NHS has lost thousands of smartcards

Over four thousand smartcards used to access NHS computer systems have gone missing, according to reports in a medical publication.

Pulse, a magazine for GPs, requested the statistics under the Freedom of Information Act. The information it received from National Health Service's (NHS) IT group Connecting for Health (CfH) showed 4,147 smartcards had gone missing since the systems were implemented. Some 1,240 disappeared in the last year alone.

Not all were misplaced, either. At least 142 were stolen, with 17 appropriated from Hammersmith and Fulham Primary Care Trust. Pulse said one trust in ten had no idea how many cards had gone missing.

So far, such cards have been issued to just under half a million NHS staff, but Pulse said that number will eventually pass 1.2 million.

The missing smartcards could not necessarily be used to access any NHS computers, however. Like most smartcard systems, the card is just one part of the two-factor authentication required to access computers. CfH said their cards require a six-digit pin code.

A CfH spokesman told the BBC: "There is no evidence that any security breaches have ever arisen from lost of stolen cards."

CfH also said any cards reported stolen or missing had been disabled. But Pulse claimed: "In almost every case, lost or stolen smartcards were reissued automatically without investigation, and no disciplinary action has been taken against any staff member."

The smartcard system is part of the National Programme for IT - one aspect of which is a UK-wide records system. Such a records system was recently panned by doctors as insecure in a recent survey by the British Medical Association.

Pulse's deputy editor Richard Hoey told the BBC: "The real message here isn't how many smartcards are being lost, but how many trusts are failing to keep proper records or gear themselves up to deal with security breaches."

This latest security problem is just the latest in a line of UK data breaches. With that in mind, security analysts came down hard on the NHS and its processes.

"It seems to me that there's a lot of best practise, which is well understood by industry, and supposedly mandated by government... but nearly every breach clearly would have been prevented if people had followed best practise," said Mike Small, director of security management for CA.

Small said the key to this latest trouble is how the technical objects are controlled, suggesting process is the most important. "If you have smartcards, how do you manage them?" he asked.

"My concern about this is that organisations can be lulled into a sense of security by what seems to be very strong technology," Small said. "But the weakest point is still the weakest point... and that's often the human aspect."

Despite the lost cards, such a system is necessary, said Paul Malcolm, UK general manager Sentillion, a healthcare identity management firm.

"Smart cards give health workers access to the centralised database of patient records, and while this does seem to create a security concern, it is important to keep perspective and remember that this system has been introduced to give patients a greater quality of care," he said.

But he added that a second authentication method was vital. "Of course it is also important to make sure that all this private information is only available to the correct people, and this is why the second factor of authentication is so critical," he said.

Email to a friend

Print this page

Social Bookmark this article: What is this?

Digg

Delicious

Reddit

StumbleUpon

Slashdot

Google

Facebook