
NHS staff have lost more than 4,000 smart cards that
allow them to access patient records, according to figures released
by Connecting for Health (CfH).
Responding to a Freedom of Information Act request from Pulse
magazine, CfH, which is in charge of the NHS's new £12bn IT system,
said 4,147 smartcards had been reported lost or stolen, 1,240 in
the past year.
NHS staff use the cards plus six-digit PINs to access
confidential patient records. Up to January 2008 the NHS had issued
smart cards to 429,691 NHS staff, about one-third of the expected
total.
A CfH spokesman said it was confident there had been no security
breaches. He said staff are required to report lost or stolen cards
immediately to enable the NHS to cancel them.
Mike Small, director of security management strategy at
CA, said the best practice processes
and procedures needed to avoid incidents like this are set out in
government guidelines such as ISO 27001. "Perhaps there is a call
for a combination of incentives and penalties to be implemented to
make sure these best practices are actually followed," he said.
Small said strong authentication was not enough unless there was
also a strong process to manage ID lifecycles. "Organisations need
a rigorous registration and de-registration process as well as
regular audits of employees' identity and access rights," he
said.