Smartcard access policy change
- 28 October 2008
NHS organisations are to be encouraged to switch from role-based access control to position-based access control for National Programme for IT in the NHS applications.
NHS Connecting for Health, the agency that runs the national programme, says position-based access control has been used informally by several NHS organisations for at least 18 months.
A spokesperson told EHI Primary Care: “Current developments enable this approach to be formalised and dedicated guidance and tools will be provided to support its wider deployment.”
Position-based access control defines access rights by post within an organisation. A user assigned to a position will become a member of relevant workgroups.
CfH argues that since posts may be filled by many members of staff, position-based access control should mean a significant reduction in administration costs and a more consistent allocation of access rights.
It says there are about 26,000 sponsors in NHS organisations who require training in role-based access control, and that this number will be reduced by the introduction of position-based access control.
The spokesperson added: “The existing governance around granting of access rights and workgroups is retained and built on. Staff may only be assigned to a position by a manager who has been granted specific responsibility for that position.
"For example, a ward manager would only be able to assign users to the ward clerk and ward nurse positions on their own ward.”
As well as making the access control system less unwieldy, position-based access control is also designed to eliminate the development of workarounds.
CfH has also issued guidance to users of the NHS secure network on the use of temporary smartcards when staff lose, forget or break their cards or need to provide services in a location or role for which they do not have an appropriate access profile.
It says the latter situation should be solved by the introduction of position based access control.