The UK's largest NHS trust has discovered endemic
sharing of passwords and log-in identifications by staff, recording
70,000 cases of "inappropriate access" to systems, including
medical records, in one month.
The Leeds Teaching Hospitals NHS Trust said there was a
"wholesale sharing and passing on of system log-in identifications
and passwords" and it warned that uncontrolled access "presents a
considerable risk to the security of patient data" and consequently
puts the trust at risk.
The Leeds trust is the largest in the UK and includes the
biggest teaching hospital in Europe. It has a budget of £730m,
employs 14,000 people across eight sites and treats about one
million patients a year.
A management paper to the trust's main board, dated 6 July, said
that in one month alone "70,000 examples were detected of
inappropriate access of IT systems by trust staff". The paper
added, "This took the form of wholesale sharing and passing on of
system log-in identifications and passwords. The system misuse was
widespread across departments, sites and disciplines."
Doctors said the sharing of codes which give access to NHS
systems and medical records was an ingrained practice within the
NHS. This culture was recognised as a threat to the confidentiality
of medical records which are due to be uploaded from local systems
to a national data spine under the NHS's National Programme for IT
(NPfIT).
Under the NPfIT, sensitive information on 50 million people in
England is due to go online, although this has not happened yet.
NHS managers can discipline staff after a breach has occurred - but
they cannot stop it happening.
Last year, in answer to a parliamentary question from MP Richard
Bacon, the then health minister Liam Byrne confirmed that a number
of smartcards issued under the NPfIT to GPs in Essex had the same
personal identification number for every user.
Leeds trust is expected to introduce a new security policy which
it said "aims to ensure proper control over the granting of access
to trust systems and data".
● Problems with a BT-built NPfIT system to track NHS childhood
vaccinations could be putting children at risk, according to the
Health Protection Agency. In the independent agency's Communicable
Disease Report, it said that national trends on vaccination were
not available for the third consecutive quarter because of problems
implementing the system. The vaccination system had no information
on 51,500 children in London.
Vote for your IT greats
Who have been the most influential people in IT in the past 40
years? The greatest organisations? The best hardware and software
technologies? As part of Computer Weekly’s 40th anniversary
celebrations, we are asking our readers who and what has really
made a difference?
Vote now at:
www.computerweekly.com/ITgreats