Having slated an NHS Trust in my blog yesterday for its misuse of smartcards, I was wondering how I would resolve the problem if it were up to me to manage the situation. Let’s review the problem: fast access to records is required; however, the system doesn’t allow users to gain access as fast as they need to in order to perform their jobs. The solution presently in place, as stated in the Computer Weekly article, is for smartcards to be shared – this enables the software to remain logged in and facilitates fast access to the necessary data.
The result is that confidentiality is at risk because anyone can access records without audit, and integrity may therefore be violated as well. Lastly, access is clearly an issue because of the way the system has been implemented.
So, can the sharing of smartcards, as described, be acceptable? The answer has got to be: perhaps. The most important things here are management and accountability, so if someone is sharing their card then that can be acceptable so long as a record is maintained of who it is being shared with and when. Here’s what I would do: make smartcard owners responsible for all transactions that occur using their cards, and maintain a written log next to the terminal so that people making use of someone else’s smartcard can quickly jot down the time and their initials when they use the system. It’s a simple, low-tech, cheap solution that manages the risk.
You could argue that users of the system will simply forget to sign the book, or that a malicious user could still violate the system. That’s all true, and you can never manage away all risk; however, at some point you have to determine the point of acceptable risk given the constraints.
As the security manager, I’m still not happy about smartcards being shared, but at least risk is being managed and there is accountability. While all that is going on, I trust there is also a plan to have the system modified so that these actions aren’t necessary for too extended a period. Risk mitigation actions that deviate from policy must have a clearly defined cut-off date; otherwise, what begins as a temporary measure ends up becoming acceptable practice.
Problem solved. Time to put the kettle on.