NHS Password Sharing and Business Requirements

I was reading with interest Tony Collin’s blog on password sharing in the NHS. In my view the problem is that the system being used was not designed to take into account the way that the customers need to access information. If somebody had bothered to observe and ask about the way that doctors work on the wards, then the system would have taken their requirements into account. I’m making a rash and unqualified assumption here, but I’ve seen plenty of examples where new systems are planned by over-enthusiastic CIOs intent on making their mark but then fail because they forgot to account for the simple fact that nobody actually asked for it!

Recently I was chatting with the IT manager from a branch office of a large organisation. His company has recently implemented a new regional network. Employees within the office are in some disarray because, prior to the new network being implemented, they were using MSN Messenger for video conferencing with clients. With the new network it’s banned under the security policy. Now, I’m not going to get into an argument about what the security risks may or may not be. In fact, it’s irrelevant. The reason is that usage of this application was a business requirement and somebody should have taken that requirement into account. The fact that they didn’t means a work-around has to be found. It’s work-arounds that cause the security issues – and that’s precisely what has happened with the NHS system.