Smartcard sharing - comment by Martyn Thomas

Martyn Thomas, one of the 23 computer scientists who have called for an independent review of the NHS’s National Programme for IT [NPfIT], has questioned how one part of the health service has ended up with smartcard sharing.

His comments were prompted by Computer Weekly’s disclosure that the board of South Warwickshire General Hospitals NHS Trust has approved smartcard sharing for some clinicians. The reason for the apparent breach of security is that doctors in a busy A&E department do not have time to log on every time they need to access a PC that provides links to the patient administration system and the Care Records Service, a key part of the NPfIT. It can take up to 90 seconds to log on.

When our article was followed up by the national and regional press, Connecting for Health, which oversees the IT element of the NPfIT, issued a statement that appeared to give qualified acceptance to smartcard sharing.

Martyn Thomas says:

“If sharing smartcards is secure, it should have been in the security policies from the start. If context switching can be unacceptably slow, there should have been explicit upper limits for the time allowed, stated unambiguously in the specifications. So: did the specification omit this essential requirement (in which case, what other essential requirements have been overlooked?); or did the output-based specification state a time limit that has not been achieved? Or did the output-based specification specify a time limit that was too long in practice (in which case, what else have they got wrong by failing to prototype adequately before letting contracts?).”

Martyn Thomas is a Visiting Professor in Software Engineering at Oxford University.