
National RA WebEx, 17 April 2018, 2pm, presented by CIS Team.




2 Agenda
Structure of the session:
- Strategic Authentication Update: long term vision; strategy for identities; strategy for methods of authentication; priorities for 2018/19
- RA Audit
- GDPR and CIS Databases
- RA101
- Data Quality
- RA Positions
- ESR Interface Transactions
- System Generated Positions
- Predecessor Positions
- Outsourcing RA
- 08 Smartcards
- RA Incidents

3 New Authentication Services Update (NHS Identity)

4 Connected Services, Applications, Connected Devices
Diagram labels: Digital Identity Interoperability Platform; Next Generation Health Identity Platform; PKI; Authentication; Authorisation; Federation; Registration Management; User Self Service; Role Management; Digital Signing; Analytics; Attribute Exchange; IoT; Consent Dashboard.
Digital Identity is not just about security: it is a mechanism by which to link devices and their capabilities to individuals (e.g. the location of an individual via a mobile device) and to utilise this relationship and the capabilities of the device seamlessly in applications and cloud services. It also covers preferences, sites visited, contact mechanisms and, when combined with IoT, biological information (heart rate, blood sugar levels etc.). It allows continuous profiling but also provides control to the user by requesting consent (this is built into the security).

5 Enhanced Strategic Authentication: Options
- Stop: close the project. Not an option.
- Do Nothing: leave CIS 'as is'. Mobile, platform-agnostic sign-on is not catered for; there is no authorisation capability to protect smartcards, plus only limited add-ons such as Google OTP (one time password).
- MVP+ / Beta: live release to support mobile access and existing smartcards. Minimum Viable Product: live service; support SSO; support initial smartcard alternatives, e.g. OTP for the Data Landing Platform; support current smartcards but built on recognised standards; support protecting some of the 2020 APIs; support internet access; support multi-platform clients; abstract national authentication outside the client application; support service-by-service access rules; add a FIDO option to allow local choice of proof.
- Maximum: modernise the full identity stack to provide a full end-to-end service. Do all (planned): revise the Clinician Registration Assurance Service; revise Identity Management to be more self-service orientated, bringing in more data sources of identity (GMC, bank staff); revise Role Management (can do better than a spreadsheet); add a Remote Signature Service; add risk analytical engines to detect anomalies; add medical IoT management.

6 NHS Identity Components
3 new national services will be built:
- National Care Worker IDP: will provide logon services at various levels depending on the organisation scenario's requirements. Initially Smartcard, OTP and Push Notification at service go-live, followed by FIDO-based biometric support. Platform agnostic (e.g. ChromeOS).
- National Access Gateway: will protect national APIs and services, referencing a granular set of rules and policies.
- National Federation Service: will allow the national sign-on to be used to access 3rd party national services such as NHSMail, O365 and ESR.

7 Long Term Roadmap Themes
Roadmap diagram. Themes: Single trusted digital identity; Simple Registration; User & Role Management; Next Gen Access Control; Remote Signature; AI Continual Risk Analytics; IoT Management. Benefits tagged against the themes: Simplifies Process; Increases Security; Saves Time; Saves Money; Simplify Logon; Enables Mobility. Timeframes shown: 2017/2019, 2018/2019, 2018/2019, 2018/2020, 2019/2020, 2019/2020.

8 Strategy for Digital Identities
- Currently a high bar (e-GIF Level 3) exists for creating a digital identity, whatever the use. Is it really needed to access e-learning or to upload data the organisation owns?
- Lots of guidance around, as e-GIF has been deprecated for a number of years: UK: GPG 43, 44, 45; US: NIST. All talk about different levels of identity for different needs.
- Plan is to cater for 2 levels of identity in the future: Level 1 for access to non-person/sensitive/clinical information; Level 3 for access to person/sensitive/clinical information.
- The new authentication product is piloting Level 1 identity with the Data Landing Portal, a web submission portal to send data in a secure and consistent way across organisations.

9 NHS Identity: Supported Authentication Methods v0.3
Authenticator Assurance Level 1:
- User ID + Password
- One Time Passcode (Time-based One Time Passcode)
Authenticator Assurance Level 3:
- Smartcard + PIN
- Push + Bio/PIN/Pattern
- FIDO2 Device + Bio/PIN
- Wearable + Bio/PIN
- ForgeRock iOS FIDO2 Module + Bio/PIN
- Yubikey + Bio/PIN
Additional authentication component(s), by method: Smartcard + Smartcard Reader with the NHS Digital Identity Agent & mini-drivers client; iOS or Android smartphone / tablet (with Authenticator installed); iOS or Android smartphone / tablet (with Authenticator installed and N/W connected); Wearable Device + NFC or Bluetooth reader; ForgeRock FIDO2 module installed on the tablet; Yubikey; FIDO2 Device.
Works with (varies by method): Windows PC, Windows Laptop, Win10 Tablet, iPad, Macbook/iMac, Android Tablets, Chromebook.

10 The Next 12 Months Priorities
- Transition plan: develop, consult and agree timelines
- Mobile SCRa Pilot via an iOS device
- Federation of identity with NHS Mail
- OpenID Connect standard for Smartcard Authentication

11 Longer Term Priorities
- Redesign of the Registration process
- Redesign of RBAC: user and role management
- Digital signing (non-repudiation)
- Enhanced analytics
These priorities mean no significant investment beyond performance and maintenance in the current system.

