What are the principles that should underlie a login infrastructure of a digital NHS?

DH / NHS Digital’s name for the work they are doing on patients identifying themselves digitally is the “citizen identity” programme – a name which demonstrates the fundamental misunderstanding of the problem that needs to be solved. They expect to launch in September (item A1, page 54).

Designed after the Home Office ID cards scheme was abolished, the Government’s generalised login solution is an implementation of the ID Assurance principles, usually called GOV.UK Verify. It would allow a range of different “identity assurance” providers to allow patients to log in to a wide range of different services, without creating an overarching “database” of anything. There are lots of constituent parts to Verify, all working together, underpinned by a set of principles that are accountable to an independent advisory group and Ministers. The principles are separate from the infrastructure design, which are separate to the deployment for Gov.UK.

The NHS should agree to follow the Principles, and make it’s own deployment of the infrastructure, basing an ‘identity’ assertion in a pre-existing legitimate clinical relationship.

As a model, this would be closely aligned to the current NHS model for patients logging into services, known as Patient Online, for which GPs distribute logins – as they know who patients are, and can manage the exception handling (lost passwords, verification, edge cases, etc.).

Meanwhile, over in the database state corner, there are still projects looking to build a centralised login infrastructure for all digital health services, derived from a legal document – such as a passport, driving license, or tax payments.

Identity Assurance Principles

The PCAG Identity Assurance Principles should apply to the NHS login infrastructure, and be overseen in a similar way. A patient has a choice over which GP they wish to use; which provides for the choice of identity provider. Due to the range of conditions handled by the NHS, it may be clinically necessary to in practice deny to a patient choices they may otherwise in principle have – but only for clear clinical reasons.

It is initially convenient that the Principles, and the current mechanism for handing out usernames and passwords to patients across the NHS (i.e. GPs) align extremely well. There will need to be work on the infrastructure middleware layers of the system, but the Patient Online programme – giving details to already identified patients – has already begun, and begun at scale.

Whatever system is used must accommodate and enable patients who wish to keep some aspects of their treatment entirely disconnected from other aspects. Whether this is via one login for all NHS services, or for particular areas carved off, should be entirely under the patient’s control, and not be restricted by NHS technical decisions.

Technically, this is not difficult. The infrastructure has already been designed and built by GOV.UK, and that code can be reused. Whether NHS Digital reuses the Cabinet Office servers and operations team is primarily an operational question.

As a political and Governance framework, the principles may be hard – and digital identity governance doesn’t currently exist in the NHS – but it does exist in PCAG. PCAG should therefore be asked by DH to assess whatever the NHS implementation is, against the PCAG principles. This will require some complex conversations, and learning on all sides.

The standards and code are copied, the principles are accepted, the identity providers and service acceptance standards are NHS specific.

Absent leadership from DH, this could be almost impossible. It is absolutely vital that this delivers, and delivers fast, in order to realise significant savings in the NHS Budget. Those who control the budget are not necessarily the people who are capable of delivering quickly, nor are their interests necessarily served by a solution with strong governance.

The NHS expects to find £1bn a year in savings from reducing missed appointments via a better digital Choose and Book. The service already exists – there is simply no way to log into it easily. Let us say that again: £1 billion in short-term savings, simply from the NHS having a proper digital infrastructure.

Patient Online works for assigning patients with usernames and passwords, based on a clinical relationship, and Verify’s infrastructure has been shown to scale. Ad hoc identity approaches have been shown to fail.

Should passwords get stolen, the Patient Online system can include an additional factor: needing to know the GP for which a stolen username/password is valid. It is likely that username/GP lists are rarely stored (other than by the GPs themselves) which gives the NHS regulatory assistance unavailable elsewhere.

Here is our demonstrator: if you have a login for your GP, feel free to try the blue buttons

There is no reason for any part of the NHS to have a big list of all of the services a patient has used.

If the current world view persists, initiatives like the excellent SH24 projects, and a digital Dean Street Clinic, are going to remain services that cannot function at scale – because there will be no national infrastructure for them to reuse. A Verify-based governance model can do that, and they would also be able to issue their own usernames/passwords since they deal directly with patients, as GPs do.

Our demonstrator is purely a proof-of-concept. NHS England could have published in machine-readable form the login page for each GP, but for some reason didn’t see the need. #NHSAlpha, who could have got them to do it, instead wanted to own the database – so started work on the impersonation problem. Badly. These are both things that other parts of the NHS handle every day, and DH can only do worse at greater expense from afar. It is concerning that the NHS ‘technical silos’ have not recognised that this is a system which can be encouraged, and instead sees it as a technical problem with a technical solution.

There must be better governance around logins and how digital health information accesses are run. The PCAG principles are the beginning of that discussion, not the end. GOV.UK Verify relies heavily on passport verification, and the issuance of passports relies heavily on NHS-derived data. It would be perverse to go round that entire loop in order to issue a GP login, when the GP is also someone relied on to prescribe mind and body altering substances. But along the corridors of DH and NHS England, there are a handful of people muttering “My Precioussss”, while trying to forge a database state for medical information – worse than that, none of the projects are actually talking to each other.

Sound familiar?

care.data lessons, unlearned

The HSCIC (the statutory body otherwise known as NHS Digital) has a form you can fill in to opt yourself out of the various HSCIC datasets; the form is 12 pages long. The equivalent form, ready to be handed to your GP, is one side of A4 and contains just 2 tick boxes – plus space for your name, address, etc.

The HSCIC 12-page form has those same tick boxes, but the other eleven and a half pages are all about verifying identity, so that a remote institution that very, very rarely deals directly with patients knows that the right person filled in the form.

A process, done at the wrong level, can generate that much extra paperwork



Extend Patient Online using GOV.UK Verify’s infrastructure design, augmented with the following features:

  • Only those organisations that have a clinician-patient relationship should be responsible for issuing identity credentials to individuals;
  • NHS Patient Identity should follow the PCAG principles;

The identity requirement for the NHS is not a citizen identity, but it is a patient identity – even if the patient is entirely healthy.

Here are some available next steps.

1 thought on “What are the principles that should underlie a login infrastructure of a digital NHS?

  1. Pingback: Citizen Identity project will be live by October 2017

Comments are closed.