1. Policy Statement
The purpose of the Smartcard Policy is to:
1.1 Inform individuals of their responsibilities.
1.2 Monitor compliance.
1.3 Inform individuals of the process of dealing with misuse (Disciplinary Action).
2. Purpose and Aims
2.1 To set out the required actions to ensure users comply with Terms and Conditions of Smart Card use.
3. Background and Current Position
3.1 Smart Cards provide more robust security, which is critical when handling sensitive medical information. Whilst paper records are generally in one place at a time, access to electronic information can be provided on a much wider basis. We must ensure all access is appropriate.
3.2 Usernames and passwords are easily shared, sometimes knowingly, sometimes not. Even with the best policies, processes and education in place, this still happens. A Smart Card is harder to share as it can only be in one place at one time. People are more familiar with protecting cards (i.e. credit cards). NHS Smart Cards will also require a PIN code, so both the card and code need to be entered to gain access.
3.3 Do not let anyone else use your Smart Card. Sharing a Smart Card and PIN number (or password) is illegal under the Computer Misuse Act 1990. It is also potentially fraudulent and could be harmful to patients. New computer systems will be used to prescribe and dispense drugs and it is critical that there is an accurate record of who has done this. Sharing a Smart Card will be a disciplinary matter.
4. Smart Card Details
What is a Smart Card?
A Smart Card is like a ‘Chip and Pin’ credit or debit card. It will hold your unique identity and will provide secure access to systems and information you will need for your job.
You will only need one Smart Card and PIN number to access all the new systems being implemented, including the PDS (Personal Demographic Service). It can be used in multiple locations and organisations in the NHS.
How do I get my Smart Card?
Once it has been identified that you require a Smart Card in order to perform your role within BrisDoc, the necessary paperwork will be completed and a face-to-face meeting will be arranged in order to take your photograph and prove your ID (this will require ID documents, usually a Driving Licence/birth certificate). This will all be arranged by the member of staff within your service who is the nominated Smart Card sponsor.
How often does this have to be updated?
The full process only has to be done once. As new systems in the National Programme are implemented, you do not have to be issued with a new card. The access your role gives you can be updated without using your card.
If you move from one NHS organisation to another, then you may well be able to keep the same card, only the access you get needs to be updated. If you leave the NHS altogether, then the card must be returned.
Your Smart Card certificate will need renewing after a period of time – usually every couple of years. You will need to arrange a meeting, face-to-face, with the Smart Card sponsor (UIM) within your service to confirm the identity of the Smart Card User and to allow you to set your own password. For security reasons this can only be done by the owner of the card.
What if I forget my PIN code?
If you enter the wrong code several times your card will ‘lock’ in the same way usernames do when you enter the wrong password. There are designated people who can ‘unlock’ your card please contact your manager or Shift Manager
5. Outline Principles and Processes
Informing individuals of their responsibilities
5.1 South West and Central Commissioning Support Unit (SWCCSU) provides the Smart Card service to BrisDoc they are the Registration Authority (RA). The CSU issue each new user with a guidance from (see Appendix A), each user is required to read these terms and abide by them.
5.2 The RAO1 forms are stored by the CSU. Copies may also be stored by BrisDoc.
6. Breaches in the use of Smart Cards
Breaches of the Terms and Conditions can occur in the following situations:
6.1 Where a card has been shared.
6.2 Where a card has been left in a machine and access left open.
6.3 Where a card continues to be used after a member of staff has left and the card has not been cancelled.
Monitoring Compliance
- All staff will be encouraged to report any card sharing or access left open, to their Line Manager. The identity of the individual(s) involved will be noted and further investigation undertaken as determined by the relevant Manager and/or SIRO.
- Requests for changes to access are only processed on authority of nominated individuals, so a false change request is highly unlikely. However, should any such request come to light, SWCCSU will report the details to the BrisDoc Service in order that appropriate action can be taken.
7. Monitoring Reports
7.1 SWCCSU will provide a list of active users once a quarter. This list will be used to identify any users whose access is no longer required. However, this is as a fallback to SWCCSU being informed of individuals who no longer require access at the point in time that this is determined.
7.2 In addition SWCCSU: can provide the following:
- Date card last used
- User Activity Report
These can be either as random monitoring or as part of evidence in any investigation.
8. Process for Dealing with Misuse (Disciplinary Action)
8.1 Whilst action is at the discretion of the management, any of the following situations will generally lead to disciplinary action:
- Deliberate card sharing
- Repeat breaches (even minor), i.e.’ regularly leaving their card in the machine to be used by others
- Any malicious activity, including suspected actions
- Falsification of a change request.
