The UK's largest NHS trust has discovered endemic sharing of passwords and log-in identifications by staff, recording 70,000 cases of "inappropriate access" to systems, including medical records, in one month.
The Leeds Teaching Hospitals NHS Trust said there was a "wholesale sharing and passing on of system log-in identifications and passwords" and it warned that uncontrolled access "presents a considerable risk to the security of patient data" and consequently puts the trust at risk.
The Leeds trust is the largest in the UK and includes the biggest teaching hospital in Europe. It has a budget of £730m, employs 14,000 people across eight sites and treats about one million patients a year.
A management paper to the trust's main board, dated 6 July, said that in one month alone "70,000 examples were detected of inappropriate access of IT systems by trust staff". The paper added, "This took the form of wholesale sharing and passing on of system log-in identifications and passwords. The system misuse was widespread across departments, sites and disciplines."
Doctors said the sharing of codes which give access to NHS systems and medical records was an ingrained practice within the NHS. This culture was recognised as a threat to the confidentiality of medical records which are due to be uploaded from local systems to a national data spine under the NHS's National Programme for IT (NPfIT).
Under the NPfIT, sensitive information on 50 million people in England is due to go online, although this has not happened yet. NHS managers can discipline staff after a breach has occurred - but they cannot stop it happening.
Last year, in answer to a parliamentary question from MP Richard Bacon, the then health minister Liam Byrne confirmed that a number of smartcards issued under the NPfIT to GPs in Essex had the same personal identification number for every user.
Leeds trust is expected to introduce a new security policy which it said "aims to ensure proper control over the granting of access to trust systems and data".
● Problems with a BT-built NPfIT system to track NHS childhood vaccinations could be putting children at risk, according to the Health Protection Agency. In the independent agency's Communicable Disease Report, it said that national trends on vaccination were not available for the third consecutive quarter because of problems implementing the system. The vaccination system had no information on 51,500 children in London.
Vote for your IT greats
Who have been the most influential people in IT in the past 40 years? The greatest organisations? The best hardware and software technologies? As part of Computer Weekly’s 40th anniversary celebrations, we are asking our readers who and what has really made a difference?
Vote now at: www.computerweekly.com/ITgreats