCR either in an Acute Hospital setting over the hospital wifi or for Community Services over 3G (without the need for additional smartcard reader hardware).

This means that a device costing less than £200 can provide a very cost-effective way to access SCR in a highly mobile way. If an iPad or iPod touch is your preference, it also works on these devices with a smartcard sleeve.

I’m interested to know who might find this useful and in what clinical setting…

This is what it looks like on a Nexus 7 – the user is asked to login with the NHS Smartcard:

Screenshot_2014-02-28-11-00-43

On a Nexus 7, placing the NHS Smartcard on the NFC reader on the back of the device brings up the Passcode prompt:

Screenshot_2014-02-28-11-00-17
Once logged on, and Summary Care Records selected, you’re in!

Screenshot_2014-02-28-11-02-32

 

Let me know what you think.

Marc.

New version of iO released – v1.0.2341

There is a new version of iO available for all customers on support. It contains a small number of enhancements and fixes. To receive an update, contact support at isosec.co.uk.

In summary, the changes are:

Enhancements

– Blanking, locking and logout timers (aka Callisto functionality)
– Minor internal improvements and speedups
– User is now warned properly about expired certificates

Fixes

– Very rarely, removing and re-inserting the card failed to recognise the card insertion.
– Fixed XP install issue – now installs correctly

The main enhancement is the inclusion of screen blanking and locking (which was previously a separate product, known as Callisto). This is intended for newer Windows 8 (yes, I know some of you might still be struggling to get to Windows 7 :)) tablet devices and also intended for some desktop configuration scenarios too.

The idea is that you can authenticate with your smartcard using the NFC capability of the new version 05 cards or a built-in contact reader, then remove the card from the reader and still remain authenticated, except that the screen will now blank after a period of inactivity. After a further period of inactivity the screen will lock, requiring either the passcode or the smartcard to be re-presented. After a further period of inactivity still, the user will be de-authenticated from the Spine and Spine applications will be logged out and closed.

New version of iO Identity Agent released!

I’m very pleased to announce we have released a new version of iO – version 1.0.2197. Our development team has been working hard and we’ve been listening to our customers. It contains a number of bug fixes, enhancements and support for new platforms. If you would like to upgrade your version or sign up for a trial version, please contact support at isosec.co.uk.

We will continue enhancing and improving iO and will be announcing a new version of our MIA (our Mobile Information Access platform) soon too!

In summary, this is what’s new in iO:

  • Removed the dependency on Gemalto’s Classic Client Libraries, which has dramatically improved authentication speed, especially in VDI environments
  • Customisable text that appears in the passcode dialogue
  • Fixed a couple of rare occurrences of “Certificate Not Found” on card insertion
  • Fixed a few issues around a card being locked out
  • Support for customisable oversized dialogues for tablet devices
  • Dialogues correctly focussed on card insertion
  • Various optimisations and speed-ups on authentication speed
  • New flag to launch a process or processes on card removal
  • Better support for NFC devices such as the Lenovo Tablet 2
  • Improved system tray dialogue options to show the version and change the log level
  • Fixed iGel (and other terminal devices) smartcard issue when connecting to VDI environments
  • Introduction of io.cfg to control behaviour of iO
  • Reduction in the installer size
  • Fixed an issue with multiple readers when using AGFA PACS

 

Over 10k users of iO Identity Agent!

After the re-launch of iO with integrated Spine Session Persistence, we now have over 10k clinical users of iO for authenticating to the NHS Spine to get access to clinical applications – this is quite some landmark for us but it is just the beginning!

Part of our Identity Agent service collects anonymous statistics about the number and frequency of authentications. The really interesting part is that we will soon be able to quantify the benefit a Trust gets from Spine Session Persistence (through not having to log back on to the Spine each time a clinician re-connects to their desktop session). This ability will also extend to our Mobile Information Access (MIA) portal. We’ll then be able to measure how mobile and desktop usage changes going forward.

Interestingly, Spine authentications peak over the middle 3 days of the week in general. I’m interested to see how these figures evolve as we add more Trusts and clinical users over the coming months.

Perhaps I’m a ‘numbers’ geek now too!