NHS staff have lost more than 4,000 smart cards that allow them to access patient records, according to figures released by Connecting for Health (CfH).
Responding to a Freedom of Information Act request from Pulse magazine, CfH, which is in charge of the NHS's new £12bn IT system, said 4,147 smart cards had been reported lost or stolen, 1,240 in the past year.
NHS staff use the cards plus six-digit PINs to access confidential patient records. Up to January 2008 the NHS had issued smart cards to 429,691 NHS staff, about one-third of the expected total.
A CfH spokesman said it was confident there had been no security breaches. He said staff are required to report lost or stolen cards immediately to enable the NHS to cancel them.
Mike Small, director of security management strategy at CA, said the best practice processes and procedures needed to avoid incidents like this are set out in government guidelines such as ISO 27001. "Perhaps there is a call for a combination of incentives and penalties to be implemented to make sure these best practices are actually followed," he said.
Small said strong authentication was not enough unless there was also a strong process to manage ID lifecycles. "Organisations need a rigorous registration and de-registration process as well as regular audits of employees' identity and access rights," he said.