Post-it notes for passwords - an NHS option?

My colleague Philip Virgo, who blogs for Computer Weekly and is Secretary-General of the Parliamentary and IT industry body Eurim, sent me a comment earlier this month which raises important matters.

He pointed out that NHS consultants may have to keep track of dozens of passwords which change regularly – and those who may be able to help with lost passwords tend to keep office hours only.

Virgo says:

“Little black books and post-it notes are the only option if you are not to resort to the ultimate sin of shared passwords – when your professional indemnity insurance (and thus your future employability let alone your reputation) depends on what is done in your name.”

This raises an interesting question which has never been satisfactorily answered: How can the need for health information to remain confidential be reconciled with big NPfIT databases of medical records and the password-sharing, post-it-note culture of the NHS?

Medical consultants can argue that their priority is treating patients and sometimes saving their lives. Should they spend less time on patients and more on the management of their passwords?

In short, big NPfIT databases of health information may be a good idea made impractical by the security culture of the NHS. This basic weakness should have been properly thought through – and wasn’t – before the NPfIT was announced.

It’s unlikely that the password-sharing culture will stop because of the National Programme for IT. What will change is that hundreds of thousands of NHS staff will be able to access much larger databases than before. If the NPfIT ever works.

To this, Whitehall officials would say that NPfIT databases are much more secure than paper records and there’s always an audit trail. But audit trails don’t work when passcodes are shared.

