…serious weaknesses in controls over access to patient data, with more than 4,000 NHS smartcards already missing and one in 10 trusts admitting they had no idea how many cards had been lost or stolen. [From Pulse – The GP’s website – MPs told of new patient record breaches]
Many years ago, at a meeting of the Parliamentary IT Committee (PITCOM), I asked the then head of the programme, former management consultant Richard Granger, how security would be maintained in a system with more than a million users. I was told (rather abruptly, as I recall) that I shouldn’t worry about it because top security boffins had taken care of it, that a smart card would be required to access everything, that an audit trail would be kept, and so forth. Well,
The national rollout of the Summary Care Record is to take place this year and speaking during a debate over the committee’s inquiry into the rollout, Labour MP Keith Barron revealed examples where NHS workers breaching security controls had gone unpunished. Admitting he had previously believed the BMA to be scaremongering over the issue, he described one case in which no action was taken by a PCT after an employee gained access to identifiable patient information by persuading a district nurse to disclose her username and password. [From Pulse – The GP’s website – MPs told of new patient record breaches]
Wait a moment! What happened to the smart card that would be required to access identifiable patient information? The system started off by requiring an unrealistic level of security, millions of pounds were spent trying to build it, and then they went back to usernames and passwords? This does not bode well for other giant databases full of personal information that will be kept secure (through mechanisms as yet unknown to science) despite having hundreds of thousands of users.