Prescribing is one of the most time-consuming and wasteful processes in the NHS, costing the NHS over an estimated £300 million each year. With ePrescribing processes, this is made much faster and easier, yet there is still room for improvement to speed things up and make life easier for prescribers, especially with the increase in remote consultations and remote site working due to the pandemic.
ePrescription digital signing and Spine authentication are now made much simpler and faster with Isosec’s NHS Digital accredited Virtual Smartcard service. In this article, Marc Poulaud, CTO and Co-Founder of Isosec, discusses how the current Electronic Prescription Service has been working, the challenges with the process and how Virtual Smartcards can now be used to improve the overall experience, benefitting both clinicians and patients.
How does the ePrescription Service (EPS) currently work?
ePrescribing is the process by which a clinician who has a prescribing role can use a clinical system (such as EMIS) to complete a prescription for a patient – typically done in a GP surgery. To issue a prescription the GP usually has a physical smartcard in their keyboard smartcard reader when this is done. The prescription is then digitally signed using the GP’s smartcard – the process that’s replaced a GP physically signing a paper prescription – identifying the GP and authorising the prescription. Once a prescription is digitally signed by the GP it gets sent to the centralised EPS (Electronic Prescription Service) where it is checked and then sent to a dispensing system for processing resulting in a patient collecting their medication.
Why is a smartcard used during ePrescribing?
A smartcard enables a digital signature which does two things – it establishes the identity of the clinician who signed the prescription and also establishes that the prescription has not been tampered with. With a paper prescription, it’s easier for manual errors to occur, or for someone to masquerade as a GP and issue a prescription for anyone for any drug.
In order for smartcards to be used for ePrescribing, a special type of signature is required – known as AdES (Advanced Electronic Signature). This has some specific legal and technical requirements to ensure that the keys used to sign are very well protected and that the use of the key is under the sole control of the clinician doing the prescribing. This means that the signing key is generated and held in the chip on the smartcard – it never leaves there. It also means the clinician needs to physically enter a passcode or PIN in order to sign a prescription.
How does the smartcard digital signature do this?
Basically, all the data of a prescription (GP identity, patient identity, drug details etc) is computationally hashed, producing a unique fingerprint of the prescription represented as a string of bits. Think of your fingerprint – you produce your fingerprint which identifies you but this alone is not sufficient to create an actual ‘you’ – much like a hash cannot be used to recreate the original prescription. However, change the prescription or you, and the hash or fingerprint changes. This is important because it establishes if the prescription has been tampered with or not.
The hash of the prescription is then sent to the smartcard to be digitally signed – but before this the clinical system will prompt the clinician for their smartcard passcode, which is used to log in to the smartcard before the signature is allowed. The smartcard does some crypto magic using a private key on the hash and, hey presto, the digital signature is generated on the smartcard and then sent back to the clinical system. This digital signature contains the GP’s identity too.
This process uses 2FA (Two Factor Authentication) – the physical smartcard (something you have) and the passcode (something you know).
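The hash-then-sign flow described above, as an added example that is not code from Isosec, EPS or any clinical system: a hypothetical Card type holds the private key and signs a prescription hash only after the passcode check, and Verify shows the signature failing once the prescription is altered or checked against another card's key. SHA-256, Ed25519, the type and function names, the passcode and the prescription text are assumptions chosen for illustration; the article does not name the algorithms the smartcard uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Card is a hypothetical stand-in for the smartcard chip: the private key is
// created in NewCard and can only be used through Sign, never read out.
type Card struct {
	priv    ed25519.PrivateKey
	pinHash [32]byte
}

// NewCard generates the key pair "on the card" and hands out only the public half.
func NewCard(pin string) (*Card, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		return nil, nil, err
	}
	return &Card{priv: priv, pinHash: sha256.Sum256([]byte(pin))}, pub, nil
}

// Hash is the clinical-system step: fingerprint the prescription bytes.
func Hash(rx []byte) [32]byte { return sha256.Sum256(rx) }

// Sign signs the hash only after the passcode (something you know) is
// accepted by the card (something you have).
func (c *Card) Sign(pin string, digest [32]byte) ([]byte, error) {
	got := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(got[:], c.pinHash[:]) != 1 {
		return nil, fmt.Errorf("wrong passcode: nothing signed")
	}
	return ed25519.Sign(c.priv, digest[:]), nil
}

// Verify re-hashes the prescription as received; any changed byte fails.
func Verify(pub ed25519.PublicKey, rx, sig []byte) bool {
	d := Hash(rx)
	return ed25519.Verify(pub, d[:], sig)
}

func main() {
	rx := []byte("prescriber=DR-EXAMPLE;patient=PT-EXAMPLE;drug=amoxicillin 500mg") // constructed sample
	card, pub, _ := NewCard("4821")
	sig, _ := card.Sign("4821", Hash(rx))
	fmt.Println(Verify(pub, rx, sig), Verify(pub, append(rx, '0'), sig))
}
```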
How does ePrescribing work with a Virtual Smartcard?
It pretty much happens in the same way, but with some slight differences.
When the clinician comes to issue a prescription in the clinical system, the prescription hash is redirected to the clinician’s smartphone app where the clinician is required to provide a PIN or biometric before it is signed with a key protected by a chip on the phone.
Are Virtual Smartcards approved for use in the NHS?
NHS Digital has now accredited Isosec Virtual Smartcards on the Virtual Smartcard Assurance Framework. This framework ensures that any virtual smartcard solution meets a set of technical, operational and security requirements, which includes AdES for ePrescribing. At Isosec, we’re really proud to be the first approved Virtual Smartcard on this framework.
You can find out more information on the Framework in our announcement here.
You can also find the announcement on the NHS Digital website here.
Why is a Virtual Smartcard better than a Physical Smartcard?
Virtual Smartcards ultimately make life easier for clinicians as they’re not reliant on carrying a physical smartcard or card reader anymore. They can use the Virtual Smartcard authenticator app on any mobile device they choose, and use their Virtual Smartcard straight from their phone or tablet. This is especially useful as virtual desktop infrastructure is increasingly replacing traditional desktops, and clinicians are working more remotely due to the Covid pandemic climate.
The advanced signature also allows for bulk signing, which makes for time and efficiency savings for clinicians too.
Being cloud-based and system agnostic, Virtual Smartcard works seamlessly with all clinical systems such as EMIS, SystmOne, Adastra. So, there’s no configuration for NHS organisations or investing in onsite equipment to maintain smartcards or authentication.