Virtual Smartcard

Virtual Smartcard virtualises the physical NHS smartcard into the cloud. This means users can access their clinical workspace and applications using a more convenient form of authentication like a One Time Passcode, a QR code, a HR issued card or a biometric.

The problems

Physical cards are inefficient, high-risk and open to unsafe workaround tactics such as leaving cards in readers, card sharing and regular forgotten or lost cards. The resources, time, money and most importantly patient contact time that is wasted from trying to manage these issues is a huge drain on the NHS.

The challenge

Once we’d had the idea to virtualise the card, the challenge was making it happen whilst maintaining all the same strong identity checks and cybersecurity levels required. With our years of experience working with NHS smartcards we were able to do so, with some extra layers and benefits in addition.

Our approach

Thanks to our innovative approach to an inefficient solution the use cases for Virtual Smartcard are ever expanding. Not only is it great for clinicians and admin staff but Virtual Smartcard can also be used to securely and conveniently authenticate Robot Process Automation, eReferrals, ePrescribing, Summary Care Records and more.


Virtual RA

Smartcards are issued by a Trust’s Registration Authority. Issuing physical cards takes time and requires specialist printers. With the Virtual RA a manager can issue a Virtual Smartcard in the Virtual Smartcard Cloud where it is stored securely and never leaves. The user downloads a Virtual Smartcard Authenticator App on their smartphone. The RA then enrols the smartphone with a simple QR code, which the user scans with the app, the Virtual Smartcard is enrolled and ready for use.

Spine Authentication

When a user wants to logon to their Spine clinical applications, they simply scan the Isosec QR code on their smartphone and enter their passcode. The cloud based Virtual Smartcard is used to authenticate with the Spine and the user can then access their clinical applications.


A Virtual Smartcard can be reset using self-service to avoid issues surrounding locked cards. After visiting the self-service portal a user enters their NHS email address to which a reset email web link is promptly provided. The linked page asks the user to answer security questions specified during the registration process. This allows the user to unlock their own Virtual Smartcard and reset the passcode. Each reset saves approximately 30 minutes of clinical time and can be done whenever, wherever.


Every use of a Virtual Smartcard is audited, geotagged and digitally signed, giving the Trust an unequivocal view of when and who authenticated, which apps were used and for how long. Spine clinical applications also show the actual spine user details, not a generic name in the case of generic physical smartcard usage.


Virtual Smartcard is secured to NHS security standards and requires two-factor authentication: something to the user knows (the passcode) and something the user has (the smartphone). As the Virtual Smartcards are cloud based, they are more secure as there is nothing for a user to lose or leave in a reader. In the event of a smartphone loss, it can be instantly deregistered using the Virtual RA preventing any further use.


Virtual Smartcard works with existing systems in exactly the same way a physical smartcard would, there are no interoperability barriers as the solution is device, systems and hardware agnostic. This allows for a consistent experience for both users, IT teams and management.


Time Savings

Each physical card takes 5 minutes to issue and print, not including the time lost of either the RA manager travelling to the clinician or the clinician travelling to the RA manager. Most RA managers unlock between 5-15 physical smartcards per day, an average loss of up to 10 hours of clinical time a day.

Agency Staff Management

A common approach with agency staff is to issue generic smartcards and distribute them across departments, leaving Trusts open to many potential risks. RA managers often have to travel to large cohorts of new starters with printers to produce each individual card. With Virtual Smartcard there are fewer cards in the ‘wild’ and the registration of agency staff is more streamlined and efficient.

Information Governance and Risk

The current workaround process of managing smartcards poses serious governance and risk issues for Trusts with little accountability. With Virtual Smartcard this is no longer the case. Data is collected passively and collated with full audits at the touch of a button. Virtual Smartcard supports best practice processes and avoids unsafe workarounds including leaving physical smartcards in readers plus Virtual Smartcards cannot be lost.

Reduced Travel

With Virtual Smartcard registration is done via the online RA manager and can also be done remotely to benefit Trusts with large or multiple sites. As Virtual Smartcard is stored in the cloud there is no need to post or travel with cards, reducing risk and saving time and money.

Clinical Benefit

Clinicians currently lose valuable time treating patients when they cannot access clinical systems due to a locked card. If this happens in the middle of a night-shift or in a remote location for example, they have to wait until the RA manager is available to unlock the card the next morning and any treatment may be delayed. Virtual Smartcard removed this barrier enabling clinicians to easily get cards unlocked and treat patients in a timely manner.

Easy Adoption

Virtual Smartcard work with the Isosec Identity Agent making adoption very simple. It is compatible with all Spine clinical applications. Virtual Smartcard works on physical devices as well as VDI environments and also on devices without readers such as iPads. There is no need for upheaval adopting Virtual Smartcard as not every user has to be registered for Virtual Smartcard, and physical cards can be used at the same time.

Isosec HSJ Value Awards 2019