5 Unsafe Workaround Tactics With The NHS Smartcard

Isosec and the NHS Smartcard

Okay, firstly there will be no naming and shaming here, so if you were hoping to see organisations with poorer processes than yours, shame on you. Cybersecurity is no joke, especially when it comes to the NHS smartcard and protecting patient data.

What we are going to share are five very real examples of unsafe working practices involving NHS Smartcards.

We’ve been working with the NHS for fifteen years now and originated from an IT security background around smartcards and secure authentication. We have over 40,000 iO users (our smartcard identity agent) and as a result have seen thousands of local use-cases for the NHS smartcard, some hugely successful… some not so much.

If you’ve somehow wandered here by accident and aren’t sure what we’re talking about, NHS smartcards are similar to chip and pin cards that allow our healthcare professionals here in the UK to access the patient information that’s relevant to their role.

Here are five ways we’ve seen organisations abuse the power of the NHS smartcard.

 


  1. Passcode strength – Pretty obvious one to start with, but setting a secure passcode really is important! We’ve had people volunteer that their passcode is ‘passcode’, ‘1234’, even ‘doctor’. It may be quicker to type 1234 in a hurry, but it undermines the whole authentication process if you fail to keep your personal security standards high.
  2. Card sharing – Again, it might seem easy enough to pass your card onto a colleague when they’re in a hurry, but it’s hard to criticise cybersecurity standards of an organisation if individuals don’t adhere to explicit security processes.
  3. Leaving a cut card in a reader – Possibly the worst offender on this list, but sadly we have seen it in action! The explanation we were given was that Information Governance colleagues would regularly walk around and check on how things were running. In order to avoid detection of card sharing whilst still having quick shortcut access, one card was left in a reader and then cut off, so IG couldn’t see the card in the reader or even know that the behaviour was going on.
  4. Robot smartcards – Having a machine with a smartcard permanently in a reader, which automatically logs in with a fixed passcode, poses an IG risk, and most trusts are completely oblivious to this. Our analytics dashboard highlights this behaviour straight away so it’s not something we see with iO.
  5. Single sign on passcode manager software – By using software to remember your passcode and key it in for you, you’re no longer using two-factor authentication. You take the security level down to just one factor, which doesn’t adhere to NHS security standards and doesn’t stop someone else jumping on your card should they pick it up.
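
Tactics 3 to 5 above leave traces in reader and authentication logs: a card that never leaves its reader, and passcodes entered faster than a person can type. The following Python detector is an added example, not Isosec's analytics code or part of the original post; the log format, event names, card and workstation names and both thresholds are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed thresholds; tune them to local shift patterns and reader hardware.
MAX_DWELL = timedelta(hours=14)   # longer than any single shift
MIN_HUMAN_ENTRY_MS = 400          # quicker than a person can key a passcode

# Constructed sample log (not real NHS data).
# Fields: timestamp, card, workstation, event, detail.
# For "auth" events, detail is the time in ms between the passcode prompt
# appearing and the passcode being submitted.
SAMPLE_LOG = """\
2017-05-01T07:58:00 CARD-A WS-WARD1 insert -
2017-05-01T07:58:09 CARD-A WS-WARD1 auth 6200
2017-05-01T12:31:00 CARD-A WS-WARD1 remove -
2017-05-01T06:00:00 CARD-B WS-RECEPTION insert -
2017-05-01T06:00:01 CARD-B WS-RECEPTION auth 35
2017-05-01T18:00:02 CARD-B WS-RECEPTION auth 35
2017-05-02T08:15:00 CARD-C WS-CLINIC4 insert -
2017-05-02T08:15:01 CARD-C WS-CLINIC4 auth 120
2017-05-02T09:00:00 CARD-C WS-CLINIC4 remove -
2017-05-03T06:00:00 CARD-D WS-LAB1 insert -
"""
SAMPLE_NOW = datetime(2017, 5, 3, 9, 0, 0)  # time the audit is run


def parse(log_text):
    """Turn the whitespace-separated log into time-ordered event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, card, ws, kind, detail = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "card": card,
                       "ws": ws, "kind": kind, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def find_risky_cards(log_text, now):
    """Return {card: [reasons]} for cards showing workaround behaviour."""
    findings = {}    # card -> set of reasons
    open_since = {}  # (card, workstation) -> time the card was inserted

    def flag(card, reason):
        findings.setdefault(card, set()).add(reason)

    def check_dwell(card, start, end):
        # A card left in a reader past any plausible shift: cut card or robot.
        if end - start > MAX_DWELL:
            flag(card, "long_dwell")

    for e in parse(log_text):
        key = (e["card"], e["ws"])
        if e["kind"] == "insert":
            open_since[key] = e["ts"]
        elif e["kind"] == "remove":
            start = open_since.pop(key, None)
            if start is not None:
                check_dwell(e["card"], start, e["ts"])
        elif e["kind"] == "auth":
            # Passcode supplied at machine speed: auto-login or passcode
            # manager software, so the "something you know" factor is gone.
            if int(e["detail"]) < MIN_HUMAN_ENTRY_MS:
                flag(e["card"], "machine_speed_passcode")

    # Cards that are still sitting in a reader when the audit runs.
    for (card, _ws), start in open_since.items():
        check_dwell(card, start, now)

    return {card: sorted(reasons) for card, reasons in findings.items()}


if __name__ == "__main__":
    for card, reasons in sorted(find_risky_cards(SAMPLE_LOG, SAMPLE_NOW).items()):
        print(card, ", ".join(reasons))
```

Card sharing (tactic 2) is not covered: a shared card produces the same insert and remove events as legitimate use, so it needs a second signal such as the desktop account or location in use.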

 

What Can You Do About It?

Some people don’t think NHS smartcards are the best and from the list above it’s clear to see that there is some education around the issue of cybersecurity to be done generally. It’s a strong case for how sometimes poorly managed technology can hinder users rather than benefit them, but sadly there are often unsafe workaround tactics like these that harbour high risk behaviour.

However, we think when smartcards are used properly they do the job for the NHS and we’ve even developed ways to maximise the security and efficiency with them.

From our experience with IT departments in the NHS we listened to these extensive issues some Trusts have with the smartcard. From there we expanded our iO identity agent capability and iO Virtual Smartcard was created. There are a wealth of benefits to using our Virtual Smartcard product, but most importantly we built it to maximise the security around authentication whilst still addressing the user issues we have witnessed along the way.

By creating an innovative technology that meets both the practicality of everyday working practices as well as high-level security standards we hope to further the efficiency of the NHS whilst still maintaining the necessary safeguarding of patient data in the modern world.


To find out more about how to avoid these high risk behaviours in your organisation you can download our Virtual Smartcard brochure or watch our explainer video on our website.

The WannaCry ransomware and how it (doesn’t) affect us

There’s been a great deal in the news over the past few days about the already infamous “WannaCry” (AKA “WannaCrypt”, “WanaCrypt0r”, “Wanna Decryptor” etc.) malware that’s spread like wildfire across the world, most notably infecting numerous NHS trusts. You may not already know that Isosec was built from a security background; we have cybersecurity expertise spanning 50 years. With this in mind we thought we’d let you know just what on earth is going on, how it might affect you, and how it, thankfully, doesn’t affect Isosec (despite the similarities in the name of other companies involved!).

What is it?

First and foremost we go onto the question that’s on most people’s minds; just what exactly is this thing? Well, “WannaCrypt” is a type of malware (malicious software) known as “ransomware”, which is software that will encrypt all of your most important files and folders, and then quite literally hold them ransom, asking you to make a payment in order to decrypt them for use (which more often than not is the worst possible thing you can do).

Now that the technical jargon is out of the way, a practical example. You receive an email with an attachment, you open this attachment and it runs a program on your computer, this program locks away all of your files with a password you don’t know, and then demands a sum of money in return for that password. Sound bad? It is! Ransomware has been around for many years in various forms, but what’s getting worse is not so much the programs themselves, but the way in which they spread.

In the case of “WannaCry”, the evidence thus far suggests that it’s capable of spreading across the entirety of a local network with ease, infecting every other computer on the network that isn’t up to date enough to protect against the vulnerability. Now if the “not up to date” part of that spiked your interest, that’s for good reason…

Staying safe

Whilst the usual security principles come into play here – always run an active anti-virus and keep a malware scanner to hand, don’t open unknown attachments, stay away from unfamiliar websites etc. – there is one that rises above all others in terms of importance; keep your computer up to date. The vulnerability in Microsoft’s Windows product that allowed the “WannaCry” attack to take place was fixed back in March of this year, meaning that the average computer was already safe by the time the attack began. But if you don’t regularly update – and don’t have automatic updates switched on – then you were, and possibly still are, at risk.

How this (doesn’t) affect Isosec

Due to the nature of ransomware, attacks such as these are unlikely to affect us as a company. Our internal security policies keep us out of harm’s reach, and the fact we ship software rather than hardware means we’re not in the crosshairs of these sorts of attacks. But that doesn’t mean we can wash our hands of any responsibility; instead, it’s important to look at how we can help you to prevent these problems from happening.

Let’s use MIA Maternity as an example. MIA Maternity is completely offline-capable, and while that’s important for midwives who use our software in areas of limited or no connectivity, it’s even more important when a large scale cyber attack such as this one occurs.

This is because even though the Trust-owned servers that hold the all-important patient data might be compromised, the mobile devices remain functional, with a recent copy of all the patient data required to work. Midwives can continue to work without issue, and patient care isn’t compromised. Better yet, there’s no need to revert to older paper-based backups: midwives can continue to enter data into MIA Maternity, and it will be sent back to the server once the issue has been resolved by the Trust.

 

Here at Isosec we take security very seriously. It’s baked into how we make software, and is something on the minds of everyone here constantly.

Introducing: iO Virtual Smartcard


We’d like to introduce the latest innovation from Isosec – iO Virtual Smartcard, the smart NHS identity agent.

Virtualising your NHS smartcard into the cloud means you can access it using a more convenient form of authentication, like your smartphone. iO Virtual Smartcard works with your NHS issued HR card, an RFID tag or even a biometric like your thumbprint.

With iO Virtual Smartcard you can walk up to any desktop, scan a QR code with your smartphone, enter the passcode and you’re authenticated to use clinical applications.

Cool, right?


Challenges without iO Virtual Smartcard


iO Virtual Smartcard addresses problems the NHS is currently facing with managing smartcards.

Smartcards are issued from your Trust’s Registration Authority (RA). Issuing physical cards takes a long time and requires expensive specialist printers for production.

Junior Doctor Intake
Taking on a new cohort of junior doctors, for example, becomes a logistical and resource-intensive undertaking. RAs travel to different locations to process new starters where they set up the RA system and printer and process each doctor one by one.

Agency Workers
A common approach with Agency Staff is to issue generic smartcards and distribute them across departments. When needed by an agency worker, a manager has to reset the passcode of an existing ‘pool’ card and update a spreadsheet with the agency worker’s details. After the shift is over, that agency worker should hand the card in. The manager then has to repeat the process of deregistering the card and updating the spreadsheet.

This process is inefficient and high risk for your Trust. In clinical system records, for example, details often read “Agency Worker 31291” instead of the specific agency worker’s name. This is usually resolved by reverting back to the spreadsheet for clarification, assuming the process was followed and records are up to date.

This longwinded process for a simple task creates a serious Information Governance issue and wastes valuable staff time that could be better spent elsewhere.

Smartcard User Woes
Smartcards can be a general inconvenience post-registration, especially if you accidentally lock your card. When this happens, you probably have to track down the RA, which may be on a different site or even unavailable in the middle of the night. You sit together whilst the RA unlocks your card. This re-registration is at least 30 minutes of valuable clinical time lost.


iO Virtual Smartcard


Isosec’s iO Virtual Smartcard leverages the strength of the existing RA process and eliminates the inefficiencies illustrated above. Virtual Smartcard mandates a strong identity check, known as eGIF Level 3, of the person requesting a smartcard.

  1. Once the user’s identity is asserted, the RA issues a virtual smartcard instead of a physical one. The virtual card is created in the Virtual Smartcard Cloud.
  2. The user downloads the Virtual Smartcard Authenticator App on their smartphone straight from the app store.
  3. The RA enrols the user’s smartphone for use with the virtual smartcard using a QR code displayed on their virtual smartcard portal.
  4. The user scans the QR code with the Virtual Smartcard App, enters their passcode on the smartphone and they are enrolled and ready for use… It’s as easy as that!

iO Virtual Smartcard using a smartphone
After the Virtual Smartcard is set up as above, it’s ready for everyday use. The user simply clicks Login on the iO identity agent on any workstation, scans the QR code with the Virtual Smartcard app and enters their passcode, and authentication completes. iO will also launch any Spine clinical applications if configured to do so.

Please note that this is still two-factor authentication – something the user knows (the passcode) and something they have (the enrolled smartphone).

A user can still insert a physical smartcard if they wish – iO works with both physical and virtual smartcards.

Using the Virtual Smartcard with an HR card
Alternatively, an HR issued NFC card can be enrolled for use with the user’s Virtual Smartcard. In much the same way that a physical smartcard can be used with NFC, so can the HR card.

Self Service
Virtual Smartcard can be reset using self-service to avoid previously mentioned issues surrounding locked cards. After visiting the Self-Service Portal, a user enters their NHS email address to which a reset link is provided. The linked page asks the user to answer at least two security questions specified during the registration process. This allows the Virtual Smartcard to be unlocked and the passcode reset.

Each reset saves approximately 30 minutes and can be done whenever, wherever.

Security
As the Virtual Smartcard is held in the cloud, there is nothing to physically lose, share or leave in a reader. The Virtual Smartcard technology is improving a previously complex process, so compliance and risk are greatly improved. Users no longer have to battle the technology to do their jobs, they work productively together.

Analytics
The Virtual Smartcard Cloud service is built into the Isosec cloud-based analytics platform. With Virtual Smartcard it is easy to track when, where and how each Virtual Smartcard is used. This enables Trusts to learn from best practice and identify where any issues may arise. It also provides a rich set of data on how Spine applications are used; data which has not been readily available before. Isosec Analytics also enable Information Governance audits at the touch of a button.

Benefits

  • Enables the use of devices that don’t have a Smartcard reader e.g. an iPad using a virtual desktop client, or users working from home
  • Simple to adopt, solving the Information Governance issues with agency staff, bank smartcards and lack of traceability
  • No generic cards in the wild
  • Audits and analytics available at the touch of a button
  • Enables rapid access to systems for new starters or temporary/agency staff once they have a virtual card – managers can authorise their access via a management console
  • Provides a much improved user experience by enabling self-service reset of passcodes, thereby avoiding periods where cards are locked and can’t be reset due to unavailability of RAs

Future Use
Future plans for iO Virtual Smartcard include using other authentication methods. We are always looking to improve the iO Identity Agent and RFID tags and biometrics (e.g. fingerprint and iris) will be added. Authentication methods will be policy driven by individual Trust preference.

Using Virtual Smartcard for other purposes is also under consideration, like the possibility of Two Factor Authentication (2FA) for remote access over the public internet. Virtual Smartcard streamlines the authentication process by using a single two factor authentication from any device for internet access, Windows AD logon and Spine authentication for access to clinical apps.

Release Date
A number of pilots began in April 2017. A full case study with benefits realisation and business case process will be available soon. To register your interest and request a demo please visit our website or email info@isosec.co.uk and quote this blog. Virtual Smartcard will be readily available to all existing and new iO customers from June 2017. Please visit www.isosec.co.uk to download the iO brochure for information on our other Identity Agent software. You can keep up to date with the release by following us on Twitter @isosec.

Exclusive Free Trial of MIA Maternity for RCM Conference 2016

The Royal College of Midwives Annual Conference is one of the biggest dates in our diary. Last year we met so many amazing people, all striving to improve care in Maternity departments in the NHS. This year we’re rewarding those people with an exclusive free trial of MIA Maternity.

Isosec strive to improve the working lives of Midwives with MIA Maternity, the mobile app that replaces inefficient paper processes. MIA reduces admin and travelling, and as well as freeing up that time to improve patient care, it also ensures MIA Midwives get home on time! We’ve decided to make your RCM Conference 2016 even more special… We are (very!) excited to officially announce that we are offering an exclusive free trial of MIA Maternity to attendees of the RCM Annual Conference 2016!

This includes the tablet devices, the process redesign to get MIA configured exactly to your working practices and a short pilot period*.


Do you think this sounds like a good idea, but aren’t sure how it could work in your Trust? Or perhaps you need solid evidence of the benefits to having mobile midwives?

Imperial College Healthcare NHS will be showcasing their digital transformation journey with MIA at 12.10 on Day 1. Come along to discuss the benefits of a more efficient workforce through the use of mobile technology.

Midwives from Imperial College Healthcare NHS and our Co-Founders will be on Stand 17 both days to answer any questions you might have.

We are proud sponsors of the RCM Conference App this year so be sure to download it to plan your conference and read more about Isosec.


Why not follow us on twitter @isosec to keep up with us before the event starts? We’ll be live tweeting from the event using #RCMConf16 and also posting some great tips and tricks from our MIA Midwives on #MIAMidwives.

If you would like any more information or to arrange a meeting at the RCM Conference or otherwise, please email info@isosec.co.uk or use the contact form on our website.

We’re really looking forward to meeting everyone, see you there! 


*Isosec terms and conditions apply.

New NHS Tariff System Offers Good News For Maternity

“Tariff proposal would see maternity spend increase by 8 per cent” Esther Oxford, Health Service Journal, 2nd August 2016

 

The recent HSJ article suggests that with the newly proposed NHS tariff system spending on Maternity could increase by £221M, a total increase of 8.3%.

Under existing policy, providers are paid according to which care pathway an expectant mother is assigned to. In order to assign pregnant women to the right care pathway, clinicians identify which “clinical complexities” and co-morbidities a woman may develop prior to birth. Women are then assigned according to the NHS tariff system to standard, intermediate or intensive care pathways, with trusts paid more for the most complex cases.

As a result of the new tariff system, the proportion of women put on pathways providing intensive care is expected to rise from 7.1% of expectant mothers to 11.3%, while 38.7% of women on maternity pathways will be classed as intermediate – up from 27.3% at present. Consequently the proportion of women put on maternity pathways classed as standard – the least expensive tariff – is expected to fall from 65.5% to 50%.

This is great news on the surface, but Isosec’s experience from working closely with Imperial College Healthcare NHS midwives is that the allocation of mothers to the correct category was not always given the attention it warranted. Consequently Trusts were missing out on a large amount of funding (and exposing themselves to potential risk). When the MIA Maternity app was adopted at Imperial College Healthcare NHS the data showed percentages of mums allocated to each category were far from NHS national averages. Senior midwives could soon see that there were some issues with the process (too many women being allocated almost by default to the standard category) and now provide education to their midwives to ensure that (approximately) £170k of potential additional income is recovered.

The moral of this particular piece is that although the message is inherently positive and should be applauded, data must be available to ensure that the correct costs are recovered. This is just one example of data that is very difficult to collect and evidence with paper processes and where using mobile devices will improve the system. MIA collects, evidences and analyses all data passively and presents it as part of our analytics dashboard, so a Trust can easily drill down into their own data and identify any areas for improvement. As the renowned statistician W. Edwards Deming said, “Without data you’re just another person with an opinion.”


If you think your Trust or organisation may be missing out on revenue because of inefficient paper processes or loss of data please visit our website or arrange a MIA Maternity demo to find out more.

 

Oxleas NHS Foundation Trust mobilise their community workers with solution from Isosec and Partners

Mobile app solution ‘MIA’ from Isosec means Oxleas NHS clinicians can reduce unproductive admin and travel time to be better spent on patients.

Oxleas NHS Foundation Trust has been working on providing community based staff with the ability to access and update clinical records securely, whilst working remotely.

Geographically, Oxleas covers over 125 sites across the London Boroughs of Bexley, Bromley, Greenwich and into Kent, so mobile working is crucial to improving patient care whilst maximising efficiency and productivity.

The partnership solution between Isosec’s MIA, Servelec’s RiO and Precise Biometrics’ smartcard reader has allowed the Trust to become the first NHS organisation in the country to use the mobile working solution on an iOS platform. This provides safe and secure remote access for clinicians.

The mobile solution reduces the need for clinicians to come into base to gather and update records as they now do this directly on their tablet device.

“My ability to be out and about for most of the day certainly benefits my patients. Rather than having to come back to pick up information, to get addresses or phone numbers, I can be much more responsive.” – Daniel Baptiste, Enteral Feeding Specialist Dietician, Oxleas NHS Foundation Trust

Additional benefits include:

  • Minimising unnecessary travel time and expenses
  • Reducing duplication of administrative tasks
  • Costs recovered from reducing unproductive tasks
  • Maximising data quality by supporting digital working
  • A paperlite service
  • Time gained now spent on patient care
  • Isosec Analytics provides real time usage data to measure success

Oxleas have over 1,000 users with plans to extend the service provision to several hundred more. This makes Oxleas the first Trust in the country to use the partnership solution at scale.

You can watch the Oxleas case study video or download the white paper from www.isosec.co.uk to hear users talk about the solution in more detail. If you would like to request a MIA demo please visit the website or contact info@isosec.co.uk.


Isosec fundraise for baby charity Bliss

Isosec will be taking on the ‘90,000 Challenge’ in September to raise money and awareness for baby charity Bliss, who care for babies born too sick or too soon.

Every year, 90,000 babies are admitted to hospital for specialist care – many of these babies will need lifesaving intensive care. Baby charity Bliss is there for these little ones by empowering their families and working with health professionals to ensure they have the best care possible. Bliss also supports over £10 million of research to make a lasting difference to the lives of premature and sick babies, and fights for their rights within the government and NHS.

Isosec have committed to walk a foot for every single one of the babies born premature in one year. That’s over 17 miles, which we will be trekking around the Peak District in September.

Isosec will also be holding a 90,000 step week challenge and bake sale at our Bruntwood office Blackfriars House in Manchester over the coming months to raise more awareness and funds for Bliss. Check back here or email info@isosec.co.uk for more information on how to take part. If you manage to hit the 90,000 target you could even be eligible for free cake!

Please donate as much or as little as you can for this worthy cause and help us to take a step for babies in need. You can sponsor us here and donations will be quickly processed and passed to Bliss. Virgin Money Giving is a not for profit organisation and will claim gift aid on a charity’s behalf where the donor is eligible for this.


Isosec really appreciate all your support and thank you for any donations.

Award-winning CMFT team using MIA Infant Feeding app

Central Manchester Children’s Community Services: Health Visiting Infant Feeding Team are winners of the Journal of Health Visiting 2016 Award for ‘Best practice in promoting and maintaining breastfeeding’ and have chosen clinical mobile app MIA from Isosec

The national award is in recognition of the work the Infant Feeding team have done to support women in Manchester to breastfeed their babies when presented with complex or ongoing challenges. By offering a home visiting service for clients experiencing urgent feeding difficulties and delivering community sessions for ongoing feeding challenges the team are able to ensure women are given every opportunity to maintain their chosen feeding method and feel confident they receive support when they really need it alongside the ongoing care from their named Health Visitor.

The team has chosen to work with Isosec and adopt the MIA Infant Feeding app to ensure that not only are we able to capture data relating to specific types of referral with measurable outcomes, but we also make best use of client feedback that has been inbuilt into the process. Our client voice is very important to us and by collecting information around performance as well as how it has impacted on the relationship between mother and baby, we feel we will be able to ensure our commissioners and service leads feel confident in our ability to provide a quality and effective service.

Our Trust values are at the heart of everything we do and we are working with Isosec to ensure MIA provides us with the opportunity to showcase our hard work.

To read the CMFT Case Study or to book a MIA demo please visit www.isosec.co.uk.


Winners of HSJ Value Awards 2016

Health Service Journal Awards 2016 reveal Isosec Ltd. didn’t win this time in the Obstetrics and Gynaecology category for their mobile app MIA Maternity.

Isosec would like to congratulate St George’s University Hospitals Foundation Trust for their win in the HSJ Award in Obstetrics and Gynaecology recognising Value in Healthcare. Congratulations to Wrightington, Wigan and Leigh Foundation Trust who were highly commended in the category. Isosec was also nominated recognising the success of MIA Maternity at Imperial College NHS in London. It was the third high profile awards nomination for MIA Maternity in the past year.


Marc Poulaud, Co-Founder of Isosec says, “As a company focussed upon delivering solutions that improve patient outcomes, it’s great even to have been nominated so many times for the work we’re doing. The team at Isosec and Imperial look forward to seeing what exciting opportunities MIA Maternity will bring us in the near future.”

Kathy Lanceley, Deputy CIO at Imperial College NHS added, “Working with Isosec has been an absolute revelation. They’ve been responsive to everything we’ve needed; we’ve really learnt how we can do this together. Their maternity solution that we’ve deployed is unique and it’s the first time that our midwives, and probably any others, have had a solution that’s really designed around their working practices, it’s a tailor made fit and they’re very happy.”

The midwives at Imperial have found numerous benefits to using the MIA Maternity app, such as an increase in breastfeeding mothers, an increase in staff satisfaction, decreasing staff sickness, increased data quality and having more time to spend on patient care.

To request a MIA demo please contact us on info@isosec.co.uk or to find out more about the winners of the HSJ Awards 2016 please visit: www.hsj.co.uk.

 

A Day with Mobile Working in the NHS

Alice the midwife with MIA on tablet device


First thing in the morning Alice launches the MIA Maternity app on her iPad and connects to a network while she’s having breakfast at home. MIA automatically synchronises all patient and observations data from her team as well as Alice’s appointment list for the day. This takes seconds. Alice can easily flick back through patient notes so she is up to date with them before she visits their house. Alice can then pack the iPad away and start her day, without needing to go into the community hub where she works.

MIA Maternity knows the location of each mother and baby and will automatically display the nearest patient based on proximity to Alice using GPS which saves her having to search for each patient address as well as being more efficient with fuel.

Whilst with mum, observations are recorded straight into MIA on the iPad, together with the patient’s next appointment or discharge details if applicable. A dashboard highlights whether a Pathway form must be completed, together with reminders for time-constraint items such as Newborn Bloodspot Screening Tests. The observations are done with intuitive drop down menus and toggle selections, rather than having to write everything up, this increases the data quality, as all of Alice’s team will use the same standards, rather than having to read through pages of written notes. There is also a place for typing should any notes be absolutely necessary.

If Alice visits a patient in a rural area or somewhere without any signal there is no compromise to what information she can input; the functionality of MIA is the same. MIA will alert Alice when it is working offline, and keep track of how many records have been input since the last synchronise. This encourages Alice to keep MIA up to date so it can push all of the data straight back into the hospital’s internal data system – all without an administrator having to duplicate Alice’s work by typing up handwritten notes!

Alice the midwife using MIA offline


Each midwife in the team has access to all patient information for that team so can quickly review notes for any patient. So any information Alice inputs to MIA will be available for the whole team to see, most importantly for the next midwife who comes to visit mum and baby. This is particularly helpful if someone is on holiday or off, anyone else in the team can easily pick up on the important information.

At the end of the day Alice can go online anywhere with a secure data connection and MIA automatically synchronises all patient records, pathway forms, observations and appointments. After just a few seconds the synchronisation is complete and the iPad can be packed away or used normally as a personal device – as no NHS data can be accessed without Alice’s NHS smartcard.