12 Poll #1 What 3 things would you like to change about the current authentication and registration service?

13 RA Audit

14 General Purpose of RA Auditing
All RAs should, as a matter of good practice, regularly audit the service they provide to ensure that they are:
- Making appropriate and effective use of Care Identity Service and the associated guidance
- Maintaining Local RA Policy in full compliance with National RA Policy
- Identifying any lack of adherence to policy requirements that leads to poor/inefficient practice
- Identifying any workarounds that have been put in place, leading to their removal and adherence to national policy and practices

15 Prime Purpose of National RA Audit
- Provide NHS Digital with a view of whether user organisations appear to follow national RA Policy and Procedures
- Enable NHS Digital to contact organisations to raise concerns as necessary
The launch of the new RA software, Care Identity Service, and the associated guidance, the National RA Policy and user involvement highlighted the variety in RA practice that exists. In some situations this has identified a lack of adherence to policy requirements, in others poor or inefficient practice. The lack of standards around governance and process means that similar types of organisations provide or receive very different levels of service, with some of this variation potentially leading to unacceptable workarounds being put in place. An audit process / service would provide both NHS Digital and end user customers with a level of assurance that practice was of an acceptable standard. To this end a national extract of RA audit indicators is being developed as a central report. The intention is to publish further information using the WordPress facility at

16 RA Audit Report
To help organisations undertake their own RA Audit the National RA has been:
- Developing a central RA Audit Report
- Testing the initial version of the Report
- Planning a version which RA Hosting organisations can run for their own data to enable the Local RA team to: improve awareness of issues requiring attention; enable timely local issue resolution; help form part of the local RA self-improvement cycle
We are testing what can be delivered to organisations with organisations represented on the National Identity & Access Management Board.

17 GDPR and CIS databases

18 GDPR and CIS databases
- As with other organisations, NHS Digital is mandated to comply with GDPR and, as part of that, to complete a Data Protection Impact Assessment
- We are in discussion about the data we hold in the CIS database, whether to continue to hold the data and what we might hide to comply with GDPR
- Smartcard Terms & Conditions will need to be updated, and legal advice on the wording obtained
- When the Smartcard T&Cs are updated all registered users will need to read and accept the updated version

19 RA Good Practice

20 RA101: New RA Managers, National Policy (September 2014)
- Future WebEx for newly appointed RAMs; suggested topics welcomed
- Possible approach via worked 'show and tell' over WebEx
- National Policy (September 2014): RA Exec Lead and RAM Exec appointment letters are held by the identified RA Manager. These do not usually require NHS Digital involvement (being on copy) unless 'seeding' is required. Responsibilities are outlined in the policy.

21 Data Quality
- RAMs must be pragmatic in managing the RA service they are responsible for
- Regular reporting, on roughly a 3 month cycle
- Last login reports often show a high proportion of card-holders never or not using the access assigned. If access is not used then there is not a continued business requirement for it
- Continued misuse of codes, e.g. B0272 in RA Positions, must be dealt with

22 RA Positions
- Regularly contain sensitive, excessive or inappropriate access profiles, or have been assigned to staff groups that are not suitable
- Ensure IG is involved in 'signing-off' the Role Profile
- Suitable Sponsorship model implemented and training given; the assignment 'signs' the transaction
- There have been reports to the ICO and action is being taken on the use of certain codes, e.g. B0082 Legal Override of Consent
- Is the volume of users with PDS / SCR access appropriate?

23 ESR Interface Transactions
- Regular incidents are being seen when the wrong user has been associated in ESR and pushed to CIS
- Care must be taken when updating 'core' identity; HR officers must be trained in their responsibilities
- RA is required to use 'due diligence'. These changes will come into the Request List with 'source' ESR
- The RA MUST compare new with old information before confirming the true identity and granting the change. Use two CIS search windows open side by side to compare
- It is considered a clear IG breach when a person's data and / or photo is overwritten; it will also skew audit data

24 System Generated Positions
- Also known and seen as '00sysposUUID' (Calendra Access)
- These must be managed out! We deprecated this method from March 2011
- These now indicate poor governance of access methodology and are a technical overhead
- All users must be assigned a substantial PBAC and their '00syspos' is to be correctly closed, not end-dated or deleted. Alternatively a bulk closure can be arranged via the NSD

25 Poll #2 Do you still have system generated positions? Do you have a plan to close them?

26 Predecessor Links
- Facility within the system to link / cascade access to legacy organisations
- Intended for a limited time-frame
- Useful on mergers of trust Org Codes where system applications rely upon the legacy code
- To take stock of the scope of the use of these please access control address

27 Outsourcing RA
- All NHS organisations are required to have an Exec RA lead and an RA Manager
- Outsourcing can be considered, subject to clear contractual arrangements
- SLAs require regular audit and reporting
- The primary organisation remains responsible for RA process and IG compliance

28 Oberthur Smartcards (08)
- 08 cards have now been in live service for 29 months
- Self-renew options are available for end-users
- RA team workstations require the latest SR5; soon to be updated to SR8 in the next few weeks (Note: likely to deprecate SR1 and SR5 3-6 months after this release)
- WordPress site:
- IA clients at:

29 RA Incidents
Each event would require an individual approach:
- Consider the local RA policy and its link to organisational policies and procedures: escalation channels; Disciplinary Policy and Procedures; IT / Physical Security Policy
- Evidence and impact level will dictate the suitable response: preserve data / screen shots / make notes; report or escalate to the appropriate authority (IG officer / Employer / Security officer / HR)
- CSU / RA service provider for community: will depend on the scope of contractual arrangements
- A 3rd party such as a pharmacy would require escalation to the NHS England local office
- External reporting (ICO / Police) by an appropriate person
- Seek advice if unsure


