Password-sharing - don't shoot doctors says clinical lead

Peter Curry, Clinical Lead eHealth, NHS Fife, makes some pertinent comments in response to an article on this blog about the sharing of passwords on a hospital PACS x-ray system.

He says the clinical priority for medical staff to access clinical information to provide care needs to be recognised; that password-sharing for these systems is the norm in the NHS across the UK; that resolution of this issue is a key priority within a national strategy and that shooting doctors and nurses for sharing passwords will be “counter productive as systems will not get used”. 

The blog article had said the sharing of passwords at a hospital in Devon had made it difficult to identify which doctor wrongly verified the treatment of a patient who died after a blunder.

The case shed light on the collision between a culture of password-sharing and the high security needed when NHS staff and doctors access large databases of confidential patient information under the £12.7bn National Programme for IT [NPfIT].

Password-sharing in the NHS is said to be endemic partly because space for computer screens in wards is limited, as is time for clinicians to log in and out.

Peter Curry writes: 

“While this clearly illustrates that the NHS is not complying with the requirements of the Data Protection act to take all reasonable measures to protect and secure confidential information by implementing a standard biometric or RFID staff authentication system, the clinical priority for medical staff to access clinical information to provide care needs to be recognised. 

“What would have been the headline if the unamed doctor had not even been able to access the X-ray because they did not have a personal password?  I suppose they could not then have made the mistaken interpretation that it was in the right place but rather the patient could then have died of starvation and no food at all!!

“If even a fraction of what has been spent on CfH had been invested in a proper workable staff authentication solution together with a proper robust Role Based Access Control Model this would not have happened.

This is something that does need to be done nationally in standard format as clinical staff are mobile between sites.

“We need to do something and we need to do it now and bringing in the ‘Major Crime Investigation Team’ is not the solution!  After all we are told the other doctors also knew the shared password and the implication is clearly that they used it.  Password sharing for these systems is the norm in the NHS across the UK.”

He added:

 “I think we have finally got NHS Scotland to accept that resolution of this issue is a key priority within national strategy.  It cannot be sorted out locally as clinical staff in particular doctors and nurses providing out of hours services are so mobile and work all over the place.  Shooting them for sharing passwords will be counter productive as systems will not get used at all.”


Password-sharing leaves NHS audit trail in tatters

NHS trust uncovers password sharing risk to patient data

Password-sharing in the NHS

NHS Connecting for Health admits smartcards were shared

Sir Bobby Robson’s electronic health records viewed illicitly by NHS staff