Registration Authorities and SmartCards

1
Registration Authorities and SmartCards
2
What is aRegistration Authority?

• Individual/s responsible for local registration
  and management of User Identities (profiles)
• Generally used to describe a organisation rather
  than an individual
• Implemented wherever need for registration or
  management of User identities

3
Registration Authorities

• What do they do?
• Register User Identities
• Real World Credentials
• Face to Face Interaction
• Trusted Third Parties - Sponsors
• Manage User Identities
• Issue Authentication Credentials
• Something you know (Shared Secret)
• Something you have (SmartCard)

4
Registration Authorities

• Why do we need them?
• Comply with Government Guidelines
• Comply with Best Practice
• Implement single National Policy and Process
• Provide assured identity
• Basis for National Access Control Framework.

5
Registration Authorities

• Who needs to be involved?
• Several different disciplines
• Senior Management Team
• Human Resources (credentialing)
• IT Department (installation)
• Caldicott Guardians
• And resources need to run them

6
What needs to be done?

• Senior Management nominates RA
• RA should be managed by a senior member of staff
• RA can be team
• National Security Officer authenticates RA
• RA agrees to RA obligations in a non-repudiable
  manner
• Local trust provides RA resourcing

7
Resourcing

• RA assisted by
• Local Registration Authorities
• (day to day RA operations)
• Sponsors
• (assist RAs)
• RBAC Governance Authority
• (control role base access control)

8
What Equipment?

• Workstation(Registration Functionality is Web
  App)
• SmartCard access device(a standard reader is
  adequate)
• SmartCard Printer(currently being priced)

9
Registration Process

• Healthcare Professional presents real world
  credentials
• Face to face interaction with RA Sponsor
• Complete Certificate Holder Agreement
• Define Shared Secret

10
Issuance Process

• Face to face interaction
• Digital Photograph taken of Healthcare
  Professional
• SmartCard Printed with users details
• SmartCard Printed with photograph
• Credential written to SmartCard
• Can be part of Registration Process

11
Management Processes

• HR Joiners and Leavers changing to include RA
  processes/needs
• Revocation of Credentials
• Replace lost / stolen credentials
• Audit requirements
• Caldicott satisfaction required

12
Deployment Timescales

• RA instantiated 2 months ahead of Go Live dates
• Registrations can be independent of Issuances
• Users registered 1 month ahead of Go Live dates

13
SmartCards

• Will look something like this....

14
Who provides the SmartCards?

• Initial card deployments funded centrally
• 25 churn included
• Procured from ISPs

15
Who deploys the cards?

• Local Trusts through RAs
• Local RA responsible for management of cards
• LSPs contracted to provide support in the
  deployment

16
Registration Authorities

• What do they do?
• Manage User Identities Registration Issue
• Register users
• Issue, revoke and change profiles and Smartcards
• Issue Authentication Credentials
• Something you know (Shared Secret)
• Something you have (Smartcard)
• Associate the user with their profile
• Where they work e.g. Practice/s, Hospital/s
• What role they need e.g.
• referring clinician GP,
• service provider clinician Consultant,
• referring clinician admin receptionist,
• service provider clinician admin admissions
  secretary

17
Registration Issue

• Healthcare Professional presents real world
  credentials in person e.g. Utility bill,
  Passport, driving licence etc
• Complete Certificate Holder Agreement
• Define Shared Secret
• Digital Photograph taken of Healthcare
  Professional
• Smartcard Printed with users details and
  photograph
• Sponsor recommendation of role
• Credential written to Smartcard

18
Healthcare Professional Access

• Access to any National Programme application e.g.
  Electronic Booking is via
• A known machine
• i.e. one with a valid National Programme Identity
  Agent
• NB This is added when the card-reader is
  installed
• A known user
• i.e. one with a valid profile created by the
  Local Registration Authority

19
Healthcare Professional logon

• Before accessing a national application
• Insert smart card
• Enter user id/password
• If user has multiple profiles select from list
• Single sign on for NCRS compliant applications

20
Access control in EBS

• Consent
• EBS checks the consent status before allowing a
  referral
• Role based access control
• EBS makes use of the users role profile to
  determine what functions can be used
• Implied Legitimate Relationships
• Access to patient bookings and referrals is
  restricted to those who have a legitimate
  relationship with the patient
• Content sensitive referral
• For further restricting access to a referral by
  BMS and other practice staff.

21
Access control in EBS
Role Based Access Control
Refer
Cant see referral
Clinician can Create referral
Practice A
Service X
Consultant Can view referral, cant change it
Admin can see booking but cant see referral
Can view booking Can act on behalf of referrer
BMS
22
Patient Access BMS Web

• Patients may access the Electronic Booking
  Service via BMS HealthSpace
• To book, rebook or cancel an appointment
• Authenticated using
• UBRN
• Password

23
Patient Access BMS Web

• UBRN
• Patients will be given a UBRN number with each
  referral/booking that is made for them by the GP
• Setting the Patient Password
• A password must be agreed with the patient set by
  the referrer or practice staff
• Mandatory requirement to allow patient to use BMS
  and/or Healthspace
• Required in order to provide secure yet easy to
  use authentication process patients