Join the Community

23,967

Expert opinions

40,637

Total members

363

New members (last 30 days)

198

New opinions (last 30 days)

29,264

Total comments

Join Sign in

Password sharing in the National Health Service

02 June 2008 1 comment

Keith Appleyard

IT Consultant

available for hire

Full story available at http://www.computerweekly.com/Articles/2008/05/30/230883/password-sharing-leaves-nhs-audit-trail-in-tatters.htm

Investigators have been unable to trace a doctor involved a medical blunder that ended in a patient's death because staff in a Devon hospital had been sharing passwords. The doctor whose password was being used was not working at the hospital at the time.

Password sharing in the NHS is said to be endemic partly because it has been reported that Login times could be as long as 10 minutes – whereas if everyone shares the same Login & Password for the shift, then with continuous access every minute or so no-one ever gets timed out.

Bar & Restaurant Staff have to continuously have to Logon & Logoff from the Cash Register – but they achieve this in seconds using Tokens such as BarCodes or Magnetic Stripes.

Why couldn’t the NHS give every Doctor & Nurse a Tesco Clubcard-style Badge on a Keyring, and they could swipe in & out that way in a matter of seconds – after all this really was a matter of life and death, and we don’t even know who was negligent.

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

5096

Report

Channels

/security /regulation & compliance

Whatever...

A place to share stuff that isn't at all fintec related but is amusing, absurd or scary.

Join group

481 opinions 20 members 14 July 2025

Comments: (1)

Stephen Wilson Managing Director at Lockstep Consulting

03 June 2008

The inclination to share passwords is the bane of many policy wonks' existance. It arises naturally when humble users seek work-arounds to improve their day-to-day workplace situation. A culture of work-arounds is especially prevalent throughout healthcare technology (not just health IT) as smart professionals working in close teams with dozens of 'machines that go ping' strive to get the most out of their equipment and to compensate for all-too-common shoddy user interfaces.

In the specific case of computer logon, we're all caught up in the transition from username+password to something smarter and more robust. I am one of those that has great belief in smartcards, because of their power as holders and notarisers of personal credentials, and also because they are so intuitive. We have all been trained for decades to pop a card into a slot, enter a password, and get things to happen. It's the most natural form factor for computer logon (perhaps using contactless cards in many hospital settings, with or without PIN depending on the application concerned). Response times in smartcard log-on should be near instantaneous. The practical deployment of systems like Sun Rays is encouraging, where telecommuters enjoy added features like session portability, which is a huge benefit in healthcare.

The dreadful logon delays in the new NHS systems I think has something to do with the centralisation of healthcare professionals' credentials. There is a two-stage process of first identifying a user, followed by extracting their authorisations from a central repository. IMHO credentials are better secreted in the smartcard, notarised by digital signature, so that remote systems can rely on their 'pedigree' without referring in real time to central mission critical gateways that must be engineered with stupendous availability and bandwidth so as to limit bottlenecks.

Cheers,

Stephen Wilson.

Report