Authentication and digital access controls ensure only appropriate people have access to sensitive data relating to patient care. Patients may also provide identity authentication.
List of authentication types
These include those below.
|Biometrics||E.g. fingerprint technology, face ID and voice recognition.|
This authentication method intends to distinguish whether a webform or similar online item is being completed by a real person or an automated ‘bot’.
A CAPTCHA might require an extra ‘click’ or a ‘tap’ by a person completing a webform, or it might require clicking on images or identifying letters and numbers from within an image.
CAPTCHA stands for: “Completely Automated Public Turing test to tell Computers and Humans Apart”.
CAPTCHAs can be used on webforms to reduce automated spam being submitted. Automated spam submissions could include links to bad webpages being used with the purpose of phishing or distribution of viruses.
|Digital signatures||Signatures (if required) may be provided digitally by pharmacy teams or by patients e.g. by finger tips onto a mobile device screen – supporting the paperless goals.|
|Identifiers||Some systems may authenticate you at least partially using common identifiers e.g. your Smartcard number of GPhC number if you have one.|
|Login with NHSmail||Some NHSmail systems may provide a ‘login with NHSmail’ option.|
NHS Identity is an authentication system being piloted that provides a small number of health and care professionals in England to prove their identity when accessing national clinical information systems e.g. Summary Care Record (SCR).
Authentication is either via:
NHS Identity will continue to be expanded and other developers such as Patient Medication Record (PMR) system providers or website developers may consider integrating with it in the future.
|NHS login||NHS Digital developed a single system for verifying the identity of those patients requesting access to digital health records and services (used within NHS App for example)|
|Multi-factor or two-factor authentication (MFA/2FA) –||Involves demonstration of: knowledge (something you know), possession (something you have), and inherence (something you are). Such methods provide additional protection compared with a username/password system.|
Standard authentication method. The National Cyber Security Centre (NCSC) now recommend organisations do not force regular password expiry because that may create vulnerabilities and do little to reduce the risk of password exploitation. Read more: NCSC password guidance.
Top tip: NCSC recommend that a strong and memorable password is created by choosing three random words, e.g. ‘planeyellowbread’.
|Role-based access control (RBAC)||RBAC within the pharmacy can control what a pharmacy team member can do and what they can see.|
|Smartcards||Provide security measures to protect patient data.|
Password tips and practices
Passwords should not be reused for multi systems in case of a breach in which a password is exposed by a bad actor.
Staff should create strong and memorable passwords e.g. three random words, e.g. ‘planeyellowbread’, although some systems will require additional complexity (e.g. capital letters, numbers or punctuation). Regular password change is not required unless the system demands. National Cyber Security Centre (NCSC), now recommends organisations do not force regular password expiry because they indicate that can increase the risk of workarounds. Read more: NCSC password information.
Password and access control policy and procedures
See: DSPTK Template 15 “Access control and password management procedures” and other data security templates at: psnc.org.uk/dstemplates.
- Three random words: Three random words are recommended by NCSC although some systems will require additional complexity.
- Dictionary attacks: Avoid consecutive keyboard combinations— such as ‘qwerty’, ‘asdfg’, ‘123456’ or ‘111111’.
- Avoid using personal information within security questions: You may be able to set-up security questions and answers but be cautious of including any information available online or within your social media. This protects you from bad actors being able to take control of your account using the ‘forgotten password’ and ‘security questions’ options.
- Simple passwords: Do not use information such as your name, age, birth date, name of loved ones, pet’s name, or favourite colour/song, etc.
- Don’t reuse of passwords across multiple sites: Reusing passwords for multi accounts can lead to one breach of your credentials posing a greater threat.
- Make sure you use different passwords for each of your accounts.
- Be sure no one watches when you enter your password.
- Avoid entering passwords into computers you do not control (e.g. internet cafés or libraries)—they may ‘auto remember’ your password or even have malware that steals passwords.
- Avoid entering passwords when using unsecured Wi-Fi connections (e.g. airports or coffee shops)—hackers can intercept your passwords and data over this unsecured connection.
- Don’t tell anyone your password. Your trusted friend now might not be your friend in the future. Keep your passwords safe by keeping them to yourself.
- It’s okay to write down your passwords and keep these safe, just keep them away from your computer and mixed in with other numbers and letters so it’s not apparent that it’s a password.
Reducing multi login burden
Community Pharmacy IT Group (CP ITG) is in favour of smart authentication options which reduce the burden for health and care staff with logging into so many systems – e.g. NHS-related systems using ‘login with NHSmail’, NHS Identity, biometrics etc.
Password Managers may also be suitable for managing passwords for some systems. National Cyber Security Centre has provided guidance about Password Managers.
CP ITG helped to prepare a list of websites which pharmacy teams report requiring access to which demonstrates the multi-login burden: Website/system list which pharmacy teams access (pdf).
Read more at:
- Identity Authentication Standards (NHS Digital guidance)
If you have queries on this webpage or you require more information please contact firstname.lastname@example.org. To share and hear views about digital developments with like-minded pharmacy team members, join the CP Digital email group today.
Return to the IT section: NHS IT systems
Return to the section: Data security and information governance
Return to the section: Data Security and Protection Toolkit