Providing secure capability for patients to use health apps

A key focus of the Long Term Plan is empowering people to take control of their own health care - creating a safe and secure means of accessing their health information is critical to that, says Melissa Ruscoe, head of the NHS login programme at NHS Digital

One of the main barriers to patients making the best use of digital health services available to them is the challenge in accessing them, such as having to prove your identity in person or memorising multiple passwords. NHS login is a single, secure login that enables the public to access health and social care apps and websites wherever they see the NHS login button. It means that people no longer have to remember many different passwords – if their device allows it, they can even use device biometrics (for example fingerprint) to login and see their personal information.
 
With nearly 600,000 people having already created an NHS login, a figure that is rapidly rising each week, it’s clear it has massive potential to transform the health and social care sector. NHS login will help reduce administrative burden for GP practices - most patients can verify their identity online themselves without the need to visit their GP surgery. Once created, it can be used for health and care apps and websites where you see the NHS login button.

What’s more, because NHS login was made by the NHS, people can trust it - they can also trust we will only use necessary data. Using official photo ID such as a passport or driving licence, plus a likeness and liveness check, a patient can easily prove their identity so they can be matched to information personal to them.

Proving identity with NHS login
NHS login enables people to be matched to their healthcare records and gives integrating applications the confidence that the connections they make to healthcare data stores and services are definitely for the user that has signed up for them.  The concept is very similar to logging in with Google or Facebook but requires the user to prove their identity even more securely because of the often-sensitive nature of the healthcare data or service they wish to access.

Before we created our product we tested and researched the user need with the public, and the message was clear: ‘I trust the NHS and if I have to do this to securely access a healthcare app, I want an NHS solution’. So, we set out to produce an NHS-branded identity solution that included the key controls of likeness and liveness checks to prevent masquerading. We also needed to incorporate the existing patient online capability to avoid users having to identify themselves twice if they’ve already gone through this process at their GP practice.  

Balancing security with simplicity
We’ve had to navigate a balancing act between security and simplicity as people don’t want to go through a lengthy process of verifying who they are. In the same way people find it a bit onerous to complete a passport application or go through airport security because they just want to get straight to their long-awaited holiday, people just want to swiftly access a new app that they’ve seen or that’s been recommended to them.

People can now create an NHS login in a straightforward intuitive way by going through a short ‘prove your identity’ journey involving a photo of an identity document and an additional ‘liveness’ check that confirms they are a real, live, human and match the identity document, in addition to some basic name and address details. The liveness check, often a video or facial scan, is a key component as it replicates people presenting themselves for identification when they require non-digital access or entry to services such as passport control at an airport and can be used to ensure users are not being coerced or trying to access services with fraudulent documentation.

We cross-check the information and then send an email to let the person know if they have been successful – all very straight-forward as most of the public has easy access to the right details and documents.  Whether they use this method, or enter their existing patient online details, it takes in the region of six minutes for the majority to complete the ‘prove your identity’ journey, and on average under 45 minutes for identity checks to be completed and a decision returned.

We are continually working on ways to make creating an NHS login even more accessible for people. We work closely with health and social care organisations to ensure that they know about and can explain the considerable benefits of having one single NHS login to patients. Areas we are working on include other NHS staff and related staff groups (for example pharmacists) being able to vouch for a patient’s identity later in 2020/21.

Inspiring the sector to deliver new innovations
What is so exciting about NHS login is that it encourages and supports innovation. NHS login can be used across a wide range of digital health products, increasing the options for the public to have greater control over their health and care. Seven products are now live  and this is set to increase rapidly during 2020. We have worked in collaboration with the first organisations to use NHS login, to create a comprehensive integration toolkit to support developers to work on the requirements to integrate NHS login in their products.  
 
We know that there’s still a lot of work to for us to do. The learning we’ve gained and the feedback we’ve heard will continue to shape our solution. Using a combination of user, supplier and analytics feedback, we’re constantly evolving our product. In the short term, we need to offer a solution for people who are not able to use digital identity methods, but still want to receive the benefits of NHS login.

Exciting future developments on our roadmap include proxy and delegated access to support family members or carers wishing to set up or access an NHS login for dependents. Multi-tiered identity verification will support the use of NHS login by more integrated services - for example, the NHS App can show users their medical record and so requires the highest level of security, but a service that enables an e-consultation may not need to display a record, so a lower level of  identification could be offered. Enabling users to verify their identity at a level that is consistent with the transaction they are undertaking will speed up the transaction process between the user and the digital service.  

Providing this secure capability for patients to safely use health and care applications supports a growing need for using technology-led, innovative ways to access our health data and the services the NHS provides.

In the longer term, ‘Continue with NHS login’ has the potential to become recognised as a industry leading example of online ID verification and authentication product, and one we can see being used by millions of people across a wide variety of innovative platforms and services.