Password-sharing hinders probe into serious blunder

The sharing of passwords on a hospital x-ray system at a hospital in Devon has made it difficult to identify which doctor wrongly verified the treatment of a patient who died after a blunder.

The case sheds light on the collison between culture of the NHS – where the sharing of passwords is said to be common practice – and the high security needed when NHS staff and doctors access large databases of confidential patient information under the £12.7bn National Programme for IT [NPfIT].

Password-sharing in the NHS – which has been highlighted in case studies published in Computer Weekly – is said to be endemic partly because space for computer screens in wards is limited, as is time for clinicians to log in and out.

Officials at NHS Connecting for Health who help run the NPfIT have said that national systems are more secure than paper records, in part because audit trials show who has viewed what patient records.

But in the latest instance of password-sharing the audit trials caused some confusion because several clinicians were sharing the same passwords. The result is that investigators at Derriford Hospital in Plymouth in Devon have been unable to identify a doctor who was involved in the care of Muriel Elliott.

She had a feeding tube wrongly inserted into her lung instead of her stomach and died 13 days later, in September last year. Mrs Elliott was in her late 70s. She was in hospital after suffering a stroke following heart by-pass surgery.

A hospital investigation, the results of which have been shared with the local coroner, could not establish which doctor had viewed an electronic x-ray image and had told nursing staff that the nasal gastric tube was in the correct position before Mrs Elliott was transferred to the Acute Stroke Unit.

A report prepared by Derriford Hospital’s legal department in relation to the case was leaked to BBC’s regional news programme “Spotlight” and the Herald newspaper. They said that the doctor who checked the position of the tube had not made a record of it in the patient’s notes. And the doctor whose password was used to view the stored x-ray image was not working at the hospital at the time.

Two other doctors who were on duty when Mrs Elliott’s x-ray was verified knew the password but denied they approved the tube’s positioning.

Mrs Elliott had an x-ray at 30 minutes after midnight and a nurse on the stroke unit asked a Senior House Officer to check the position of the feeding tube on the x-ray image. The log identified a doctor who had viewed the image at 0328 – but it appears that doctor gave his password to a Senior House Officer, a female doctor.

However the stroke unit nurse said the x-ray was checked by a man. At 0730 the nurse began feeding Mrs Elliott through the tube.

The report by the hospital’s legal department said: “Despite a thorough investigation involving several members of staff, it has not been possible to identity the doctor who verified the position of the NGT [nasal gastric tube].”

The hospital uses a picture archiving and communication system [PACS] and “CRIS” Radiology Information System which were installed in 2006 under the NPfIT. The PACS system is linked by the N3 broadband network to a remote data store, with access to images through workstations and web-based PCs.

The local police “Major Crime Investigation Team” has been called in. Police officers have met Paul Roberts, the chief executive of the Plymouth Hospitals NHS Trust, who assured them of support and co-operation. Trust staff have put together a small team of senior staff to support the inquiry.

Brian Gerrish, Mrs Elliott’s son-in-law, told the BBC:

“This is absolutely incredible… Derriford does not know who the doctor was that made a clinical decision that resulted in a death and it’s possible it could have been somebody who just walked in off the street, because they have no idea.”

A statement issued by Plymouth Hospitals NHS Trust said: “The Trust has stringent policies and guidelines concerning patient confidentiality and the use of its IT systems. We expect all staff to work according to these policies and any breach of security is investigated and appropriate disciplinary action taken whenever necessary.”

It added: “This case has been subject to a full investigation within the Trust and the results and recommendations of that investigation have been shared with the coroner. The case has recently been referred to Devon and Cornwall police and enquiries are at an early stage. At this time it is not appropriate for the Trust to comment further.”

NHS Connecting for Health said: “Individual users sets their own passcode which may not be shared with anyone else. Password sharing represents a misuse of a system and the Department of Health published a joint statement along with the GMC and the Information Commissioner, which made it clear that from policy, professional and legal perspectives there is zero tolerance on such behaviour.”


