Stethoscope on side

How NHS Digital rose to the challenge of creating a single sign-on process – Access Lab 2021

13 May 2021 • Lauren Harding, senior marketing officer

Access Lab 2021 – NHS Digital with Darren Hutton. Darren Hutton, product owner at the NHS was our opening keynote, ‘NHS login – how NHS Digital rose to the challenge of creating a single sign-on process ‘, at our Access Lab 2021 event.  

The session explored how he and his team have developed NHS digital. One of the initial main challenges that faced the NHS was not having a national identity verification platform. Local NHS organizations were investing in local identity verification solutions, which lacked standardization and interoperability. At the same time, patients and the public were often required to create different accounts, in different places, for different health services. NHS Digital developed a national single sign-on process to resolve these issues under the name NHS login. 

NHS Digital’s opening keynote outlined the main drivers behind the single sign-on process project, benefits to patients and key stakeholders, some of the results Darren’s team have seen so far and ongoing work with partners to integrate services. 

Darren started his opening keynote by explaining that he has a sense of pride when thinking about this project. Identity service for those using NHS is of such importance to everyone.  

In response to the Covid-19 pandemic, NHS Digital login has been a critical tool in the response to the COVID-19 pandemic and a lot of other factors in the ecosystem. However, he described how the tool itself was not built for the pandemic, so he posed the question “why build it then?”.   

“The systems were developed and originally built for online booking and repeat prescription pick-ups to cater for the thriving digital healthcare market. Requiring identity authentication and login is where NHS login comes in,” explained Darren.  

“It provides a single process for people to securely and conveniently access approved digital health and care services in a simple, consistent way. Ultimately, it lets the user have trust in what they are using, as it is authenticated by a brand everyone has known for years, namely, the NHS. 

“The first question we asked ourselves was, where do we start? To answer that, we started with the user. We built and tested the product with multiple users and developed multiple prototypes which gave different login options. This initially included Facebook, Twitter, and LinkedIn options. However, after rigorous testing, we realized that having social media login options was not ideal. We needed users to have a complete two-factor authentication and identity check which would allow the product to match them to NHS records. We have now tested this with over 3,000 users.  

“Rigorous testing with users was completed before ever releasing anything to the public; this enabled us to gather as much feedback as possible. Testing also allowed us to communicate the product’s goals to users and gain insights we might not have thought about. At the moment NHS Digital operates under the legal direction, DCB3501 – Digital health and care services.  

“Ultimately we are building something which is benefitting users and the wider national healthcare system. We had backing from the government.” 

The team built a system that was based on Open ID Connect (OIDC) and OAuth 2, which enabled verification of identity that matched NHS records for patients. They then implemented FIDO UAF for biometric authentication, this was a secure system for identity and touch.  

Darren explained that the input of a serverless architecture supported the online ID checks and automated checks, which works similarly to opening an online bank account. Patients would have to provide photo ID documents and then complete a scan of their face on a device. Using these details to identity could then be verified and then appointments could be booked.  

Once received, content would be sent to a team of ID checkers, who are trained by the UK Border Force and also offered in British Sign Language.  

Darren went on to say: “This has been tested with users and all connected apps and third-party organizations, for example, Lloyds Pharmacy, so they can all communicate with each other.  

“Over the course of the last year, we have seen about 10,000 registrations. When the pandemic happened this increased by 500% and caused a backlog of identity checks. We trained a lot of staff in NHS Digital to do the same job as ID checkers so we could process identity checks faster.  

“One of the biggest spikes we saw was when the Track and Trace app was launched in September 2020. This was also the same in February 2021 due to lateral flow tests being more widely used.  

“The infrastructure team is scaling well; users are generally quite happy and in 2019, 2% of registrations resulted in support incidences. We have insight teams looking at how we process and manage this. That 2% of incidents has translated into 300-350 per week which is a lot more manageable for the team.  

“As we return to ‘normal’, I don’t think online healthcare will go away. The demand is there and the accessibility and ease for GPs for example is also there. With NHS Digital a GP could possibly see you at a moment’s notice.  

“What’s next? Well, we are aiming to allow patients to be able to change doctors on NHS Digital and enable GPs to put in requests. The service is free to use and only available in for NHS England patients, at the moment. I believe it will massively benefit the healthcare system. There are some interesting times ahead for this program.” 

Q&A session

Q: “Do you think the experience of ‘heavy identity’ turns people away?” 

A: “It is one of the challenges for the users who have to go through this process. They might not have an ID document that they can provide. We are forever testing to try and improve those experiences to the users.” 

Q: “How easy was it to get social media through/overline” 

A: “That product prototype did not make the cut. We must remember that anyone can make a social or Google account – there is no verification on them. You can’t insist two-factor authentications are used on these, so it was not ideal for the NHS brand.” 

Q: “Are you finding take-up is different in age groups?” 

A: “We have carried out research and concluded that 75% of those over 65 years of age did not use the digital service. It is something we are testing and constantly educating users on.” 

ClinOwl sponsored our opening keynote with NHS digital. With over 30,000 articles organized into over 30 clinical specialties and sub-specialties to date. ClinOwl provides a wider, wiser view for busy healthcare professionals and researchers worldwide.