University College London Hospitals NHS Foundation Trust (UCLH) has become one of the first big hospital trusts in England to begin using smart cards in conjunction with an electronic patient records system.
UCLH is using the cards to provide staff with quick, secure and easy access to its new electronic patient record system – Carecast supplied by IDX. The trust and its supplier have worked closely together to integrate the use of smart cards to control access to patient information held on the EPR system.
An initial smart card pilot was successfully completed in late November 2005, with the cards initially being used by about 30 trust staff. The trust plans to roll out smart cards to additional UCLH staff and clinicians in 2006, eventually providing them to most of the trust’s 2,500 staff.
“While electronic health records enable us to provide higher quality patient care, we are also sensitive to patients’ concerns about the privacy and security of their records,” said UCLH chief executive Robert Naylor.
Colin Jervis, interim director of IM&T at the trust told E-Health Insider that to effectively introduce smart cards had first "required smart processes to be introduced", including establishing a rigorous registration authority for managing the process of verifying the identity of staff and controlling the issue and management of smart cards.
Jervis said that the types of practical issue the trust had to work through included making sure that access rights were revoked as soon as a staff member left the trust and managing the issue of cards to the large numbers of staff – medical students or agency staff — who work at the trust for a short period before moving on.
Smart cards are currently being widely introduced in the English NHS under the NHS National Programme for IT (NPfIT) to support access to other types of related healthcare technology, such as e-booking capabilities. The smart cards being use at UCLH are provided by Gemplus, which is supplying NHS National Programme for IT(NPfIT).
Although UCLH is officially outside the NPfIT programme, it is de facto providing the test bed for some of the key technologies and systems due to be deployed across England. The trust is the first to implement IDX’s Carecast EPR system, which by 2010 is due to be in use in all hospitals in the capital.
The UCLH system shares many similarities with the national NPfIT smart card approach it does not use the national NHS spine to verify the identity of staff logging on with smart cards, or use the spine to determine their level of access to patient information.
The NPfIT programme calls for smart cards to be issued to hundreds of thousands of NHS staff which, used in conjunction with the NHS Spine, is intended to provide secure access to patient information and ensure that only authorised personnel have access to patients’ demographic and medical information.
IDX developed the user authentication system to support smart card deployment with Carecast at UCLH. The smart card system includes three layers of security: the smart card itself, a personal password and role-based access within the Carecast system. The smart cards will be phased in to replace an existing approach that was solely password-based.
To access Carecast, an employee inserts his or her card into a card reader attached to the computer. The employee then enters a personal password in order to log on to Carecast. All access to information in Carecast is role-based, so users see only that portion of the information they need to perform their jobs.
UCLH went live on the first phase of Carecast in June 2005, with the patient administration system (PAS), including modules in the A&E and maternity departments. The PAS components of Carecast are now in use at each of the trusts eight hospitals, including the flagship University College Hospital.
The move to electronic patient records at UCLH involved converting approximately 1.5 million patient records to Carecast, and since then the system has been processing about 250,000 transactions every day. The trust has also had installed the infrastructure for one of the nation’s largest wireless networks to link clinicians and staff across each of its eight hospitals.
“Smart cards are a simple, effective, and very visible means of protecting the privacy and security of medical records,” said Rob Baker, managing director, IDX UK.
“Ultimately, the success of electronic health records depends in part on patients’ confidence in the security of their personal health information. UCLH’s adoption of smart cards will help lead the way for patients to embrace the benefits of electronic records.”