Smartcard sharing - a breach of IT security or a way around slow access to NHS Care Records?

If NHS security breaches, for practical reasons, occur when there is a database of health records on 50 million people in England, how much trust can be put in the integrity of new national systems?

Or perhaps top-notch security is less important than making it easy for doctors to access a reliable electronic health record quickly.

When Connecting for Health first learned that the board of an NHS trust was allowing some of its staff to share smartcards, it made clear in a statement to Computer Weekly that it abhorred such a breach of security.

The agency’s statement said:

“The policy and guidance on NHS Care Records Service registration is unambiguous – smartcard sharing is considered misconduct and should be dealt with as such via local disciplinary procedures or through professional bodies. On receiving their smartcard, users sign to say they acknowledge those policies and agree to abide by them. All access controls are there to help local organisations implement proper governance of information access but at the end of the day it is a matter for local NHS organisations.”

By the time the general national news media followed up Computer Weekly’s article on the sharing of smartcards at South Warwickshire General Hospitals NHS Trust, Whitehall health officials seemed to be more understanding of the practice.

Responding to Computer Weekly’s article, Connecting for Health told the Press Association:

“There is no question of the confidentiality of patient data having been compromised by South Warwickshire General Hospitals NHS Trust. The security of patients’ information depends on two key factors: technical safeguards and the observation of procedures and rules by clinicians and staff. Connecting for Health has laid down clear procedural guidelines, backed up by strong technical safeguards, for the handling of patient information within the NHS. The Trust is aware of the need to revert to the normal policy framework for the use of smartcards and, as these early issues relating to the speed of the application are resolved, it is hoped this will happen in the near future. Responsibility for the security of patient information ultimately lies with individual Trusts, hospitals and NHS organisations. In the case of this Trust a small number of staff were authorised by the Trust’s board to share smartcards. These were all clinical staff, bound by their professional codes of confidentiality, operating in a secure non-public part of the hospital.”

Possibly this less harsh approach to the trust board decision to share smartcards was because Whitehall officials realised that South Warwickshire had little choice.

If they didn’t share smartcards, the work of the accident and emergency department would have slowed down, with doctors waiting up to 90 seconds every time they logged on and off.

What follows is a fuller version of the article that appeared in Computer Weekly. Links to the source material are at the end of this article.

An NHS trust board has approved the sharing of smartcards – a breach of security under the £12.4bn NHS IT programme – because slow login times would otherwise restrict the time of doctors who are busy treating emergency patients.

The decision of South Warwickshire General Hospitals NHS Trust raises a question of whether a key Care Records Service system installed under the National Programme for IT [NPfIT] has been supplied with busy hospital departments in mind.

The advantage of smartcard sharing is that it allows doctors to carry on their work as normal, without having to wait at PCs while clinicians log on and log off patient record systems.

The drawback is that it is a fundamental breach of IT security under the NPfIT programme because, with smartcard sharing, the system’s audit trail will not always identify every clinician who has accessed confidential patient information.

The smartcards provide access to a national data “spine”, supplied by BT, on which confidential patient data on 50 million people in England is due to be stored.

Connecting for Health, which runs the NPfIT, has stated that smartcard sharing among NHS staff is “misconduct”. In a paper dated 26 July 2006, Connecting for Health said: “Smartcard sharing is considered misconduct and may result in disciplinary action.”

But South Warwickshire General Hospitals NHS Trust says that end-to-end logon times of new systems it installed under the NPfIT National Care Record System programme are too long for “high activity areas such as Accident and Emergency”.

The board of the trust has approved the sharing of smartcards in its Accident and Emergency department after it implemented an NPfIT patient administration system last month. The system was supplied by local service provider CSC and software company Isoft.

Duncan Robinson, Director of IT at the trust, told Computer Weekly that the trust has decided specifically in Accident and Emergency to depart slightly from what he called security “guidelines” and to allow the sharing of PC smartcards.

It means that two people, the shift leaders, use their smartcards for an entire shift and share their PCs with doctors, who do not have to log on or off individually using their own smartcards.

The trust is concerned that logging on can take up to 90 seconds and may involve several screens. Without smartcard sharing, doctors who are using a secure PC and are called away while accessing a file may have to log off and on again when they return to the patient’s file.

Smartcard sharing means that, using the shift leader’s smartcard, more than a dozen clinicians and nurses can access files on the machines without logging on and off each time. PCs logged into the new systems may be left unattended – but they are in a secure area not readily accessible by the public, says the trust.

The trust says that smartcard sharing has been risk assessed and involves closely monitoring data access and throughput. “The monitoring process revealed no breaches of security and/or patient confidentiality,” said Robinson.
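The monitoring the trust describes has to work from an audit trail in which one shift leader’s card stands in for a dozen users. As an added illustration (not code from the trust, Connecting for Health or the article), the script below runs a simple heuristic over a constructed audit log: it groups accesses per card and workstation into sessions and flags those whose unbroken duration or number of distinct patient records is beyond what a single clinician would plausibly produce. The log format, the idle gap and the thresholds are all assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Constructed sample log: timestamp, smartcard id, workstation, patient record.
# CARD-0001 is used all morning on one A&E PC; CARD-0002 shows ordinary use.
SAMPLE_LOG = """\
2006-09-04T08:02:00 CARD-0001 AE-PC-01 P100
2006-09-04T08:42:00 CARD-0001 AE-PC-01 P101
2006-09-04T09:20:00 CARD-0001 AE-PC-01 P102
2006-09-04T10:00:00 CARD-0001 AE-PC-01 P103
2006-09-04T10:40:00 CARD-0001 AE-PC-01 P104
2006-09-04T11:18:00 CARD-0001 AE-PC-01 P105
2006-09-04T11:58:00 CARD-0001 AE-PC-01 P106
2006-09-04T12:36:00 CARD-0001 AE-PC-01 P107
2006-09-04T08:10:00 CARD-0002 WARD-PC-03 P200
2006-09-04T08:25:00 CARD-0002 WARD-PC-03 P201
"""
IDLE_GAP = timedelta(minutes=45)   # assumed: a longer pause is treated as a logoff
MAX_SESSION = timedelta(hours=4)   # assumed: unbroken use beyond this looks shift-long
MAX_PATIENTS = 6                   # assumed: more records than one clinician would open

def parse(log):
    """Parse the constructed lines into sorted (timestamp, card, workstation, patient)."""
    rows = (line.split() for line in log.strip().splitlines())
    return sorted((datetime.fromisoformat(ts), card, ws, p) for ts, card, ws, p in rows)

def sessions(events):
    """Split each (card, workstation) stream into sessions wherever an idle gap occurs."""
    out, current = [], {}
    for ts, card, ws, patient in events:
        s = current.get((card, ws))
        if s is None or ts - s["end"] > IDLE_GAP:
            s = {"card": card, "ws": ws, "start": ts, "end": ts, "patients": set()}
            current[(card, ws)] = s
            out.append(s)
        s["end"] = ts
        s["patients"].add(patient)
    return out

def flag_shared_use(log):
    """Return (card, workstation, reasons) for sessions consistent with card sharing."""
    findings = []
    for s in sessions(parse(log)):
        span = s["end"] - s["start"]
        reasons = []
        if span > MAX_SESSION:
            reasons.append("session spans %.1f h" % (span.total_seconds() / 3600))
        if len(s["patients"]) > MAX_PATIENTS:
            reasons.append("%d distinct patient records" % len(s["patients"]))
        if reasons:
            findings.append((s["card"], s["ws"], reasons))
    return findings
```

A flagged session only says the access pattern does not look like one person; tying individual record views back to the clinician who made them is exactly what the shared card has already made impossible.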

Robinson added that Connecting for Health is “working with its suppliers to considerably reduce logon time.” When this happens to the satisfaction of the trust its “sharing policy will be reviewed.”

South Warwickshire General Hospitals is the first NHS trust to decide officially to share smartcards. Ross Anderson, Professor of Security Engineering at Cambridge University, says the practice of sharing security credentials is, however, endemic in the NHS. He says the sharing of smartcards indicates that there may be little or no accountability for unauthorised access to the records of 50 million people.

GP Paul Cundy, spokesman for the British Medical Association’s GP IT subcommittee said the actions of the trust “drive a coach and horses through the so-called privacy in the new systems.”

He added: “This is precisely what we have long predicted and shows that security systems, although highly specified on paper need to be tested and proven against live environments before they can be said to be secure.”

Peter Sommer, a member of the Advisory Board of the London School of Economics’ Computer Security Research Centre, says the possible loss of a reliable audit trail may be one outcome of designing and installing a system that is “not good enough to cope with real life.”

South Warwickshire General Hospitals NHS Trust board paper on smartcard sharing – here.

South Warwickshire General Hospitals NHS Trust – Statement to Computer Weekly – here.

Expert comment on smartcard sharing – here.