New NHS Smartcards will be used to restrict access to patient information under the NHS Care Records Service to only those healthcare professionals with the correct authentication. In an exclusive article for E-Health Insider, Duncan McNeil, chief technology officer for the National Programme for IT, explains how the system will work and why smart cards were chosen.

The new NHS Care Records Service (NHS CRS) will provide an electronic NHS Care Record for all England’s 50 million plus patients, revolutionising the way health and care information is stored and handled.  It will ensure that wherever and whenever a patient seeks NHS care, the right information is available to the right people at the right time.

However, ensuring that only the right people can access patient information requires the ability to effectively authenticate users of NHS CRS. As part of the development process for the NHS Care Records Service, the National Programme for IT undertook an extensive evaluation of the different means of authenticating users.

Authentication usually relates to something you have, something you know or something you are. Traditional methodologies require a username and password – two instances of something you know.   While this single factor authentication is better than no challenge at all, it provides only relatively weak security.  A person would, for example, not expect to be able to get money out of the bank using this information alone.

Single and two-factor authentication 

Single factor authentication is open to identity theft via keystroke monitoring, social engineering ("what’s your password?"), shoulder surfing, man in the middle, network monitoring, password cracking, the Post-It attack (stick the password on one) and support staff abuse (see detailed list at the end of the article). 

Two-factor authentication, such as a smart card in conjunction with a PIN, greatly reduces the risk of identity theft.  For this reason, two-factor authentication is the standard mandated by government and supported by industry, to be used when authenticating identity for access to systems which may impact on the care of patients. 

In two-factor authentications, the password may still be used, as it provides the ‘something you know’ part of the authentication.  However, either the ‘something you have’ or ‘something you are’ must be provided, too, giving a second factor.  The most common form of ‘something you have’ is a physical token – usually an electronic card. ‘Something you are’ could be a fingerprint or retina scan.

This second factor overcomes all the risks of single factor authentication. Obtaining the password by itself is useless, as the physical token is not present and this is required as a second factor. This mitigates against techniques such as keystroke monitoring, simple social engineering, shoulder surfing, password cracking, the Post-It attack or support staff abuse.

By using the password to unlock information held on the physical token, and providing this in a secured manner to a central authentication service, the integrity of the credentials can be maintained.  This mitigates against ‘man in the middle’ – and network monitoring – provided a trusted session is implemented between the user’s machine and the authentication service. 
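The PIN-unlocks-token flow described above, as an added Python sketch that is not part of the original article or any NHS code. The `Card` and `AuthService` classes, the three-try PIN limit and the shared HMAC key (standing in for whatever credential the real card holds) are assumptions, and the trusted session between workstation and service is not modelled.

```python
import hashlib
import hmac
import secrets


class Card:
    """Constructed stand-in for a smart card; the key never leaves the object."""

    MAX_TRIES = 3  # assumed retry limit, not a figure from the article

    def __init__(self, pin, key):
        self._key = key
        self._salt = secrets.token_bytes(16)
        self._pin_ref = self._kdf(pin)
        self.tries_left = self.MAX_TRIES

    def _kdf(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def sign(self, pin, challenge):
        """MAC the challenge if the PIN is right; lock after MAX_TRIES misses."""
        if self.tries_left == 0:
            return None  # locked: PIN guessing stops here
        if not hmac.compare_digest(self._kdf(pin), self._pin_ref):
            self.tries_left -= 1
            return None
        self.tries_left = self.MAX_TRIES
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class AuthService:
    """Central service: single-use challenges, constant-time verification."""

    def __init__(self, keys):
        self._keys = dict(keys)  # card_id -> key (HMAC stand-in credential)
        self._pending = {}       # card_id -> outstanding challenge

    def challenge(self, card_id):
        self._pending[card_id] = secrets.token_bytes(32)
        return self._pending[card_id]

    def verify(self, card_id, response):
        nonce = self._pending.pop(card_id, None)  # a challenge is used once
        key = self._keys.get(card_id)
        if nonce is None or key is None or response is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)
```

Because the PIN is checked on the card and only a response to a fresh challenge crosses the network, a response captured in transit is rejected when it is presented again.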

Although the cost of implementing a two-factor authentication system is marginally higher than that of a single-factor system, the benefits in terms of integrity, flexibility and security are manifold. 

There is no need to hold a centralised username and password store, and the number and complexity of authentication interactions is reduced.  The risk of an individual’s identity being compromised in a large distributed system is also greatly reduced, as the emphasis for authentication security lies with the user and not the system.                             

Why smart cards were chosen

Several different approaches to two-factor authentication were considered by the National Programme. Biometrics was dismissed because, although fingerprint identification would have been a relatively low-cost option, fingerprints are impossible to obtain from users wearing surgical gloves.

USB Tokens were dismissed as being easy to damage and impossible to visually tie to a user’s identity.  The cost of ‘Secure ID Number Tokens’ is prohibitive on the scale required, so they too were dismissed.

Smart cards holding electronic credentials have a number of advantages which make them the preferred option. They are relatively easy to deploy in large numbers and can be used with standard PCs. Another benefit of cards is that they can be readily personalised to provide a visual tie in to identity.  And, once issued through a registration authority, smart cards can also be used with door access systems, car parking systems, as a canteen payment card, occupational health information card or ID card.

Smart cards are also a proven technology that has already been successfully used in both the public and private sectors. Many financial institutions across the world favour ‘chip and pin’ to enable customers to access cash or make payments. And in the US, the Department of Defense has deployed a system similar to that proposed for the NHS in England and with many more users.

All these factors have led the National Programme to choose two-factor authentication, using ‘NHS Smartcards’ and PIN numbers. The system relies upon the assured registration of an individual’s identity, and registration authorities located in each local NHS trust will be responsible for issuing the Smartcards to staff.

How the system works

The NHS Smartcard has been designed so that it can be integrated with other card schemes (for example, occupational health, staff ID cards). The card can also be produced with a magnetic strip on the reverse, allowing its use with existing swipe systems. 

To use the new Smartcards, systems will require a card reader.  These come in a variety of types and designs and are compatible with a wide variety of devices.  The readers being deployed by the National Programme are compatible with both USB and RS232 interfaces, and are supplied with an interchangeable cable that connects to both USB and RS232.  Card readers are also readily available for devices such as PDAs and tablet PCs.

The architecture adopted by the National Programme leaves the door open for other authentication mechanisms to be used in the future, such as facial recognition technologies, and these may be used to replace the PIN in situations where systems are capable of using such technologies. 

Access and registration

An individual’s level of access to patient information held on National Programme systems will be determined by their role, their legitimate professional relationship with the patient and the patient’s use of an electronic ‘sealed envelope’, in which sensitive information can be placed.

Healthcare professionals will be able to access the systems they need to, regardless of where they are within the NHS. For example, GP locums attending a practice for the first time will have their role profile altered by an authorised user within the practice to give them ‘membership’ of the practice. This is a simple and straightforward process which will take less than a minute to perform. The membership will expire automatically after a set time.

By levelling a common registration and authentication process across all care professionals, the NHS can rely upon the identities, credentials, and assured qualifications of the individual for both access to care records and also the audit of such accesses.

The NHS Care Records Service will provide much more protection and control for patients than they currently have. Every person who accesses a patient’s record will leave an audit trail – who they are, what they did and when.  Anyone trying to see a patient’s record against access rights will trigger an alarm to a privacy officer who will follow it up. Authentication mechanisms will be closely scrutinised to ensure that patient care is not adversely affected by the introduction of these new technologies.
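The access rules in this section (role, legitimate relationship, sealed envelope, expiring membership, audit trail and privacy-officer alert), as an added Python sketch that is not part of the original article or the NHS CRS implementation. The role names, item names, `ROLE_MAY_READ` table, the rule that sealed items are withheld from every requester, and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed role-to-item permissions; the article does not list any.
ROLE_MAY_READ = {"gp": {"summary", "medication"}, "receptionist": {"summary"}}


@dataclass
class AccessControl:
    memberships: list = field(default_factory=list)  # (user, org, role, expires)
    relationships: set = field(default_factory=set)  # (org, patient)
    sealed: set = field(default_factory=set)         # (patient, item)
    audit: list = field(default_factory=list)        # every attempt
    alerts: list = field(default_factory=list)       # denied attempts only

    def grant(self, user, org, role, now, ttl):  # time-limited membership
        self.memberships.append((user, org, role, now + ttl))

    def request(self, user, patient, item, now):
        """Deny by default; record who, what and when; alert on any denial."""
        live = [m for m in self.memberships if m[0] == user and m[3] > now]
        outcome = "DENY:no-membership"
        for _, org, role, _ in live:
            if item not in ROLE_MAY_READ.get(role, set()):
                outcome = "DENY:role"
            elif (org, patient) not in self.relationships:
                outcome = "DENY:no-relationship"
            elif (patient, item) in self.sealed:
                outcome = "DENY:sealed"  # assumption: sealed items are withheld
            else:
                outcome = "ALLOW"
                break
        entry = (now, user, patient, item, outcome)
        self.audit.append(entry)
        if outcome != "ALLOW":
            self.alerts.append(entry)  # queue for the privacy officer
        return outcome


def demo():
    t0 = datetime(2005, 1, 10, 9, 0)  # constructed scenario: one-day locum
    ac = AccessControl()
    ac.relationships.add(("practice-A", "patient-1"))
    ac.sealed.add(("patient-1", "medication"))
    ac.grant("locum-7", "practice-A", "gp", t0, timedelta(days=1))
    asks = [("patient-1", "summary", 0), ("patient-1", "medication", 0),
            ("patient-2", "summary", 0), ("patient-1", "summary", 2)]
    return [ac.request("locum-7", p, i, t0 + timedelta(days=d))
            for p, i, d in asks], ac
```

The last request in `demo()` repeats the first one two days later and is denied because the locum's membership has expired.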

In the future, the NHS Smartcard plus PIN authentication process could allow NHS-registered users to be recognised by other organisations they need to work with within central and local government and further afield.  In addition, the infrastructure deployed by the National Programme could support a patient card with patient interfaces deployed in the same manner as bank ATMs, offering patients access to HealthSpace and other services.

Duncan McNeil
Chief Technology Officer, NPfIT

Reasons why single factor authentication alone is insufficient

a) Keystroke Monitoring
The monitoring of keystrokes is possible using widely available, or simply constructed, software.  In an environment where the local workstation is not tightly and uniformly constrained or security-hardened, it is relatively straightforward to deploy such software without the knowledge of end users.  Furthermore, in an environment where multiple users are on a workstation, it is possible to acquire the authentication credentials for them all.

b) Social Engineering
A common attack by a would-be impostor is to persuade an individual to reveal a password by explaining in a plausible manner why the secret should be exposed.  There are many examples of this happening in other arenas, for example – the "Microsoft" email which redirects you to a data harvesting site, or the several examples of e-mails ‘phishing’ for bank account details.

c) Shoulder Surfing
Strictly a form of Social Engineering, this occurs when the would-be impostor simply looks over a user’s shoulder whilst they are authenticating. Less-experienced users who take their time, and concentrate harder on what they are doing, are more vulnerable to this.

d) Man in the Middle
A less common form of attack, but there are recent examples of such activity. A server is placed between the user and the system they are authenticating to.  The "man in the middle" implements an interface in such a manner that the user is unaware of the interference.  The "man in the middle" then is granted access to the application server, having passed user authentication information to the application server, and information is then passed back to the user’s machine.  This results in the user’s unique login information being obtained without the user’s knowledge.

e) Network Monitoring
Analysis of network streams is possible on all kinds of networks; however, it is especially straightforward on ethernet networks. Analysis tools (also called sniffers) work by monitoring ethernet broadcast technology.  Credentials (such as passwords) are sent across the network in frames consisting of various sections.  The header for each frame contains the source and destination address for the data, and this is sent to all hosts on an ethernet network. The tool works by configuring the local ethernet adapter to accept all network transmissions on the network, whereas a correctly configured ethernet adapter will only accept frames for which it is the destination.  By actively seeking authentication information from a network, whilst ignoring other data, the tool can isolate and attempt to decode authentication information.  The tool can either decode trapped authentication information, or trap streams of authentication information, and then re-present them.

f) Password Cracking
This type of attack occurs when an automated process attempts to gain access to a system using repeated login attempts with differing key combinations or words.  Typically utilising a dictionary of possible passwords, these tools are usually able to compromise approximately 25% of passwords.  This technique also has the side-effect that it commonly causes a denial-of-service (DoS) attack to occur with the authentication server being required to perform rapid authentication (albeit with denial answers).

g) The Post-It Attack
One of the most common and simplest password attacks. It occurs when a user writes their password on a Post-It, and attaches it to the side of their computer or monitor.

h) Support Staff Abuse
Any support staff who are able to change a user’s password information will have access to the confidential information.  If these users become disgruntled or disenfranchised then the possibility for abuse increases significantly.