An unhealthy interest in databases

[Dave Birch] The National Health Service’s vast Connecting for Health programme has within it a fascinating identity management case study. In order to ensure the security of the system — which naturally includes sensitive medical records — the NHS decided to issue smart cards to all staff. Unfortunately, a recent assessment found

…serious weaknesses in controls over access to patient data, with more than 4,000 NHS smartcards already missing and one in 10 trusts admitting they had no idea how many cards had been lost or stolen.

[From Pulse – The GP’s website – MPs told of new patient record breaches]

Many years ago, at a meeting of the Parliamentary IT Committee (PITCOM), I asked the then head of the programme, former management consultant Richard Granger, how security would be maintained in a system with more than a million users, and I was told (rather abruptly, as I recall) that I shouldn’t worry about it because top security boffins had taken care of it, that a smart card would be required to access everything, that an audit trail would be kept, and so forth. Well,

The national rollout of the Summary Care Record is to take place this year and speaking during a debate over the committee’s inquiry into the rollout, Labour MP Keith Barron revealed examples where NHS workers breaching security controls had gone unpunished. Admitting he had previously believed the BMA to be scaremongering over the issue, he described one case in which no action was taken by a PCT after an employee gained access to identifiable patient information by persuading a district nurse to disclose her username and password.

[From Pulse – The GP’s website – MPs told of new patient record breaches]

Wait a moment! What happened to the smart card that would be required to access identifiable patient information? The system started off by requiring an unrealistic level of security, millions of pounds were spent trying to build it, and then they went back to usernames and passwords? This does not bode well for other giant databases full of personal information that will be kept secure (through mechanisms as yet unknown to science) despite having hundreds of thousands of users.

