I know that this isn’t supposed to be a blog for passing comment on the news and that you are all reading this because of my detailed expose of everyday life at the sharp end of risk management. However, I saw this article on the front page of Computer Weekly and couldn’t resist taking a swipe of my own. Here’s the headline:
An NHS trust board has approved the sharing of smartcards, in breach of security policy under the £12.4bn NHS National Programme for IT (NPfIT), because slow log-in times would restrict the time of doctors treating emergency patients.
This short sentence and few words says much more that the words alone. It says that there can be no guarantee of the identity of someone accessing private records; it says that the integrity of log files and audit records is compromised because it can never be proven who accessed what and when; it says that there is a compromised accountability for the use of private data; it says that there is a blatent disregard for privacy and controls that are usually in place to mitigate the risk of privacy being violated. It also says that the system was not designed taking into account the requirements of a busy department to access data as expediciously as it needs to hence the perception of a need to circumvent security.
It’s a disturbing story. What disturbs me most is the retort of “the monitoring process revealed no breaches of security.” Monitoring what? It’s a breach of security every single time a smartcard is shared. Those words alone make me go pale because they demonstrate a total lack of regard for process within an environment where privacy is critical.
I’m not finished yet on this one.