Smartcard security concerns
Connecting for Health is investigating widespread lapses in security stemming from misuse of smartcards used to access Choose and Book and other IT systems, writes Ian Cameron.
The organisation in charge of NHS IT reforms admitted the problems could pose a threat to patient confidentiality.
Anecdotal evidence includes clinicians and reception staff asking colleagues to look up information on their behalf; GPs not logging out before going on home visits and card holders writing passwords on cards.
Connecting for Health said it had completed an analysis of card use at one hospital in Sidcup, Kent, but was beginning a more fundamental review.
In the meantime its National Access Control Team is working with providers to improve log-on times, to allow more rapid transition between staff accessing the data spine.
'It should be recognised that access to NHS Care Records is fundamentally about changing behaviour and this is not achieved overnight, but practical steps are being taken,' it said.
Professor Mike Pringle, a GP clinical lead for the programme, admitted the importance of smartcard security had 'not necessarily been well-explained to people who hold them'.
He said: 'Many cards were issued without education being explicit. Documents were signed but many didn't read them properly. Training was not as
explicit as it should have been.'
Dr Paul Colbrook, a medico-legal adviser at the Medical Defence Union, said doctors had a duty to protect confidential information from improper disclosure and allowing others to access confidential information was a clear breach of GMC best practice rules. Sharing of computer log-ins if not smartcards per se had already shown dangerous precedent.
Dr Colbrook added: 'We are aware of doctors who were not working on a particular day having to assume liability because the audit trail shows their log-in had been recorded against an entry, and they could not provide evidence to show they had not been present.'
Dr Grant Ingrams, deputy-chair of the GPC's IT subcommittee, said: 'The people who designed it did not understand clinical practice.'