
Introduction: A catalogue of User Journeys “putting the person first” in Identity Management strategy and solutions – Updates on the NHS England Technology Forum and Lab
Over a year has passed since my last article here, a delay due to wide-ranging organisational changes and relative uncertainty in the NHS and its context. As a consequence of the merger of several organisations, NHS England is now more compact, leaner and more prepared to serve as a vehicle for the positive transformation we all expect from this notable, unique institution.
Now, the effect of consolidation and of the changes in organic responsibilities is quieting down, and the teams are more settled around the tasks set out around the construction of the New NHS. The arrival of a new UK Government has not only confirmed this path, but also added some focal points to our activity, and, if anything, has made some transformational drivers even more urgent.
Not surprisingly, the previous objectives of the Identity and Access Management Architecture area have not changed (the reader can see a description of those in my previous two articles). In fact, despite the lack of communication through this channel, the I&AM area continued working consistently and late last year we were able to get approval for a new project focused on Architecture.
The project (the NHS IAM Technology Forum and Lab) was launched earlier this year (2024) with the goal of studying “technology interoperability” and new patterns of Identity Management, looking into the NHS as a complex interconnection of organisations, user populations and security challenges. Contrary to the conventional approach leading to partial, “point” solutions, we started working with current and potential NHS technology suppliers, investigating how to blend and connect the existing infrastructure into a better, more coherent network of systems.
Slowly, the list of participating technology partners grew to over a dozen companies, and we have been holding monthly brainstorming and technical sessions focused on what we call “interoperability of IAM solutions”.
This approach is innovative and has great potential for various reasons:
- Despite the recognised, key importance of Staff, Worker, Patient and Citizen digital identities for the delivery and improvement of Health Services, there are persistent problems in the conceptualisation, design and implementation of the technologies supporting Identity and Access Management services.
- These problems –in the big picture– manifest as a pervasive fragmentation of Identity Management projects, which then affects key programmes of the NHS organisations.
- The consequences of this are the persistence of the “logon burden” across all staff and worker types, the prevalence of “point solutions” (resulting in excessive implementation and operation expenditures), the lack of interoperability of the services and the slow adaptation to the increasing demands and pressures to enable front-line personnel and support the drive towards productivity and time release.
- Fragmented, divergent efforts to remedy this situation increase the confusion and the inertia of the IAM infrastructure.
- A key aspect of the current inconsistent approach to the design and implementation of IAM solutions is the conflation of Identity Processes under the assumption that users have a “single” digital identity: There is a pervasive issue where identification, authentication, authorisation, and permission management processes are often mixed together and embedded into single, monolithic solutions.
- This mix-up leads to the development of point solutions that are inflexible, siloed, and unable to adapt to different use cases. These solutions also restrict the reusability of identity management components, resulting in higher operational and re-engineering costs and inefficiencies.
- The NHS’s current approach has resulted in the creation of siloed identity management solutions that are tied to specific user groups or applications. This not only limits the scope of these solutions but also leads to the suboptimal use of technologies, as different systems are unable to interoperate effectively or to reach their full potential. The inability to integrate across different identity solutions further exacerbates the challenges of managing identities at scale within the NHS.
- Point solutions and the logon burden –in turn– increase the risk of malpractice in the use of smart-cards, password management and user provisioning, thereby affecting the general Security position of the NHS organisations.
- The project will round up its work early in 2025 with a collection of guidelines and patterns for addressing the problems indicated here and proposing a coherent, general model through which the processes of inception, design, implementation and operation of IAM services can be guided across all user scenarios and all organisational levels of the NHS.
- Short-Sighted Tool Design, Implementation and Operation: In our rush to address specific identity and access management challenges, we tend to create solutions that are too specialised and narrowly focused, solving only immediate, individual use cases. These tools often combine multiple capabilities in a way that limits their adaptability and evolution over time.
- This short-sighted approach hinders the ability to create next-generation tools, as these overly specific solutions cannot easily evolve to meet new demands or be repurposed for different contexts.
- To truly embrace the principles of software engineering, such as single responsibility and reusability, it is crucial that we design tools that are flexible, modular, and capable of evolving to address a broader range of future needs. Failure to do so will result in a stagnant ecosystem where tools are used sub-optimally or where the NHS becomes locked into outdated technologies that cannot support ongoing innovation.
We are producing detailed technical studies of IAM interoperability and practical examples that will be available for Trusts, ICSs, ICBs and also for central organisations, to streamline, simplify and enhance their respective infrastructures and services. In addition to these technical materials, we have developed a complete catalogue of “Identity Modalities” and “Personas” (an approach which supersedes the conventional concept of “use cases”), so that not only the Forum participants, but any technology supplier and any potential NHS partner will be able to understand the requirements of our organisation and the key problems we need to solve.
My next articles here will summarise the outcomes of the IAM Technology Forum and Lab so that a wider specialist public can have the opportunity to contribute. On this basis, I invite the interested readers to contact me by email at carlos.trigoso@nhs.net with any queries and suggestions.