Isosec’s Virtual Smartcard
We’d like to introduce the latest innovation from Isosec – Virtual Smartcard, the smart NHS identity agent and identity and authentication management solution.
Virtualising your NHS smartcard into the cloud means you can access it using a more convenient form of authentication, like with your smartphone. Virtual Smartcard works with your NHS issued HR card, an RFID tag, push notifications, a one-time passcode or even a biometric like your thumbprint.
Challenges without Virtual Smartcard
Virtual Smartcard addresses problems the NHS is currently facing with managing identity and physical smartcards.
Smartcards are issued from your Trust’s Registration Authority (RA). Issuing physical cards takes a long time and requires expensive specialist printers for production.
Junior Doctor Intake
Taking on a new cohort of junior doctors, for example, becomes a logistical and resource-intensive undertaking. RAs travel to different locations to process new starters where they set up the RA system and printer and process each doctor one by one.
A common approach with Agency Staff is to issue generic smartcards and distribute them across departments. When needed by an agency worker, a manager has to reset the passcode of an existing ‘pool’ card and update a spreadsheet with the agency worker’s details. After the shift is over, that agency worker should hand the card in. The manager then has to repeat the process of deregistering the card and updating the spreadsheet.
This process is inefficient and high risk for your Trust. In clinical system records, for example, details often read “Agency Worker 31291” instead of the specific agency worker’s name. This is usually resolved by reverting back to the spreadsheet for clarification, assuming the process was followed and records are up to date.
This longwinded process for a simple task creates a serious Information Governance issue and wastes valuable staff time that could be better spent elsewhere.
Smartcard User Woes
Smartcards can be a general inconvenience post-registration, especially if you accidentally lock your card. When this happens, you probably have to track down the RA, which may be on a different site or even unavailable in the middle of the night. You sit together whilst the RA unlocks your card. This re-registration is at least 30 minutes of valuable clinical time lost.
Isosec’s Virtual Smartcard leverages the strength of the existing RA process and eliminates the inefficiencies illustrated above. Known as eGIF Level 3, Virtual Smartcard mandates a strong identity check of the person requesting a smartcard.
- Once the user’s identity is asserted, the RA issues a virtual smartcard instead of a physical one. The virtual card is created in the Virtual Smartcard Cloud.
- The user downloads the Virtual Smartcard Authenticator App on their smartphone straight from the app store.
- The RA enrols the user’s smartphone for use with the virtual smartcard using a QR code displayed on their virtual smartcard portal.
- The user scans the QR code with the Virtual Smartcard App, enters their passcode on the smartphone and they are enrolled and ready for use… It’s as easy as that!
Virtual Smartcard using a smartphone
After the Virtual Smartcard is set up as above, it’s ready for everyday use. The user simply clicks Login on the iO identity agent on any workstation: Scan the QR code with the Virtual Smartcard app, enter passcode and authentication completes. iO will also launch any Spine clinical applications if configured to do so.
Please note that this is still two-factor authentication – something the users knows (the passcode) and something they have (the enrolled smartphone).
A user can still insert a physical smartcard if they wish – the software works with both physical and virtual smartcards.
Using the Virtual Smartcard using a HR card
Alternatively, an HR issued NFC card can be enrolled for use with the user’s Virtual Smartcard. In much the same way that a physical smartcard can be used with NFC, as can the HR card.
Virtual Smartcard can be reset using self-service to avoid previously mentioned issues surrounding locked cards. After visiting the Self-Service Portal, a user enters their NHS email address to which a reset link is provided. The linked page asks the user to answer at least two security questions specified during the registration process. This allows the Virtual Smartcard to be unlocked and the passcode reset.
Each reset saves approximately 30 minutes and can be done whenever, wherever.
As the Virtual Smartcard is held in the cloud, there is nothing to physically lose, share or leave in a reader. The Virtual Smartcard technology is improving a previously complex process, so compliance and risk are greatly improved. Users no longer have to battle the technology to do their jobs, they work productively together.
The Virtual Smartcard Cloud service is built into the Isosec cloud-based analytics platform. With Virtual Smartcard it is easy to track when, where and how each Virtual Smartcard is used. This enables Trusts to learn from best practice and identify where any issues may arise. It also provides a rich set of data on how Spine applications are used; data which has not been readily available before. Isosec Analytics also enable Information Governance audits at the touch of a button.
- Enables the use of devices that don’t have a Smartcard reader e.g. an iPad using a virtual desktop client, or for users working from home
- Simple to adopt, solving the Information Governance issues with agency staff, bank smartcards and lack of traceability
- No generic cards in the wild
- Audits and analytics available at the touch of a button
- Enables rapid access to systems for new starters or temporary/agency staff once they have a virtual card – managers can authorise their access via a management console
- Provides a much improved user experience by enabling self-service reset of passcodes, thereby avoiding periods where cards are locked and can’t be reset due to unavailability of RAs
Future plans for Virtual Smartcard include using other authentication methods. We are always looking to improve the iO Identity Agent and RFID tags. Future authentication methods will be policy driven by individual Trust preference.
Using Virtual Smartcard for other purposes is also under consideration, like the possibility of Two Factor Authentication (2FA) for remote access over the public internet. Virtual Smartcard streamlines the authentication process by using a single two factor authentication from any device for internet access, Windows AD logon and Spine authentication for access to clinical apps.
A number of pilots began in April 2017. A full case study with benefits realisation and business case process will be available soon. To register your interest and request a demo please visit our website or email email@example.com and quote this blog. Virtual Smartcard will be readily available to all existing and new iO customers from June 2017. Please visit www.isosec.co.uk to download the iO brochure for information on our other Identity Agent software. You can keep up to date with the release by following us on Twitter @isosec.