
Smartcard access policy change

28 Oct 2008

NHS organisations are to be encouraged to switch from role-based access control to position-based access control for National Programme for IT in the NHS applications.

NHS Connecting for Health, the agency that runs the national programme, says position-based access control has been used informally by several NHS organisations for at least 18 months.

A spokesperson told EHI Primary Care: “Current developments enable this approach to be formalised and dedicated guidance and tools will be provided to support its wider deployment.”

Position-based access control defines access rights by post within an organisation. A user assigned to a position will become a member of relevant workgroups.

CfH argues that since posts may be filled by many members of staff, position-based access control should mean a significant reduction in administration costs and a more consistent allocation of access rights.

It says there are about 26,000 sponsors in NHS organisations who require training in role-based access control, and that this number will be reduced by the introduction of position-based access control.

The spokesperson added: “The existing governance around granting of access rights and workgroups is retained and built on. Staff may only be assigned to a position by a manager who has been granted specific responsibility for that position.

“For example, a ward manager would only be able to assign users to the ward clerk and ward nurse positions on their own ward.”

As well as making the access control system less unwieldy, position-based access control is also designed to eliminate the development of workarounds.

CfH has also issued guidance to users of the NHS secure network on the use of temporary smartcards when staff lose, forget or break their cards or need to provide services in a location or role for which they do not have an appropriate access profile.

It says the latter situation should be solved by the introduction of position-based access control.

Fiona Barr

© 2008 E-HEALTH-MEDIA LTD. ALL RIGHTS RESERVED.

Reader's Comments

1

Dilly - Dally

28 Oct 08 13:10

Marvelous - Considering the amount of work put into developing this functionality across numerous applications - I imagine that Cerner and iSOFT must be thrilled at the prospect of changing it all?


2

Expectation management?

28 Oct 08 14:10

There may be more to this story. However taken at face value this policy does seem to undermine the vaunted medicolegal, forensic and security features promised for CfH systems.

"A doctor" negligently prescribed a harmful drug to the patient. "A manager" inappropriately accessed the detailed patient record of a member of staff. "A physiotherapist" opened the patient's sealed envelopes....

Perhaps this pragmatism reflects the remote prospect of such clinical functionality appearing in CfH systems?

Besides, how hard can it be to issue individual swipe cards to three Brummy podiatrists?


3

Just Not Thought Through!

28 Oct 08 15:10

Individual security credentials protect confidentiality, integrity and access to information with appropriate accountability. Credentials protect as well as offer accountability. I certainly would not want to be selected for governance reasons as an individual in a group who hold a post. Perhaps we could have one post for all consultants, one for all nurses, etc?

What happened to role-based security, legitimate relationships and patient envelopes? Can't deliver again?

Hey Ho! Back to the drawing board!


4

Online behaviour should be monitored

29 Oct 08 00:10

Why not just have one access level and then monitor users' behaviour? Every NHS employee with a logon should be subject to a set of rules about data access and confidentiality. Then each user's behaviour could be monitored in the same way that Barclaycard monitors a user's spending habits and rapidly identifies aberrant spending. Then each user only needs to justify his behaviour, e.g. my secretaries would soon be seen to look up blood test results, PowerChart "Problems and Diagnoses", discharge summaries and letters.

Another consultant's secretaries might never look up blood results - so as soon as one of them looked up results an alert could be sent to the line manager, asking the secretary to justify that behaviour. This would allow real flexibility in roles, and trust in NHS staff, and security in identifying the aberrant behaviour. New users could have their behaviour habits reviewed by the line manager after, say, 4 weeks in role.


5

Correction - existing controls are retained

29 Oct 08 08:10

All

The underlying role-based access control attributes (job role, areas of work and activities) are retained so that the approach is completely transparent to applications, which will therefore not need modifying.

Position Based Access Control, as indicated in the article: 'posts may be filled by many members of staff, position-based access control should mean a significant reduction in administration costs and a more consistent allocation of access rights.'

There is no lessening of the existing or planned access controls.

Dr Colin Fincham, Programme Manager Access Control, NHS CFH


6

A logical move forward

29 Oct 08 09:10

Having been involved in the National Workshops looking at this, I find myself in a strange position of actually defending NPfIT for a change. As mentioned in the article the concept of position based access is probably in use in most places already.

