CIS1 to CIS2 migration: what it means for clinical access teams


(@nhi-mgmt-group)

TL;DR: NHS England’s CIS1 support reduction and planned removal by 28 February 2027 force UK trusts to move to CIS2 while keeping clinicians connected to local and national systems, according to Imprivata. The real issue is not just migration speed, but whether identity controls can preserve secure, low-friction access across shared devices and mixed legacy environments.

NHIMG editorial — based on content published by Imprivata: CIS1 to CIS2 migration and secure access for UK healthcare

Questions worth separating out

Q: How should healthcare organisations manage CIS1 to CIS2 migration without disrupting clinical access?

A: They should treat the migration as an identity governance programme, not a one-time technical swap.

Q: Why do shared clinical devices complicate high assurance authentication?

A: Shared devices break the assumption that one user owns one endpoint for long periods.

Q: What breaks when healthcare access is split between local and national identities?

A: The organisation inherits duplicate lifecycle work, inconsistent assurance levels, and harder auditability.

Practitioner guidance

  • Map all CIS1-dependent access paths: Build a complete inventory of clinical workflows, applications, and national services that still rely on CIS1 authentication, including shared devices and break-glass use cases.
  • Align local and national identity lifecycle processes: Ensure provisioning, access review, and offboarding are coordinated across hospital systems and national services so clinicians do not carry parallel identities longer than necessary.
  • Test high assurance authentication on ward realities: Validate authentication methods on shared workstations, thin clients, mobile devices, and follow-me sessions before enforcing CIS2 requirements.

What's in the full article

Imprivata's full article covers the operational detail this post intentionally leaves for the source:

  • The migration sequence for CIS1 to CIS2 across legacy and modern healthcare access paths.
  • The practical differences between smartcard-based access, virtual smartcards, and OpenID Connect-based access.
  • Clinical workflow examples showing how high assurance authentication can work on shared devices without blocking care.
  • The specific access considerations Imprivata raises for trusts planning phased migration while maintaining NHS Spine access.
