Access to National Healthcare Systems: The deadline for action is getting closer

NHS England has introduced a new deprecation timeline for CIS1, requiring trusts to move completely to CIS2 by 28 February 2027, when access to CIS1 will be removed. Andrew Harrison, Director, Product Management - International at Imprivata, discusses the drive for more secure access to electronic patient record systems that is affecting hospitals in the UK and across Europe. Importantly, he explains how healthcare organisations can migrate to these new systems despite limited resources while also maintaining legacy systems.

On 1 October 2025, NHS England reduced the support level for the CIS1 Authentication service from platinum to silver service level agreement (SLA), underlining the fact that support for the CIS platform is now limited, making it ever more critical that Trusts have a migration plan.

With activity from cybercriminals continuing to escalate globally, healthcare organisations across the UK and Europe are faced with the huge challenge of providing clinicians and healthcare professionals with secure and fast access to patient and clinical information systems. In most cases, clinicians need to access a mix of both local and national IT systems to provide safe, efficient and effective patient care, which can mean having a separate identity for each. This often adds significant complexity to the clinician’s workflow.

In addition to this, many national healthcare systems provided by central government bodies are outdated and in need of significant updates to keep pace with modern standards for protecting sensitive information, as we are seeing with the UK NHS.

With this in mind, governments in many countries across Europe (including the UK) are introducing new guidelines and requirements for managing critical national infrastructure, which includes healthcare. In the EU, this manifests in NIS2 requirements, and in the UK, the National Cyber Security Centre is advising organisations to move to their Cyber Assessment Framework (CAF).

Governments throughout the UK and Europe are migrating their national healthcare systems to new modern and secure technology. No longer will it be adequate or acceptable for healthcare professionals to access sensitive patient information with just a username and password that can so easily be compromised. New government mandates are calling for increased security, including high assurance authentication to access both local and national health IT systems. This underscores the need for users to have fast, transparent access to critical systems and resources, while ensuring access is secure and compliant with new standards.

Separate identities for local and national access management

One of the key differences between clinicians in the UK and Europe and the rest of the world is that they frequently have two identities: one for local system access at the hospital, and one for access to national systems, provided at government level. As already mentioned, these systems are accessed separately and create a significant additional overhead for clinicians.

National healthcare platforms were traditionally accessed using PKI and smartcards. This comes with clinical usability challenges, due to the technology involved. The current trend across Europe is that these national platforms are shifting towards modern open standards to keep pace with technology. This shift to new technologies opens a new world of usability and workflow potential, if appropriately deployed.

Enabling secure migration and compliance without disrupting care

IT departments across the UK and Europe are facing an increasingly complex challenge. They must protect against escalating cyber threats, meet tightening regulatory requirements, and modernise access to national systems, all while maximising existing investments and operating with limited resources.

The scale of the CIS1 to CIS2 migration alone is significant. Add to that the need to maintain legacy systems, support shared devices, and ensure clinicians can continue delivering care without disruption, and the pressure becomes clear.

Is it possible to strengthen security, support compliance, and improve usability at the same time?

The short answer from Imprivata is yes.

How Imprivata can help: Using Enterprise Access Management as the foundation

Imprivata’s Enterprise Access Management (EAM) platform has long supported healthcare organisations with single sign-on (SSO) and authentication management designed specifically for clinical environments.

EAM provides fast, secure access to the devices, applications and workflows clinicians rely on every day. It integrates deeply with electronic patient record (EPR) systems and other clinical applications to support fast, “no-click” access where appropriate. It also enables secure re-authentication for in-application workflows such as medication administration, witnessing, and break-the-glass access.

Importantly, EAM connects users across a broad range of devices such as traditional workstations, thin and zero clients, mobile devices and even medical devices. It supports multiple authentication options including proximity badges, facial recognition, phone-based tokens and hands-free authentication, helping organisations align security requirements with real clinical workflows. This is critical to ensuring that identity and access infrastructure scales alongside regulatory changes and digital transformation.

Extending seamless, secure access to national systems

Building on this foundation, Imprivata National Access enables seamless access to national government systems such as the NHS Spine. Access to these systems is critical to delivering safe and coordinated care, yet historically they have introduced additional workflow and usability challenges.

Over time, practical improvements have demonstrated that national-level security controls do not need to come at the expense of clinical efficiency. In 2016, for example, Imprivata addressed NHS Spine smartcard usability challenges by introducing Spine Combined Workflow, reducing smartcard insertions from 10–20+ times per shift to just once.

In 2020, during the COVID-19 pandemic, when remote working made physical smartcard use impractical, we introduced Virtual Smartcard technology to remove hardware dependency while maintaining secure access during remote access sessions.

Now, as national platforms shift from legacy PKI infrastructure to open standards such as OpenID Connect (as seen with CIS2), Imprivata has evolved its approach accordingly so Trusts can continue accessing CIS1 applications while planning a phased migration to CIS2, using the same authenticators and maintaining seamless clinical workflows throughout the transition.

Meeting the high assurance authentication requirement

High assurance authentication, as required by CIS2, is a robust method, often using multi-factor authentication, that provides a high degree of confidence that the user attempting access is who they claim to be. This is crucial for securing sensitive data and systems.

High assurance authentication will be a key requirement for accessing both local and national healthcare IT systems. However, many authentication solutions are designed around a traditional “one user, one device” model. Healthcare environments are fundamentally different. Devices are shared. Clinicians roam. Workflows are fast-paced.

Imprivata’s approach is designed specifically for these realities, enabling high assurance authentication that works within shared device and follow-me desktop environments without introducing unnecessary friction.

Top considerations for choosing a secure authenticator

As assurance levels increase, healthcare organisations should carefully evaluate authentication methods against clinical requirements. Important considerations should include:

  1. Does it work on all devices?
  2. Does it work on shared devices?
  3. Do you have to issue one device per user?
  4. Will clinicians have to carry multiple authenticators for different solutions?
  5. Will clinicians have an array of software/hardware authenticators? Will that be confusing for them?
  6. Is the authenticator generic or specialised to healthcare workflows?
  7. Does the authenticator belong to a proven identity and access management suite specifically designed for healthcare?

Selecting the right approach now can reduce complexity later, particularly as regulatory requirements continue to evolve.

Planning a successful transition to CIS2

Time is running out. On 1 March 2026, CIS1 will no longer have an SLA and will be supported on a 'reasonable endeavours' basis. NHS England will be scaling down infrastructure and support significantly.

By 28 February 2027, CIS1 Authentication will be removed from operational service.

Transitions to CIS2 need to be planned now. With Imprivata Enterprise Access Management, trusts can continue to use Imprivata Virtual Smartcards for CIS1 while planning a phased move to CIS2-native National Access. This enables trusts to access local and national information, including NHS Spine, while providing the single sign-on access that clinicians depend on.

Learn more about how Imprivata can help NHS trusts.