Enable secure access to NHS systems with 6B’s NHS CIS2 and Smartcard integration services. We help digital health providers and NHS organisations implement modern identity and authentication solutions that allow healthcare professionals to access critical patient data quickly, securely, and compliantly from any location or device.
Whether you're developing a new digital health product or extending an existing solution with NHS CIS2 integration, 6B brings the technical expertise, healthcare insight, and experience needed to accelerate delivery.
6B delivers seamless, standards-based integration with the NHS Care Identity Service 2 (CIS2), helping your application meet NHS requirements for authentication while enhancing the user experience for clinicians and care staff.
The NHS Care Identity Service 2 (CIS2) is the national authentication platform for health and social care in England. It provides healthcare professionals with a secure and consistent way to access NHS Spine-connected systems, whether they are working in a hospital, GP practice, care home, or remotely.
Historically, access was provided via physical NHS Smartcards – used at fixed locations with dedicated hardware. While secure, this model presented barriers to mobility and flexibility. CIS2 builds on this by enabling modern, multi-factor authentication that supports both Smartcard access and flexible, device-independent authentication methods such as biometric login, QR code scanning, and password-secured logins.
CIS2 supports federated identity access via OAuth 2.0 and OpenID Connect (OIDC), allowing seamless integration with third-party clinical applications and workflows. This enables healthcare workers to access Spine services such as PDS, SCR, and EPS without compromising security or clinical efficiency.
At 6B, we work with you to design and implement a CIS2-compliant authentication flow that fits your application, end user environment, and regulatory requirements.
We begin by identifying your application’s authentication needs, user access patterns, and platform compatibility. Whether your users authenticate from fixed NHS locations using Smartcards or need to log in remotely via modern devices, we help you implement the right blend of authentication mechanisms.
Our developers integrate your system with NHS Identity services using OAuth 2.0 and OIDC, ensuring support for multi-factor authentication (MFA) and federated identity management. We configure secure access tokens, implement user consent flows, and ensure all authentication is compliant with NHS security policies and Spine requirements.
We also support integration with Smartcard-based workflows where required, enabling users to authenticate and access clinical systems using physical Smartcards and associated Spine services. Throughout development and deployment, we assist with testing, registration, and assurance processes to ensure your authentication solution is ready for real-world use in live NHS environments.
Integrating with NHS CIS2 allows your application to deliver secure and user-friendly authentication, enabling healthcare professionals to access critical clinical systems quickly and reliably from any approved device or location.
With CIS2 integration, authentication becomes seamless – clinicians can log in using biometric methods or QR codes without compromising data protection or user accountability. Access to NHS Spine services becomes consistent across care settings, ensuring continuity of care even when users move between organisations or work remotely.
For NHS organisations, CIS2 improves governance, simplifies user provisioning, and enables wider adoption of digital tools without adding complexity to access control. For vendors, CIS2 integration ensures compatibility with NHS authentication infrastructure, streamlines onboarding, and improves trust with healthcare customers.
We have experience delivering CIS2-compliant solutions using OAuth 2.0, OpenID Connect, and NHS Smartcards. Our authentication integrations are built to NHS standards and aligned with real-world clinical use.
6B supports the full CIS2 integration lifecycle – from authentication design and platform selection to secure implementation, testing, and go-live. We manage stakeholder communication and NHS approvals throughout the process.
Whether your users rely on physical Smartcards or require modern, mobile-compatible authentication, we design flexible access flows that support both approaches in line with NHS security policies.
We are ISO 27001 certified, Cyber Essentials compliant, and experienced in delivering healthcare solutions that balance strict security requirements with intuitive user journeys.
We also deliver integrations with other systems and APIs like NHS Spine 2, NHSmail, MESH, GP Connect, SystmOne, EMIS, Cerner, and Epic – enabling us to ensure that your authentication model fits smoothly into a wider interoperable ecosystem.
To achieve a successful NHS CIS2 Integration, your application must support secure, standards-based authentication protocols—specifically OpenID Connect (OIDC) layered on top of OAuth 2.0. NHS CIS2 only supports the Authorization Code Flow, requiring your backend to securely manage a client secret or implement Private Key JWT for client authentication. You’ll also need to implement session management, support for access and ID tokens, and optionally configure back-channel logout to replicate Smartcard removal behavior.
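As an added illustration of the optional back-channel logout mentioned above (this is not 6B's or NHS England's code): a Python example of the claim checks defined by the OpenID Connect Back-Channel Logout 1.0 specification, followed by ending the matching local sessions. The issuer URL and client ID are constructed placeholders, the class and session-store names are hypothetical, and the example assumes the logout token's signature and expiry have already been verified with a JWT library.

```python
import time

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"
# Constructed placeholders, not real CIS2 values.
EXPECTED_ISSUER = "https://idp.example.invalid/placeholder"
CLIENT_ID = "example-client-id"


class LogoutHandler:
    """Checks decoded logout-token claims (signature already verified)."""

    def __init__(self, sessions, max_skew=300):
        self.sessions = sessions   # session_id -> {"sub": ..., "sid": ...}
        self.seen_jti = set()      # replay cache; use a TTL store in production
        self.max_skew = max_skew   # tolerated clock skew in seconds

    def validate(self, claims, now=None):
        now = time.time() if now is None else now
        if claims.get("iss") != EXPECTED_ISSUER:
            return "bad issuer"
        aud = claims.get("aud")
        if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
            return "bad audience"
        iat = claims.get("iat")
        if not isinstance(iat, (int, float)) or abs(now - iat) > self.max_skew:
            return "stale or missing iat"
        events = claims.get("events")
        if not isinstance(events, dict) or BACKCHANNEL_EVENT not in events:
            return "not a logout event"
        if "nonce" in claims:      # stops an ID token being replayed as a logout token
            return "nonce present"
        if not (claims.get("sub") or claims.get("sid")):
            return "no sub or sid"
        jti = claims.get("jti")
        if not jti or jti in self.seen_jti:
            return "missing or replayed jti"
        self.seen_jti.add(jti)
        return None

    def handle(self, claims, now=None):
        """Return (http_status, ended_session_ids)."""
        if self.validate(claims, now) is not None:
            return 400, []
        sid, sub = claims.get("sid"), claims.get("sub")
        doomed = [k for k, s in self.sessions.items()
                  if (s["sid"] == sid if sid else s["sub"] == sub)]
        for k in doomed:
            del self.sessions[k]
        return 200, doomed
```

A token carrying `sid` ends only that session; one carrying only `sub` ends every local session for that user.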
Yes. One of the key advantages of NHS CIS2 Integration is its built-in support for multi-factor authentication (MFA) across a variety of modern authenticators. These include Windows Hello, Microsoft Authenticator, security keys, iPads with biometric login, and more. This flexibility enables developers to tailor authentication to user needs and device capabilities, without relying solely on Smartcards or legacy systems.
According to NHS England, the average onboarding time for NHS CIS2 Integration is around 3 months. However, timelines vary depending on internal resources and prior experience with NHS interoperability standards. Working with an experienced partner like 6B can accelerate the integration process, streamline approval, and help you avoid common pitfalls during configuration, testing, and compliance stages.
NHS CIS2 provides a dedicated integration environment (INT) where developers can test their implementation against real authentication flows. This includes interaction with supported authenticators, access token issuance, and RBAC data retrieval via the UserInfo endpoint. The INT environment mimics the production setup closely, allowing you to validate your solution thoroughly before go-live.
Yes. One of the modernisation benefits of NHS CIS2 Integration is its independence from the Health and Social Care Network (HSCN). CIS2 allows internet-based access through secure authentication protocols, meaning you can support remote or mobile users securely without being tethered to NHS network infrastructure—ideal for modern web apps, SaaS platforms, and cloud-native healthcare solutions.
NHS CIS2 Integration is a prerequisite for accessing several national services that require identity assurance, including the NHS Personal Demographics Service (PDS), Spine, e-RS, and Summary Care Record (SCR). By implementing CIS2, your application can securely authenticate users and retrieve role-based access control (RBAC) data—ensuring access permissions are aligned with clinical responsibilities and NHS policy.
To complete NHS CIS2 Integration, you must pass a technical conformance test in the integration environment. This involves demonstrating successful login flows, token exchange, session timeout handling, Care Identity button placement, and (if applicable) back-channel logout. You must also confirm that your application handles tokens securely and does not retain or misuse personally identifiable information (PII) beyond NHS specifications.
Once your application goes live with NHS CIS2 Integration, you must stay compliant with any future updates to NHS security policies or identity standards. This includes monitoring for monthly service releases, submitting updates to conformance responses when workflows change, and renewing any certificates or credentials used in client authentication. Partnering with a consultancy like 6B ensures your platform remains up-to-date, secure, and NHS-compliant over time.