Stephen Wilson - Lockstep Consulting - Sydney 03 June, 2008, 02:53 0 likes

The inclination to share passwords is the bane of many policy wonks' existance.  It arises naturally when humble users seek work-arounds to improve their day-to-day workplace situation.  A culture of work-arounds is especially prevalent throughout healthcare technology (not just health IT) as smart professionals working in close teams with dozens of 'machines that go ping' strive to get the most out of their equipment and to compensate for all-too-common shoddy user interfaces. 

In the specific case of computer logon, we're all caught up in the transition from username+password to something smarter and more robust.  I am one of those that has great belief in smartcards, because of their power as holders and notarisers of personal credentials, and also because they are so intuitive.  We have all been trained for decades to pop a card into a slot, enter a password, and get things to happen.  It's the most natural form factor for computer logon (perhaps using contactless cards in many hospital settings, with or without PIN depending on the application concerned).  Response times in smartcard log-on should be near instantaneous. The practical deployment of systems like Sun Rays is encouraging, where telecommuters enjoy added features like session portability, which is a huge benefit in healthcare.

The dreadful logon delays in the new NHS systems I think has something to do with the centralisation of healthcare professionals' credentials.  There is a two-stage process of first identifying a user, followed by extracting their authorisations from a central repository.  IMHO credentials are better secreted in the smartcard, notarised by digital signature, so that remote systems can rely on their 'pedigree' without referring in real time to central mission critical gateways that must be engineered with stupendous availability and bandwidth so as to limit bottlenecks.

Cheers, 

Stephen Wilson.