- Should such a situation arise, the relevant Manager will instigate an investigation within the remit of the HR policies.
- Depending on the situation, BrisDoc will request reports from the Smart Card system to be provided by the SWCCSU.
9. CHANGE REGISTER
| Date | Change | Changed by |
| 12/09/2012 | Removed Richard Graingers name from list of people who can unlock cards. (pg 3 ) | Sarah Pearce |
| 12/09/2012 | Deleted – You will either be asked to visit the Smart Card team at NHS Bristol, South Plaza for this or arrangements will be made for a member of the team to visit in order to take your photograph and verify your documents.
Added – This will all be arranged by the member of staff within your organisation who is the nominated Smart Card sponsor. |
Sarah Pearce |
| 12/09/12 | Added – Your Smart Card certificate will need renewing after a period of time – usually every couple of years. You will need to arrange a meeting, face-to-face, with the Smart Card sponsor (UIM) within your department to confirm the identity of the Smartcard User and to allow you to set your own password. For security reasons this can only be done by the owner of the card. (Pg3) | Caroline Hawkins |
| 16/10/12 | Restructure so that sections flow from purpose and scope through to the details
Change Practice references to BrisDoc or Services Removed MM and BC added CH/FC in forgetting PIN section 5.1 added RA reference 6.4.1 add SIRO reference General formatting removing double spaces, adding full stops, header reformat etc |
|
| 26/10/12 | Annual review changed front page and footers | |
| 21/12/15 | Names of staff who can unlock cards updated to job role. | |
| 28/02/17 | Change Avon IM&T references to South West and Central Commissioning Support Unit SWCCSU | |
| 29/01/19 | Change in RA process and addition of Appendix A. | |
| 19/08/19 | SOPS for managing Smart Cards and Unlocking Smart Cards added | Bev Dickinson |
| 20/03/24 | Annual review |
Appendix A – Staff Guidance issued on new card
| Date created: | 29/01/19 |
| Last Review Date: | |
| Next Review date: | December 2020 |
| Written by: | Bev Dickinson |
| Approved by: | Garfield Palmer |
|
|||||||||
|
|||||||||
Introduction
This document describes Smartcard Management Process.
Objectives of the procedure
The object of the procedure is to ensure that all clinicians have a SMART card in order for them to be able to use EPS in Adastra, as well as training to ensure clinicians have the knowledge to use EPS.
The Standard Operating Procedure
To ensure all clinicians have the correct SMART card access to use EPS details will be collected as follows:
Employed clinicians:
- SMART card details will be a requirement on the ‘Staff Details’ form, which must be completed for Workforce Team.
- Workforce Team to add the SMART card number (if available) to RotaMaster
- Workforce Team to pass the SMART card number to the Smart Card Administrator, who will assign BrisDoc Healthcare Services as an organisation and set up Adastra.
- The staff member will then need to contact a Service, Team or Shift Manager to have the card authenticated on Adastra
- If the clinician does not have a SMART card Workforce Team to advise the Digital Team of this.
- The staff member will need to share the same ID documentation as supplied for the DBS check to the Digital Team to arrange for a new card to be set up.
Employed/Agency clinicians:
- SMART card details will be collected by the Rota Team at induction.
- Rota Team to add the SMART card number (if available) to RotaMaster
- Rota Team to pass the SMART card number to the Smart Card Administrator, who will assign BrisDoc Healthcare Services as an organisation and set up Adastra
- If the clinician does not have a SMART card Workforce Team to advise the Digital Team of this.
- The clinician will need to share the same ID documentation as supplied for the DBS check to the Digital Team to arrange for a new card to be set up
Smartcard Linking on the spine
To add BrisDoc to an existing user click the box in the ribbon and add the Smartcard Number.
Check the Smartcard and user are correct
Check that the Smartcard is active
If the card is not active contact the Digital Team.
Add a new position by clicking Modify Positions assignment
Then click “Add Position” and Select the position to add and confirm position, click “Submit request”
Close the programme
Creating a SmartCard User
In order to create a Smartcard for a member of the team you require them to present two photographic identification documents and one document showing the applicant’s address or alternatively, one photographic identification document and two documents showing the applicant’s address.
Documents should be recent and, if utility bills or bank information, dated within the last three months plus a ‘digital’ photograph (similar to a passport photograph) and their National Insurance Number
Check the documents carefully before you start this process.
Insert your Smartcard
Use Internet Explorer to log into the web site
Smartcard Management portal: https://portal.national.ncrs.nhs.uk/portal/dt
Launch Care Identity Service
Go to create new user
Enter the required information in each section
- Personal Details
- Middle, Preferred and Previous name leave blank
- Identifiers
- Enter one of the applicant’s unique identifiers.