Staff at Derriford Hospital learned some useful lessons from the go-live in 2006 of picture archiving and communication system [PACS] and radiology information systems [RIS]

This is part of a presentation given in 2006 on the “difficult implementation of PACS” at Derriford Hospital by a clinical radiologist:

Some of what went well

  • Project roll out to schedule despite tight time scale
  • Project delivered within budget
  • Phased roll out maintaining imaging capacity
  • Dedicated implementation team
  • Support from, networks, estates, and hospital IT
  • Equipment scoping close to requirements
  • WebPACS is well liked and trouble free
  • Migration of data from old RAD/Agfa system – but at a cost

Some of what went badly

  • Suppliers unprepared for a hospital of this size and complexity
  • Inadequate system training from supplier
  • No integrated training on the whole system prior to implementation led to many problems particularly related to workflows and generation of unspecified and split examinations
  • Training given was much too long before go live date
  • Inadequate system support from supplier after implementation – little activity until trust staff shouted
  • No provision for support in contract
  • Fujitsu Help desk time-consuming and frustrating
  • Slow speed of system [Log in times averaged 10 minutes and community log in times of 45 minutes]
  • Size of Radiology IT team too small [Overwhelmed by technical problems and requests for training/support following implementation]
  • Roll out of radiology information system more time consuming than expected
  • Level of support from clinicians outside radiology variable during the difficult early days following roll out, expectations perhaps unrealistic
  • More contribution needed from users inside and outside radiology
  • Workflows inadequately thought through
  • Lack of sharing of problems and solutions with other hospitals
  • Problems with image sharing with other hospitals

Some of the complications

  • Real clinical risk
  • Serious impact on reporting throughput
  • Workstations incorrectly setup not automatically displaying Doppler ultrasound images


NHS Trust uncovers password-sharing risk to patient data

Smartcard sharing by an NHS trust – a breach of IT security or a practical way around slow access to the NHS Care Records Service?

Smartcard sharing at South Warwickshire Hospitals NHS Trust – comment by Martyn Thomas

North Bristol NHS Trust – policy of passwords

NPfIT – getting a bit complex?


Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

I can be sympathetic to the frustration at having to wait even 2 minutes never mind 10 to Logon, but this truly is a matter of life and death. If Bar Staff can lock/unlock the Cash Register in Seconds, why can't the Medical Staff have a BarCode or SwipeCard to gain immediate access. A physical token would also prevent everyone logging on as the doctor who wasn't even working at that hospital.

Swipecards, physical tokens and barcodes are good ideas: quick and practical.

The difficulty is that they would have to work within the inflexible frame of a national programme for IT.

Sorry to bring politics into it but the ability of NHS Connecting for Health and the Department of Health to take on new ideas is limited.

This is mainly because National Programme for IT is in essence a monolithic national plan that's designed years behind planned completion. CfH and the department have spent 6 years building the foundations for the world's tallest skyscraper. They cannot easily change parts of the design now.

What they could do is be less ambitious and use the foundations (the IT infrastructure) to build lots of smaller separate structures with linked pathways.

Ministers could then sacrifice having a world-famous national programme which immortalises them by making their ambitions manifest to future generations, and instead go for something much simpler that the NHS wants and needs.

It's not too late to take on new ideas and technologies. It simply needs ministers and David Nicholson, the NHS's Chief Executive, to say they're willing to do things differently from now. Tony Collins

There is a solution to slow logon, logoff times....Sun Rays. Remove the smartcard and the session is suspended (not logged off). Insert it again and re-enter the PIN and the session is resumed immediately.

The problem is not with the NPfIT infrastructure, but more with the local computing capability. Traditional PC's are not designed to enable rapid logon and logoff - Sun Rays are.

While this clearly illustrates that the NHS is not complying with the requirements of the Data Protection act to take all reasonable measures to protect and secure confidential information by implementing a standard biometric or RFID staff authentication system the clinical priority for medical staff to access clinical information to provide care needs to be recognised. What would have been the headline if the unamed doctor had not even been able to access the X-ray because they did not have a personal password? I suppose they could not then have made the mistaken interpretation that it was in the right place but rather the patient could then have died of starvation and no food at all!!

If even a fraction of what has been spent on CfH had been invested in a proper workable staff authentication solution together with a proper robust Role Based Access Control Model this would not have happened. This is something that does need to be done natioanally in standard format as clinical staff are mobile between sites.

We need to do something and we need to do it now and bringing in the 'Major Crime Investigation Team' is not the solution! After all we are told the other doctors also knew the shared password and the implication is clearly that they used it. Password sharing for these systems is the norm in the NHS across the UK.