TL;DR: NHS England’s CIS1 support reduction and planned removal by 28 February 2027 force UK trusts to move to CIS2 while keeping clinicians connected to local and national systems, according to Imprivata. The real issue is not just migration speed, but whether identity controls can preserve secure, low-friction access across shared devices and mixed legacy environments.
At a glance
What this is: NHS England’s CIS1 sunset is forcing healthcare identity teams to modernise clinical access without disrupting care delivery.
Why it matters: Clinicians still need fast access across shared devices, local systems, and national services, while IAM teams must raise assurance and reduce workflow friction at the same time.
By the numbers:
- On 1 March 2026, CIS1 will no longer have an SLA and will be supported on a 'reasonable endeavours' basis.
- By 28 February 2027, CIS1 Authentication will be removed from operational service.
- In 2016, Imprivata reduced Spine smartcard insertions from 10–20+ times per shift to just once.
👉 Read Imprivata's guidance on CIS1 to CIS2 migration for clinical access
Context
CIS1 to CIS2 migration is an identity and access governance problem before it is a platform change. When national healthcare access depends on legacy authentication, shared devices, and separate local and national identities, the result is operational friction that can weaken both security and clinical workflow.
The CIS1 timeline now forces trusts to prove they can move clinicians onto higher assurance access without creating parallel sprawl across legacy and modern systems. That pressure sits squarely in IAM, PAM, and lifecycle governance, because access has to remain auditable and usable while the old service is retired.
For healthcare organisations, the real test is whether identity architecture can absorb a mandated migration while preserving patient-care continuity. That makes this a programme issue for NHS access teams, not just a technical cutover project.
Key questions
Q: How should healthcare organisations approach the CIS1 to CIS2 migration?
A: They should treat the migration as an identity governance programme, not a one-time technical swap. That means mapping every CIS1 dependency, validating CIS2-ready authentication on shared devices, and coordinating provisioning and offboarding across local and national systems so clinicians keep uninterrupted, auditable access during the transition.
Q: Why do shared clinical devices complicate high assurance authentication?
A: Shared devices break the assumption that one user owns one endpoint for long periods. Clinicians move between workstations, hand over care, and re-enter applications quickly, so authenticator design has to support roaming, re-authentication, and session continuity without creating unsafe shortcuts or repeated manual steps.
Q: What breaks when healthcare access is split between local and national identities?
A: The organisation inherits duplicate lifecycle work, inconsistent assurance levels, and harder auditability. If local and national access are managed separately, teams can lose sight of who has what entitlement, which increases the chance of stale access and forces clinicians into more complex workflows.
Q: Who is accountable for securing CIS2 access during the transition period?
A: Accountability sits with the healthcare organisation’s identity, infrastructure, and clinical application owners together, because the risk spans authentication, workflow design, and service continuity. CIS2 readiness is only real when the access path is secure, usable, and governable across the full clinical estate.
Technical breakdown
Why CIS1 to CIS2 creates a clinical identity transition problem
CIS1 and CIS2 embody different access assumptions. CIS1 was built around the legacy Spine smartcard authentication pattern, while CIS2 moves toward modern open standards such as OpenID Connect and higher assurance authentication. In healthcare, that change matters because clinicians often work across shared workstations, mobile devices, and national services, with separate identities for local and central systems. A migration plan has to reconcile those layers without forcing users into extra logins or new hardware dependencies. The technical challenge is therefore not only federation, but also workflow continuity across mixed assurance paths.
Practical implication: inventory every clinical access path that still depends on CIS1 and map it to a CIS2-ready authentication route before support disappears.
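The relying-party side of that OpenID Connect path, as an added illustration that is not Imprivata's or NHS England's code: a local clinical application validates the ID token it receives and then decides whether the assurance level the token carries is enough for this workflow, stepping the user up rather than silently accepting a lower path. The issuer, client ID, the claim name `acr`, the level names, and HS256 signing with a shared test key are all assumptions made so the example runs offline; a real CIS2 token is verified against the provider's published signing keys and carries the provider's own assurance claims.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed ranking of assurance levels, lowest to highest. The level names and the
# claim name "acr" are illustrative, not the real CIS2 claim vocabulary.
ASSURANCE_RANK = {"low": 0, "medium": 1, "high": 2}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 ID token so the example runs offline. A production OIDC
    provider signs with an asymmetric key that the relying party fetches via JWKS."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_id_token(token, key, issuer, client_id, nonce, required_acr, now=None):
    """Relying-party validation. Returns (decision, reason): 'allow', 'step_up'
    (token is genuine but its assurance is below what this workflow needs) or 'reject'."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return "reject", "malformed token"
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(head_b64))
    except ValueError:
        return "reject", "unreadable header"
    # Pin the expected algorithm before verifying; never let the token choose it.
    if header.get("alg") != "HS256":
        return "reject", "unexpected alg"
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    try:
        presented = _b64url_decode(sig_b64)
    except ValueError:
        return "reject", "unreadable signature"
    if not hmac.compare_digest(expected, presented):
        return "reject", "bad signature"
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != issuer:
        return "reject", "wrong issuer"
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return "reject", "token not issued for this client"
    if claims.get("nonce") != nonce:
        return "reject", "nonce mismatch (possible replay)"
    if claims.get("exp", 0) <= now:
        return "reject", "token expired"
    acr = claims.get("acr")
    if acr not in ASSURANCE_RANK:
        return "reject", f"unknown assurance level {acr!r}"
    if ASSURANCE_RANK[acr] < ASSURANCE_RANK[required_acr]:
        return "step_up", f"acr {acr} is below required {required_acr}"
    return "allow", f"acr {acr} satisfies {required_acr}"
```

The order of checks is deliberate: algorithm pinned, signature verified, then issuer, audience, nonce and expiry, and only then the assurance decision. A token that fails any of the first group is rejected outright; a genuine token with too little assurance is not rejected but routed to step-up, which is what keeps a mixed-assurance estate usable while the stronger path is rolled out.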
High assurance authentication in shared clinical environments
High assurance authentication means the organisation can trust the user identity at a higher level than password-only access. In hospitals, that usually involves multi-factor or device-bound authenticators, but those controls must work in shared device environments where a clinician may move between workstations during a shift. The clinical issue is that a control designed for one user and one device can fail when staff roam, hand over care, and use break-glass or in-application re-authentication. Good design here reduces security exceptions without adding extra delays at the bedside.
Practical implication: test authenticator behaviour on shared devices, follow-me desktop sessions, and break-glass flows before enforcing CIS2 requirements.
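A way to reason about the roaming and break-glass behaviour described above, as an added example that is not Imprivata's product logic: a small session broker keeps one shift session per clinician, lets them tap in on another workstation without a full re-authentication while the session is inside its idle and shift ceilings, locks the screen they walked away from, demands a fresh authentication for sensitive actions, and treats break-glass as a time-boxed, audited grant on top of an authenticated session rather than a bypass of it. All timeout values, method names and event labels are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed policy values for the example; a trust sets its own from its risk assessment.
SHIFT_SESSION_MAX = 12 * 3600   # hard ceiling on one shift session (seconds)
IDLE_TIMEOUT = 15 * 60          # idle gap beyond which a tap-in needs full re-authentication
STEP_UP_MAX_AGE = 5 * 60        # sensitive actions need an authentication this recent
BREAK_GLASS_TTL = 30 * 60       # emergency access is time-boxed, then reviewed from the audit trail


@dataclass
class ShiftSession:
    user: str
    authenticated_at: float                 # last full, high assurance authentication
    last_activity: float
    workstation: Optional[str] = None       # where this user's desktop is currently unlocked
    break_glass_until: Dict[str, float] = field(default_factory=dict)   # patient -> expiry


class SharedDeviceBroker:
    def __init__(self):
        self.sessions: Dict[str, ShiftSession] = {}   # one shift session per clinician
        self.occupant: Dict[str, str] = {}            # workstation -> user whose desktop is unlocked
        self.audit: List[tuple] = []

    def _log(self, now, event, user, workstation, **extra):
        self.audit.append((now, event, user, workstation, extra))

    def _release(self, workstation, now):
        """Lock whoever holds this workstation; their session survives, the screen does not."""
        prev = self.occupant.pop(workstation, None)
        if prev is not None and self.sessions[prev].workstation == workstation:
            self.sessions[prev].workstation = None
            self._log(now, "lock", prev, workstation, reason="handover")

    def sign_in(self, user, workstation, now):
        """Full authentication with the high assurance authenticator. Starts a new
        shift session, or refreshes the existing one (this is also the step-up path)."""
        self._release(workstation, now)
        sess = self.sessions.get(user)
        if sess is None:
            sess = self.sessions[user] = ShiftSession(user, now, now)
        sess.authenticated_at = sess.last_activity = now
        sess.workstation = workstation
        self.occupant[workstation] = user
        self._log(now, "sign_in", user, workstation)
        return "authenticated"

    def tap_in(self, user, workstation, now):
        """Roam: the follow-me desktop resumes on another workstation without a full
        re-auth, but only while the session is inside both the idle and shift ceilings."""
        sess = self.sessions.get(user)
        if sess is None:
            return "full_auth_required"
        if now - sess.authenticated_at > SHIFT_SESSION_MAX or now - sess.last_activity > IDLE_TIMEOUT:
            if sess.workstation is not None:
                self.occupant.pop(sess.workstation, None)
            del self.sessions[user]
            self._log(now, "session_expired", user, workstation)
            return "full_auth_required"
        if sess.workstation is not None and sess.workstation != workstation:
            self._release(sess.workstation, now)     # the screen they walked away from locks
        self._release(workstation, now)              # whoever was on this screen is locked too
        sess.workstation = workstation
        sess.last_activity = now
        self.occupant[workstation] = user
        self._log(now, "tap_in", user, workstation)
        return "resumed"

    def sensitive_action(self, user, workstation, action, now):
        """Prescribing and similar: unlocked session on this screen plus a recent authentication."""
        sess = self.sessions.get(user)
        if sess is None or sess.workstation != workstation:
            return "denied"
        if now - sess.authenticated_at > STEP_UP_MAX_AGE:
            return "step_up_required"
        sess.last_activity = now
        self._log(now, "sensitive_action", user, workstation, action=action)
        return "allowed"

    def break_glass(self, user, workstation, patient, reason, now):
        """Emergency override: never anonymous, always time-boxed, always audited."""
        sess = self.sessions.get(user)
        if sess is None or sess.workstation != workstation:
            return "denied"   # an authenticated session is the precondition, not what gets bypassed
        if not reason.strip():
            return "reason_required"
        sess.break_glass_until[patient] = now + BREAK_GLASS_TTL
        sess.last_activity = now
        self._log(now, "break_glass", user, workstation, patient=patient, reason=reason)
        return "granted"

    def can_view(self, user, patient, now):
        sess = self.sessions.get(user)
        return sess is not None and sess.break_glass_until.get(patient, 0.0) > now
```

The properties worth testing on a real deployment are the ones the broker enforces: a tap-in never silently extends the shift ceiling, a handover locks the previous occupant rather than sharing their desktop, a sensitive action after the step-up window forces re-authentication, and break-glass cannot be invoked by an unauthenticated person or without a reason.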
Why national access needs lifecycle governance, not just authentication
National access programmes often create identity duplication if local and central credentials are managed separately. That duplication increases the chance of stale access, inconsistent assurance levels, and hard-to-audit exceptions. Lifecycle governance matters because the same clinician identity may need different entitlements across local EPRs and national systems, but those entitlements still need provisioning, review, and retirement in a controlled way. Open standards can improve portability, but they do not remove the need to govern who can reach what, under what assurance conditions, and for how long.
Practical implication: align provisioning, review, and offboarding processes across local and national healthcare identities so CIS2 does not create a second identity estate.
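Lifecycle reconciliation across the two estates, as an added example over constructed records (not an export from any NHS or Imprivata system): the local directory is joined to the national entitlement records through a link table, and the script reports leavers who still hold national roles, national records with no local owner, active staff with no national identity, entitlements whose required assurance exceeds what the linked authenticator provides, and overdue reviews. The field names, the authenticator-to-assurance ranking, the 90-day review interval and the reference date are assumptions.

```python
from datetime import date

REVIEW_INTERVAL_DAYS = 90   # assumed review cadence for national entitlements
AS_OF = date(2026, 3, 1)    # constructed reference date: the day the CIS1 SLA drops

# Assumed assurance each authenticator type gives; national roles carry the minimum they need.
AUTH_LEVEL = {"password": 0, "push_otp": 1, "smartcard": 2, "fido2": 2}

# Constructed sample records (not real people, systems or exports).
LOCAL_DIRECTORY = [
    {"id": "L001", "status": "active", "left": None, "authenticator": "smartcard"},
    {"id": "L002", "status": "leaver", "left": date(2026, 1, 15), "authenticator": "smartcard"},
    {"id": "L003", "status": "active", "left": None, "authenticator": "password"},
    {"id": "L004", "status": "active", "left": None, "authenticator": "fido2"},
]
NATIONAL_REGISTRY = [
    {"uid": "N-1", "roles": [("spine_prescriber", 2)], "last_review": date(2026, 1, 10)},
    {"uid": "N-2", "roles": [("spine_viewer", 1)], "last_review": date(2025, 6, 1)},
    {"uid": "N-3", "roles": [("spine_prescriber", 2)], "last_review": date(2025, 10, 1)},
    {"uid": "N-9", "roles": [("spine_viewer", 1)], "last_review": date(2026, 2, 1)},
]
LINKS = {"L001": "N-1", "L002": "N-2", "L003": "N-3"}   # local id -> national uid; L004 never linked


def reconcile(local, national, links, today):
    """Return sorted (finding, subject, detail) tuples describing governance gaps
    between the local estate and the national entitlement records."""
    nat = {r["uid"]: r for r in national}
    owned = set(links.values())
    findings = []
    for person in local:
        uid = links.get(person["id"])
        if uid is None:
            if person["status"] == "active":
                findings.append(("unlinked_local", person["id"],
                                 "active locally with no national identity: provision, or confirm none is needed"))
            continue
        rec = nat.get(uid)
        if rec is None:
            findings.append(("dangling_link", person["id"], f"linked to {uid}, which no longer exists nationally"))
            continue
        if person["status"] == "leaver":
            # Offboarding happened locally but never reached the national estate.
            if rec["roles"]:
                days = (today - person["left"]).days
                held = [role for role, _ in rec["roles"]]
                findings.append(("stale_national", uid, f"local leaver {days} days ago still holds {held}: revoke"))
            continue
        # Active user: does the authenticator they actually hold meet each national role's requirement?
        level = AUTH_LEVEL.get(person["authenticator"], 0)
        for role, needed in rec["roles"]:
            if level < needed:
                findings.append(("assurance_gap", uid,
                                 f"{role} needs level {needed} but {person['authenticator']} gives {level}: enrol a stronger authenticator"))
        overdue = (today - rec["last_review"]).days - REVIEW_INTERVAL_DAYS
        if overdue > 0:
            findings.append(("review_overdue", uid, f"entitlement review {overdue} days overdue"))
    for uid in nat:
        if uid not in owned:
            findings.append(("orphan_national", uid, "no local owner: investigate before the CIS1 path is retired"))
    return sorted(findings)


def summarise(findings):
    """Counts per finding type, for tracking burn-down against the CIS1 dates."""
    counts = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts
```

Run this on every lifecycle cycle rather than once: the `stale_national` and `orphan_national` classes are the ones that turn into unmanaged access when the legacy path is switched off, and `assurance_gap` is the list of people who will hit step-up or lock-out on cutover day unless they are re-enrolled first.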
NHI Mgmt Group analysis
CIS1 retirement is a lifecycle governance event, not a simple authentication upgrade. The support reduction and eventual removal force trusts to prove that identity governance can carry clinicians through a staged migration while preserving access continuity. That is a lifecycle and assurance problem at the same time, because the old access path is being withdrawn before every clinical workflow has a stable replacement. Practitioners should treat CIS1 sunset as a governance deadline, not a technology refresh.
Healthcare identity programmes still fail when they assume one user, one device, one journey. Clinical access is shared, mobile, and time-sensitive, so access models built around fixed endpoints do not survive real ward operations. This is where the control model and the operational model diverge, and the result is either user friction or uncontrolled workarounds. Practitioners need to re-evaluate whether their access architecture matches how care is actually delivered.
National access and local access must be governed as one identity estate. When separate identities exist for local systems and government systems, the organisation inherits duplicated assurance, duplicated lifecycle work, and duplicated audit burden. That duplication is manageable only if provisioning, re-authentication, and retirement are coordinated across both domains. The practical conclusion is that migration planning must include governance integration, not just protocol compatibility.
Clinical workflow friction is a security control issue, not a user-experience side effect. If clinicians must interrupt care to satisfy access controls, they will pressure teams toward exceptions or informal workarounds. The right question is not whether the workflow is convenient, but whether it can preserve strong assurance without driving unaudited access paths. Practitioners should measure friction as part of control effectiveness, not after deployment.
High assurance authentication for healthcare must be evaluated against care delivery reality. Controls that work in office IAM programmes can fail on shared wards, roaming clinicians, and mixed-device environments. That makes the healthcare access model distinct from standard enterprise SSO, even when the underlying standards look similar. IAM leads should benchmark controls against clinical workflow, not desktop assumptions.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Fragmented control is also common: organisations maintain an average of 6 distinct secrets manager instances, which undermines centralised governance, according to The State of Secrets in AppSec.
- For a broader lifecycle view, see NHI Lifecycle Management Guide for how provisioning, rotation, and offboarding should stay aligned during platform migration.
What this signals
Clinical identity programmes should expect migration pressure to expose hidden governance debt. When a legacy access service is retired on a fixed timetable, every exception, workaround, and duplicate identity path becomes visible. That is why the control question shifts from whether CIS2 is supported to whether the organisation can retire CIS1 without leaving unmanaged access behind.
Identity teams should use the migration window to collapse duplicate access models. Separate local and national credentials increase lifecycle burden and audit complexity, so the transition is an opportunity to consolidate entitlement logic and remove unnecessary identity sprawl. The right destination is a single governance view across clinical systems, not two parallel access estates.
The NHI Mgmt Group view is that healthcare access modernisation is only successful when assurance and workflow are designed together. If one is improved at the expense of the other, users create exceptions that reintroduce risk through the back door.
For practitioners
- Map all CIS1-dependent access paths: Build a complete inventory of clinical workflows, applications, and national services that still rely on CIS1 authentication, including shared devices and break-glass use cases.
- Align local and national identity lifecycle processes: Ensure provisioning, access review, and offboarding are coordinated across hospital systems and national services so clinicians do not carry parallel identities longer than necessary.
- Test high assurance authentication on ward realities: Validate authentication methods on shared workstations, thin clients, mobile devices, and follow-me sessions before enforcing CIS2 requirements.
- Design a phased CIS1 to CIS2 cutover: Keep operational continuity by sequencing legacy support, user migration, and application readiness so clinicians are not forced into unmanaged exceptions.
Key takeaways
- CIS1 retirement turns clinical access into a governance deadline, because trusts must modernise authentication while preserving care continuity.
- Shared devices and dual identities make healthcare access harder to secure than standard enterprise SSO, so migration plans must account for real ward workflows.
- The control that matters most is coordinated lifecycle governance across local and national systems, because duplicated identity estates create avoidable audit and access risk.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01 (identities and credentials are managed) | Clinical access migration depends on managing identities and credentials across legacy and modern systems. |
| NIST Zero Trust (SP 800-207) | Section 2.1 tenets: per-session access, dynamic policy | High assurance access in shared clinical environments aligns with continuous verification and least privilege. |
| NIST SP 800-63 | SP 800-63B AAL2/AAL3; SP 800-63C FAL2/FAL3 | CIS2 high assurance authentication echoes federation and authenticator assurance requirements. |
Validate authenticators and federation flows against the assurance level needed for national healthcare access.
Key terms
- High Assurance Authentication: Authentication that gives a higher level of confidence in the user’s identity than password-only login. In healthcare, it usually combines stronger factors, device context, or approved authenticators so staff can access sensitive systems securely without turning clinical work into a manual checkpoint.
- Clinical Identity Estate: The full set of identities, credentials, and access paths used in care delivery across local and national systems. It includes clinician accounts, shared-device access patterns, and retirement processes, all of which must be governed together to avoid fragmentation and audit gaps.
- Phased Identity Migration: A controlled transition from one access model to another while both old and new systems still operate. The goal is to preserve service continuity, reduce risk, and retire legacy access only after replacement workflows are validated in production conditions.
- Shared Device Access: A model where multiple users authenticate on the same endpoint across shifts or locations. It is common in clinical environments and demands access controls that support rapid sign-in, re-authentication, and session handover without assuming a personal device per user.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Imprivata: CIS1 to CIS2 migration and secure access for UK healthcare. Read the original.
Published by the NHIMG editorial team on 2026-02-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org