- This will assist in performing a duplicate check.
- Then use the Duplicate Check tab.
- Depending on the results you will receive an appropriate message:
- If duplicates are detected this will require investigation before proceeding
- Applicant Contact Details
- Enter a work telephone number and email address as minimum
- Identity Photo
- Verify the photo is correct
- Identity Verification
- Remember to use the “ADD” button to complete all the details.
- Verify you have seen the documents
- Notes
- Ask for the card to be sent to BrisDoc Head Office
- Press Grant user
Link Smartcard to users in Adastra
Go to User Maintenance in Adastra
Enter User Name and select.
Enter Smartcard ID numbers and select Authentication type: Smartcard
Add ETP user for prescribing clinicians
Update the User record.
Users will need to have their card authenticated against Adastra before they can use it to log in.
Smartcard recording on RotaMaster
In Personnel Manager find the correct person
- Add (E) after the surname to denote that ETP is active
- Go to the employment tab and then badges
- Add a badge called Smart Card and enter the number.
- Save but do not add a document
- Save and Exit
Monitoring
Content of document
Related Documents
BrisDoc Smartcard Authentication SOP
Change Register
Content of document
| Date | Version | Author | Change |
| Date created: | 17/07/19 |
| Last Review Date: | |
| Next Review date: | July 2020 |
| Written by: | Bev Dickinson |
| Approved by: | Garfield Palmer |
|
|||||||||
|
|||||||||
Introduction
This document describes Smartcard Unlocking Process.
Objectives of the procedure
The object of the procedure is to ensure that all appropriate Operational have unlocked SMART cards in order to validate NHS numbers for calls through the Professional Line.
Clinical staff have unlocked SMART card in order for them to be able to use EPS in Adastra, as well as training to ensure clinicians have the knowledge to use EPS.
The Standard Operating Procedure
Authenticating users in Adastra
Log into Adastra using your Smartcard
Then go to User Maintenance in Adastra
Enter User Name and select.
Enter Smartcard ID numbers and select Authentication type: SmartCard
Click on the three small dots next to the Card number.
Remove your Smartcard.
Insert the card to be linked
The Smartcard owner will need to enter their password.
Click Read card,
The card details will fill
Then store the card
Remove the user’s card.
After storing the card, you will need to reinsert you card, enter your password and Authenticate.
Update the User record.
Logging into Adastra with a Smartcard
Once the Smartcard has been authenticated the user can log in using this card.
Smartcard is inserted into the card reader, user enters password (ONCE) to authenticate card, User continues to log into Citrix and Adastra and Presses Smartcard to log in.
(If user has one role, Adastra will log straight in when “Smartcard” is pressed. If more than one role, the user selects appropriate role, then it logs in.)
Log into Citrix and Adastra
When you reach the log in screen click Smartcard.
Unlocking a user
Use Internet Explorer to log on to https://portal.national.ncrs.nhs.uk/portal/dt
You will need two Smartcard readers to unlock a card and the person whose Smartcard is being unlocked should be present.
Click “Launch Care Identity Service”
Put the Smartcard to be unlocked into the second Smartcard reader then click on Manage Smartcard
Click the + next to Smartcard Details
Click the radio button to pick the card you want to unlock.
Then click Service
If the card is not active contact the Digital Team.
The user must be present with their card to unlock their pin
Click on Unlock Smartcard and Confirm
The user must enter their new password in the two boxes and NOT press return.
When the boxes contain the same passwords a green tick will appear next to the second box. When this happens click CONFIRM.
The screen will close and a green ribbon will show the Smartcard is unlocked.
Monitoring
Content of document
Related Documents
BrisDoc Smartcard Authentication SOP
Change Register
| Date | Version | Author | Change Details |
| Mar 2011 | 1 | C Hawkins | |
| Sept 2012 | 2 | Reviewed and amended | By Caroline Hawkins |
| Aug 2012 | 2 | Reviewed and amended | By Mandy Murphy |
| Oct 2012 | 3 | Amended to apply to all of BrisDoc, including SIRO reporting and restructure of document | Deb Lowndes |
| Oct 2015 | 3.1 | Annual Review | Deb Lowndes |
| Jan 2016 | 4 | Annual Review | Sarah Pearce |
| Feb 2017 | 4.1 | Annual Review | Deb Lowndes |
| Jan 2019 | 4.2 | Annual Review | Deb Lowndes |
| Aug 2019 | 4.3 | SOPS added as addenda to this policy | Bev Dickinson |
| Mar 2024 | 5.0 | Annual Review | Deb Lowndes |