Authentication (IT)

Published on: 12th July 2017 | Updated on: 17th December 2024

Authentication and digital access controls ensure that only authorised individuals can access sensitive patient care data. Patients can also verify their identity for secure access.

List of authentication types

These include those below.

Authentication methods/systems Notes
Biometrics E.g. fingerprint technology, face ID and voice recognition.
CAPTCHA 

This authentication method intends to distinguish whether a webform or similar online item is being completed by a real person or an automated  ‘bot’.

A CAPTCHA might require an extra ‘click’ or a ‘tap’ by a person completing a webform, or it might require clicking on images or identifying letters and numbers from within an image.

CAPTCHA stands for: “Completely Automated Public Turing test to tell Computers and Humans Apart”.

CAPTCHAs can be used on webforms to reduce automated spam being submitted. Automated spam submissions could include links to bad webpages being used with the purpose of phishing or distribution of viruses.

Digital signatures Signatures (if required) may be provided digitally by pharmacy teams or by patients e.g. by finger tips onto a mobile device screen – supporting the paperless goals.
Identifiers Some systems may authenticate you at least partially using common identifiers e.g. your Smartcard number of GPhC number if you have one.
Identity Agent A component sitting on pharmacy computers, that facilitates use of Smartcards or NHS authentication.
Login with NHSmail Some NHSmail systems may provide a ‘login with NHSmail’ option.
Care Identity Service 2 (CIS2)

CIS2 is an authentication system being piloted that provides a small number of health and care professionals in England to prove their identity when accessing national clinical information systems e.g. Summary Care Record (SCR).

Authentication is either via:

  • with a mobile device correctly set-up and with the right software; or
  • with a Smartcard but without a HSCN/N3 connection.

CIS2 will continue to be expanded and other developers such as Patient Medication Record (PMR) system providers or website developers may consider integrating with it in the future.

NHS Credentials Management NHS Credential Management is a component and standalone installation sitting on pharmacy computers, that facilitates communication between the Identity Agent software and modern browsers to support use of Smartcards or NHS authentication.
NHS login NHS Digital developed a single system for verifying the identity of those patients requesting access to digital health records and services (used within NHS App for example)
Multi-factor or two-factor authentication (MFA/2FA) – Involves demonstration of: knowledge (something you know), possession (something you have), and inherence (something you are). Such methods provide additional protection compared with a username/password system.
Passwords

Standard authentication method. The National Cyber Security Centre (NCSC) now recommend organisations do not force regular password expiry because that may create vulnerabilities and do little to reduce the risk of password exploitation. Read more: NCSC password guidance.

Top tip: NCSC recommend that a strong and memorable password is created by choosing three random words, e.g. ‘planeyellowbread’.

Role-based access control (RBAC) RBAC within the pharmacy can control what a pharmacy team member can do and what they can see.
Smartcards Provide security measures to protect patient data.

NHS authentication standards:

 

Multi-factor authentication

Multi-factor authentication (MFA) adds extra steps to verify your identity when logging in, making your online accounts much safer.

For example, in addition to your password, you might be asked to enter a code sent to your email or mobile phone, use an authenticator app, answer a security question, or scan your fingerprint.

If you use more than just a username and password makes it much harder for the incorrect persons to access data. You’ve likely experienced this outside of your pharmacy work, when using online banking or logging into social media on a new device within your personal life.

As a pharmacy owner, consider introducing MFA to your systems. To meet the “Standards Met” criteria on the Data Security and Protection Toolkit 2025 onwards, you need to demonstrate that you have considered MFA and documented any exceptions.

Steps to implement MFA

Assess current systems

  • Identify systems accessible from the internet, such as email, digital social care records, and cloud-based systems.
  • Consult with your software, its help and guidance, and if needed, with your IT suppliers to understand MFA options.

Identify potential challenges

  • Consider scenarios where staff might share devices or logins, complicating MFA implementation.
  • Evaluate if existing security controls already provide sufficient protection without MFA.

Balance security and usability

  • Determine the appropriate level of security for each system based on the sensitivity of the data and ease of use for your staff.
  • Balance strong security needs with the impact on daily operations, as too many security layers can lead to workarounds.

Document and report exceptions

  • If you decide not to implement MFA for certain systems, document the decision and reasons.
  • Ensure a clear understanding of the risks and rationale behind the decision.

Although MFA is key to protecting sensitive data, it’s crucial not to overcomplicate your security.

Aim to enhance security while maintaining a user-friendly environment for your staff, avoiding excess login burden.

Password tips and practices

Overview

Passwords should not be reused for multi systems in case of a breach in which a password is exposed by a bad actor.

Staff should create strong and memorable passwords e.g. three random words, e.g. ‘planeyellowbread’, although some systems will require additional complexity (e.g. capital letters, numbers or punctuation). Regular password change is not required unless the system demands. National Cyber Security Centre (NCSC), now recommends organisations do not force regular password expiry because they indicate that can increase the risk of workarounds. Read more: NCSC password information.

Password and access control policy and procedures

See: DSPTK Template 15 “Access control and password management procedures” and other data security templates at: cpe.org.uk/dstemplates.

Password tips

  • Three random words: Three random words are recommended by NCSC although some systems will require additional complexity.
  • Dictionary attacks: Avoid consecutive keyboard combinations— such as ‘qwerty’, ‘asdfg’, ‘123456’ or ‘111111’.
  • Avoid using personal information within security questions: You may be able to set-up security questions and answers but be cautious of including any information available online or within your social media. This protects you from bad actors being able to take control of your account using the ‘forgotten password’ and ‘security questions’ options.
  • Simple passwords: Do not use information such as your name, age, birth date, name of loved ones, pet’s name, or favourite colour/song, etc.
  • Don’t reuse of passwords across multiple sites: Reusing passwords for multi accounts can lead to one breach of your credentials posing a greater threat.
  • Make sure you use different passwords for each of your accounts.
  • Be sure no one watches when you enter your password.
  • Avoid entering passwords into computers you do not control (e.g. internet cafés or libraries)—they may ‘auto remember’ your password or even have malware that steals passwords.
  • Avoid entering passwords when using unsecured Wi-Fi connections (e.g. airports or coffee shops)—hackers can intercept your passwords and data over this unsecured connection.
  • Don’t tell anyone your password. Your trusted friend now might not be your friend in the future. Keep your passwords safe by keeping them to yourself.
  • It’s okay to write down your passwords and keep these safe, just keep them away from your computer and mixed in with other numbers and letters so it’s not apparent that it’s a password.

Reducing multi login burden

Community Pharmacy IT Group (CP ITG) is in favour of smart authentication options which reduce the burden for health and care staff with logging into so many systems – e.g. NHS-related systems using ‘login with NHSmail’, NHS Care Identity Service 2, biometrics etc.

Password Managers may also be suitable for managing passwords for some systems. National Cyber Security Centre has provided guidance about Password Managers.

CP ITG helped to prepare a list of websites which pharmacy teams report requiring access to which demonstrates the multi-login burden: Website/system list which pharmacy teams access (pdf).

 

 

 

Return to the Pharmacy IT hub; Data security & IG or IT a-z index.

For more information on this topic please email it@cpe.org.uk

Latest Digital & Technology news

View more Digital & Technology newsSee all