Virtual smartcards

A virtual smartcard is a product and service, including an app on the user's mobile device, that enables users to authenticate securely to gain access to health and care systems and services.

Find out more about non-smartcard authenticators in our CIS2 Authentication section.


Virtual Smartcard Service provided by Isosec

The Isosec product is a third-party application and service that works with the Care Identity Service (CIS) to provide two-factor authentication (2FA) to a range of national and local systems.

It is an option for authentication to Spine systems and it works through a combination of Isosec-specific local client software and an Isosec application that can be downloaded and installed on a user’s mobile device. Virtual Smartcards can be issued and managed by Registration Authorities across their user estate.

This virtual smartcard solution and service is built, managed and supported by Isosec. The new version of the service has undergone product assurance reviews by NHS Digital's Cyber Security, Solutions Assurance and Information Governance functions.

Isosec product statement

NHS Digital and Isosec have been working collaboratively to agree the design and implementation for an enhanced solution from Isosec that meets all of NHS Digital’s requirements.

The enhanced product, using versions of the software outlined below, has now been through that review process. Our cyber security team has confirmed the design of the V1 solution can be used for authentication (authentication to systems only) and the V2 solution can be used for authentication and EPS.

For EPS usage, software must be deployed with the user's cryptographic keys held on a mobile device. Multiple users' keys cannot be stored on a mobile device (phones and tablets) and a mobile device cannot be used by multiple users. No other deployment pattern is approved for use by NHS Digital.

The only approved versions of the software that meet the approved design are those outlined below.

Isosec product assurance

NHS Digital has developed and implemented a requirements framework for Virtual Smartcard solutions to be assessed. This framework will be kept under review at least annually. We will manage change to this framework either as a result of changes to the requirements or changes implemented by supplier systems.  

The enhanced Isosec product has been through a rigorous process of assessment against a number of attributes and acceptance criteria, which has given NHS Digital and Isosec confidence that it can now be made available to NHS organisations under the agreement with NHS Digital.

The assessment covered:

  • consumer contracting and agreement
  • solution overview and how it met security and operational requirements
  • administration – how system admin activities are undertaken and how they are protected from being compromised
  • test and assure – the process and methods for build and test
  • deployment methods and approach
  • change and configuration management
  • monitoring and service management
  • governance
  • risk management including business continuity and disaster recovery

Through the review, a number of additional artefacts have been created and agreed between Isosec and NHS Digital, including a Connection Agreement, Customer Acceptable Use Policy, Change Control Process and Remediation Process, that improve the agreements in place between NHS Digital, Isosec and its customer base.

NHS organisations taking the Isosec solution under NHS Digital agreement should review and accept additional agreements before rolling out the new software and service.

Isosec can provide this or a copy can be provided on request. Email: [email protected]

NHS Digital has assured the Isosec solution against the following versions of Isosec software:

| Component | Version | Description |
|---|---|---|
| vSC Server | 2.2 | Cloud based virtual smartcard component |
| Isosec Authenticator mobile app (for iOS and Android) | 3.4 | Virtual smartcard authenticator mobile app |
| iO Identity Agent | 9.2 | Identity agent |
| vSC Issuance | 2.0 | Virtual smartcard RA issuance component |

Apply for Isosec virtual smartcards

We are not currently accepting any new applications for Isosec virtual smartcards. If NHS organisations return licences they don’t believe they can fully utilise, then we will work with Isosec to engage customers on a first come, first served basis.

NHS organisations can contact Isosec directly via: [email protected] to enquire about how to procure their Virtual Smartcards. Find out more at the Isosec website.

If you wish to be notified if any further licences become available you can email i[email protected] with the following details: 

  • email title - Isosec VSC
  • organisation name
  • contact name, email and phone number
  • how many licences you’d like
  • overview of the systems the users would use the Isosec VSC with

These are the only versions of the Isosec software that are assured for use.

They must be deployed with the user's unique keys held on the mobile device. Mobile devices must only contain a single user’s keys, and must not be shared devices.

No other deployment pattern is approved for use by NHS Digital.


Imprivata virtual smartcard

NHS Digital and Imprivata® have been working together to agree the design and implementation for the Imprivata OneSign Spine Combined Workflow Plus solution that meets all of NHS Digital’s requirements. This solution includes Imprivata’s virtual smartcard.

The enhanced product, using versions of the software outlined below, has now been through that review process. Our cyber security team has confirmed the design of the solution can be used for authentication (authentication to systems only) and our clinical team have approved the deployment of the solution following a successful pilot.

The only versions of the software that meet the approved design are those outlined below, where two-factor authentication is enabled.

| Component | Version | Description |
|---|---|---|
| Imprivata OneSign Authentication Management (AM) | | Allows use of required two-factor authentication |
| Imprivata OneSign Agent | 7.11 | Imprivata OneSign client-side agent |
| Imprivata OneSign Appliance | 7.11 | Imprivata G4 Enterprise Appliance component |
| NHS Digital Identity Agent | 2.3.2 | NHS Digital client-side Identity Agent |

Find out more at the Imprivata website.


NHS Digital Assurance Framework

A copy of the NHS Digital Assurance Framework can be provided on request by contacting [email protected]

Whilst NHS Digital has reviewed these solutions, all customers are advised to perform their own due diligence and pre-deployment checks and tests prior to the use of the solution to ensure that it meets the commercial, legal and policy requirements of their organisation.


Commercial

In April 2020 NHS Digital procured a limited number of licences to remove local burden.

Licences should continue to only be granted and used to help NHS organisations with their COVID-19 response.

NHS Digital has agreed with Isosec that NHS organisations already approved to use the solution under our contract can request that the term of the licence be extended to the end of March 2022. There is limited funding available and therefore this will be agreed by Isosec on a first come, first served basis.

Any organisations who will not make full use of their existing approved licences are encouraged to contact [email protected] to offer unused licences back to NHS Digital. Those licences may then be made available to new or existing organisations that can make use of the service. 

Last edited: 14 February 2025 10:25 am