Authentication, authorisation and security in Core

Dunmail -

This article describes the authentication, authorisation and security of Black Pear's Core app when providing Care Plans and Care Record capabilities.


By default, Core uses Black Pear's BP Auth service ( to authenticate users.

Users are authenticated using a unique user identity (their email address) in conjunction with a password.

Credentials cannot be used for authentication until the user has verified their identity and set a strong password. Password strength is checked using Dropbox's zxcvbn library and only passwords that are estimated to take more than 10^10 attempts to guess are allowed.

Passwords will expire after 90 days and a new password must be chosen; this cannot be one of the previous 12 passwords used. If users forget their password then they can simply and easily request a reset link to be sent by email; this allows them to choose a new password:

Passwords are salted and hashed using an NHS approved algorithm before being stored in a secure database managed by Black Pear.


Core authorises users by using Black Pear's Warden service ( to provide robust, token-based authorisation.

Service administrators can assign a role to each user within each Core service. Users may have different roles on different Core services.

Role based access control (RBAC) is used to control users' access to system functions within the app and data within services. Users cannot access any system functions or data without having first authenticated and selected their role.


Care Plans are stored in a service-specific Mongo DB replica-set located in a Virtual Private Cloud provided by Amazon Web Services in the EU (London) Region. The private cloud is connected to HSCN by Redcentric in accordance with an approved Logical Connection Architecture. Redcentric are an NHS HSCN aggregator with IGSoC. Black Pear operate an ISO27001 certified Information Security Management System that meets the requirements of NHS Data Security and Protection Toolkit.

All data are encrypted at rest using disk-level encryption with approved cryptographic algorithms (AES-256) and only authenticated access is permitted. Data are encrypted in transit using TLS with approved cryptographic algorithms (AES-256). Data are backed up to a geographically separate location at least every 24 hours.

Audit logs record all access to the Core services. Audit logs are retained for the duration of the service contract and returned to the data controller at the end of the contract.


Core authentication, authorisation and security combines industry best practices with relevant NHS requirements including:

  • IG Requirements for GP Systems V4
  • Password Policy for Non-Spine Connected Applications GPG
  • Approved Cryptographic Algorithms GPG

Source code for service authorisation using JWT and HL7 FHIR is published online at:


Have more questions? Submit a request


Article is closed for comments.
Powered by Zendesk