Delivering Secure and Trusted Access Within the UK Health Service
It would be fair to say that the 74-year-old National Health Service in the UK is chronically ill. A perfect storm of issues impacts it operationally and clinically and — as a result — the overall health of the nation.
A lack of funding under successive governments; huge demand from an aging population; nurse and doctor shortages due to recruitment, retention, pay and pension issues; and the considerable impact of COVID-19 have affected service delivery enormously.
Analysis by the British Medical Association puts this into stark reality. It reports a substantial backlog of patients waiting for treatment in secondary care which, as of September 2022, stands at a record 7.1 million people, with fast-track cancer referrals also worryingly at their lowest level ever.
Add to this is the complexity of changing and transforming the health service to become more productive and efficient, which is tough to do not only because of its supertanker size. According to the King's Fund, an independent think tank, the NHS employs 1.2 million people and consumes an annual budget of over £190 billion.
In a sense, the name "NHS" is, therefore, a bit of a misnomer. Yes, it's a national health service funded centrally by the UK Government through tax receipts, where care is delivered free of charge at the point of need. But the NHS is a patchwork group of hundreds of different organizations across the country, all with their own boards, executive management, clinical teams, budgets and ways of doing things.
It's Not All Doom and Gloom
While the scene-setting facts outlined above show the extent of the health system's challenges, tremendous strides have been made to improve the NHS.
The Health and Care Act 2022 is one example of how the system is evolving. When the NHS was first created in 1948, the focus was very much on treating single conditions or illnesses. Since then, health needs have changed. Many people live a lot longer and have multiple conditions requiring comprehensive, broader and longer-term care provided by various bodies and teams: acute trusts, mental health and community services, GPs, local authorities and charities.
The Act has established a framework to enable services to work more closely together called the NHS Trust Provider Collaboratives and Integrated Care Systems. This framework makes it easier for patients to get the care they need from various organizations and specialists when and where they need it.
The use of feature-rich technology is key to delivering this. Many of the NHS Trusts, of which there are over 200, have now made substantial investments to introduce:
- Trust-wide enterprise patient record (EPR) systems to record and manage all patient interactions
- Electronic document management solutions (EDMS) to eliminate historical paper patient notes clogging up buildings and costing millions of pounds to move around and store. Paper is a killer when multidisciplinary teams need access to information.
Numerous trusts have shifted IT to the cloud so systems can scale easily and quickly, and in-house IT departments avoid the day-to-day headache of managing servers, storage and switches. Others have deployed unified communications using Microsoft 365 to facilitate better team collaboration, thereby boosting clinical productivity and enhancing patient engagement.
Much has been learned along the way following high-profile mistakes. The National Programme of IT championed by the Blair Government in 2002 is the poster child of how not to manage things. Using a top-down approach that didn't consider local needs, it foisted IT systems upon trusts, costing the taxpayers billions before being dismantled in 2011. Things have changed since then. Trusts and clinical teams are now primarily in control of their own IT decisions, and can base them on local requirements and context.
Network Security is Sacrosanct
Network security is a crucial component in all this, given everyone's dependency on computers to do their jobs. Universal Smart Cards (USC), the largest European distributor of HID’s identity authentication and verification products, plays a significant role here.
A decade ago, PKI-based smartcards were introduced to authenticate clinical users properly when they use their Windows-based laptops or PCs to access local hospital networks or other nationally managed key healthcare platforms.
Three types of smart card reader are supplied by USC to facilitate this, with more than 192,000 shipped to the majority of hospitals to date.
HID® OMNIKEY® 3121 USB connected readers are the most popular, with HID OMNIKEY 5022 high-frequency contactless readers also used. For sensitive environments like operating theatres, HID OMNIKEY 5321 clean room readers have also been installed as they are contactless, waterproof and wipe clean for hygiene purposes.
Designed with "openness" in mind, smart cards from other suppliers can also be used — there's no proprietary technology lock-in. HID OMNIKEY readers are convenient, durable, reliable and have a two-year warranty.
Reliability is key. Most clinical consultations last up to 15 minutes, and doctors are constantly under pressure to get through their patient lists. The last thing they need is access technology that doesn't work or is difficult to use. Additionally, the health service saves money as it doesn't need to buy replacements very often.
USC also manages reader stock levels and offers a distribution service to trusts. As a result, the delivery process is painless and provides detailed auditing of where and when units have been sent. During the height of the Covid-19 pandemic, smart card readers for the NHS were prioritized over other industries and customers, with around 10,000 extra readers sent out for use at the seven temporary NHS Nightingale Hospitals.
Two-Factor Authentication is Widely Adopted
Two-factor authentication is a common standard to enhance security, enabled by a digital certificate stored in each smart card. When clinical staff inserts a smart card into an HID OMNIKEY reader, a Windows log-in screen pops up where they can input their username and PIN. The certificate on the card and the PIN are both checked to ensure a match. Only then can the individual log in to access the hospital network, applications and the NHS Spine itself.
Role-based access is provided as well. Doctors use smart cards that include advanced electronic signatures (AdES) to sign e-prescriptions and access certain data, which a nurse, for example, would not be allowed to do.
In addition, the smart cards are used as employee badges and come with a photo of the individual printed on it, along with the job title, organization and NHS logo.
This smart card approach solves the issue of managing hundreds of thousands of users across the entire health economy, removing the need to remember and reset passwords. The security posture of the NHS is maintained, and IT help desks avoid the costs of supporting users who forget passwords or use insecure combinations of letters and numbers.
As the NHS becomes more automated and relies more heavily on an IT infrastructure to reduce costs and increase efficiency, the requirement to allow access to applications and data by thousands of staff is fundamental. HID OMNIKEY smart card readers supplied by USC are enabling this to happen.
Thierry Roz is the Managing Director of the RFID Business Unit within the Extended Access Technologies Business Area. The RFID Business Unit encompasses both embedded as well as desktop devices across the full RFID product range. His mandate is to maximize revenue, growth, and profitability. He joined HID Global in 2012 as Director of Business Development. In 2015, he drove strategy and led sales activities as Director of Sales, Embedded Solutions EMEA. In 2017, he joined the senior management team of the Extended Access Technologies Business Unit as Vice President, Business Development. In 2021, he assumed his current role. Prior to joining HID, he held management roles at semiconductor manufacturer EM Microelectronic in Switzerland. He has a Master of Science degree in Microelectronics and Automation from Polytech Montpellier, France.