Smartcards that need an HSCN connection
Information about smartcards that access patient data via the Health and Social Care Network (HSCN).
Smartcards are credit card sized ID cards. Users authenticate by inserting their smartcard into a smartcard reader and entering their PIN.
Smartcard users need an HSCN network, Credential Management and the Identity Agent installed on their machines.
Convenient
- Users can share desktops/laptops and authenticate with their own individual smartcard
- Widely used
- Smartcards are provided by NHS England
Choosing Smartcards
Users tend to find authenticating with smartcards works well when they:
- already have a smartcard
- access multiple machines
- are quite mobile, working in different buildings/offices
Secure
NHS England security standards require Smartcards to meet the following criteria:
- cryptographic
- uses PKIs
- certificates updated every 2 years
Live environment smartcards
The following Smartcards have been assessed against the above criteria and tested with NHS CIS2 Authentication.
Smartcard:
- Series 5
- Series 6
- Series 8
- Series 9
Reliable
NHS CIS2 Authentication is a platinum service, supported 24 hours a day, 7 days a week.
See our latest availability statistics.
Considerations for organisations providing IT Support
- Lots of health and care professionals already have a smartcard
- No additional hardware is needed as it uses the existing cards and readers
Procurement
The procurement and distribution of smartcards is the responsibility of the local Registration Authority (RA).
Registering devices to users
Each user must have their own smartcard.
To be given a smartcard, users need to request and complete an Authenticator Registration from a Registration Authority (RA).
Smartcard certificate renewals are required every 2 years.
Installation of NHS Identity Agent
It is the responsibility of the local IT organisation to:
- configure devices to work with NHS CIS2 Authentication
- use the setup tool to check if a user's device is correctly configured
Network configuration
NHS CIS1 Authentication is only available on HSCN. Therefore users need HSCN access and a way to reach NHS CIS2 Authentication from HSCN.
NHS CIS2 Authentication is primarily an Internet-only service, so some configuration may be required to enable access:
- out to NHS CIS2 Authentication
- in from NHS CIS2 Authentication
Out to NHS CIS2 Authentication
Both end users and applications need to be allowed to send requests out to https://am.nhsidentity.spineservices.nhs.uk/.
This domain is on a randomly allocated IP address, which is subject to change.
In from NHS CIS2 Authentication
Whenever the user's NHS CIS2 Authentication session is destroyed (e.g. on expiration), NHS CIS2 Authentication can send Back-Channel Logout requests to the application.
These requests come from a small number of fixed IP ranges.
The application, therefore, may require that its hosting network allows requests from NHS CIS2 Authentication to be routed through firewalls to the application.
If the application is installed within trust networks, it is recommended that these are isolated on web servers and not directly exposed on critical internal servers.
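The inbound rule above can be backed by a check in the application itself. The following is an added example, not NHS England code: it gates a Back-Channel Logout request on the connecting address and then checks the logout token's claims. It assumes the requests follow OpenID Connect Back-Channel Logout 1.0 and that the token signature has already been verified; the IP ranges, issuer and client ID are placeholders, and the function names are hypothetical.

```python
import ipaddress

# Placeholders (assumptions): this page does not list the real ranges, issuer or client ID.
ALLOWED_SOURCE_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/28", "198.51.100.16/29")]
EXPECTED_ISSUER = "https://issuer.example.invalid/"
EXPECTED_AUDIENCE = "example-client-id"
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def source_allowed(peer_ip: str) -> bool:
    """True only if the connection's own peer address is in a configured range.
    A forwarded-for header is only trustworthy when set by your own proxy."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_SOURCE_RANGES)


def check_logout_claims(claims: dict) -> list:
    """Return reasons to reject; an empty list means the claims are acceptable.
    Call this only on claims from a token whose signature was already verified."""
    problems = []
    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append("unexpected issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience mismatch")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(LOGOUT_EVENT), dict):
        problems.append("missing back-channel logout event")
    if not (claims.get("sub") or claims.get("sid")):
        problems.append("no sub or sid to identify the session")
    if "nonce" in claims:
        problems.append("nonce present (looks like an ID token, not a logout token)")
    if not claims.get("jti"):
        problems.append("missing jti")
    return problems


def accept_logout(peer_ip: str, claims: dict) -> bool:
    """Accept only when both the network origin and the token claims pass."""
    return source_allowed(peer_ip) and not check_logout_claims(claims)
```

Rejected requests are worth logging with the peer address and the returned reasons, since traffic to this endpoint from outside the expected ranges indicates a firewall rule that is wider than intended.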
Support
You can get support by going to the National Service Desk Customer Portal or emailing [email protected].
Our vision is evolving as we learn
There are lots of features we are working on and considering for the future.
We'd love to hear what you think.
To suggest, comment or vote on these features, visit our feedback portal or contact us by emailing [email protected].
Last edited: 12 February 2025 2:43 pm