The idea is based on the fact that most organisations will have set positions, e.g. receptionist, ward clerk, nurse, etc who will have different access requirements within that position. If you employ an individual as a receptionist then they automatically inherit all the access levels needed to be a receptionist.

They are still given an individual smart card, for their individual access that will be logged and audited against any transaction. It simply means that as someone moves into a post, then the post defines the level of access.

This takes away the need for sponsors to understand the different levels and gives some consistency. The second reason why this is being done is to link in with the ESR system. Positions are already used in ESR and eventually ESR and SUD will be integrated. This actually adds to security.

Imagine you have a nurse on ward who has quite a high level of access (due to the position). They hate being a nurse so apply for a job as a receptionist within the same hospital. They are successful and start their new job as a receptionist the next week. On the ESR they are moved from the nurse position to the receptionist position. They instantly lose all the access levels of the nurse and inherit the access levels of the receptionist. No RA02, no sponsors, no delay. Now isn't that more secure?


7

Re: Correction - existing controls are retained

29 Oct 08 10:10

The confusion in the article which unfortunately persists in Dr Colin Fincham's clarification is whether there will (still) be

A. one card issued per individual [human], where the card represents a unique identity on the system and which only that individual should ever use. The card is never shared even with other individuals doing the exact same job. When the individual leaves that job the card [unique identity] is not reused

or

B. One card issued per group of individuals [say nurses on a given ward] OR multiple cards issued with a shared generic identity. Either way transactions appear on the system log as simply "Nurse on Coronary Care Unit".

Option B is closer to the "one card stays logged in all day and everyone uses the terminal" approach which has been used "informally" but destroys medicolegal and audit trails.

Please can Dr Fincham clarify further.


8

Clarification

29 Oct 08 11:10

All

To support the obligations of the NHS Care Record Guarantee it is essential that an individual's access can be identified; therefore (a) is correct:

'one card issued per individual [human], where the card represents a unique identity on the system and which only that individual should ever use. The card is never shared even with other individuals doing the exact same job.'

The last sentence, however, is incorrect: 'When the individual leaves that job the card [unique identity] is not reused'.

The identity can be reused as can the Smartcard, but the access rights associated with the job they are leaving are removed and when they start a new job the new access rights are allocated. The individual is still the same person having had their identity proven beyond reasonable doubt when first issued with a Smartcard (e-GIF level 3).

Where the individual no longer needs access to NHS CRS applications then their identity should be closed and their Smartcard destroyed.

Hope this clarifies the situation

Dr Colin Fincham Programme Manager Access Control NHS Connecting for Health


9

Comment is free

29 Oct 08 12:10

Reading the comments, one gathers that people are once again taking digs at the solution providers! I wonder how many of the commentators are NHS informatics staff?

It is not that the system of role-based access control is too unwieldy, nor is it that the providers could not design the solution. The truth is that the staff in the NHS did not want to adopt the system! Some staff did not want their access rights culled, whereas others did not want to take on the additional workload that new roles would entail.

We all bemoan the inefficiency and poor service (I never for a moment believe that the NHS gives poor service - I think it is the most wonderful health care system anywhere in the world!) that we all receive from the NHS and how good the systems in the USA are.

However, do we for once stand back and realise the fact that the staff of the various healthcare organisations in USA have such complex roles? How much more 'paper work' do they do? And despite that, carry out their 'medical' duties? One thing for sure is that they do not clock in and clock off!

So in short, 'physician heal thyself'!


10

Re: Re: Corrections

29 Oct 08 13:10

Thanks to Dr Colin Fincham for his clarifications.

Access control is - of course - somewhat hypothetical as the chances of anything materialising through CfH to be accessed appear to be increasingly remote.

Good to know, though, that someone at CfH is thinking through the "what if" scenarios!

(post edited by EHI)


11

General misunderstandings

30 Oct 08 10:10

Given that the vast majority of users actually have no idea how the security model works, it's hardly surprising there is some level of misunderstanding. A smartcard dictates WHAT you can do; a work group/legitimate relationship says WHO you can do it to.

The vast majority of NHS staff fall neatly into categories (Nurse, Ward clerk, Health care assistant etc), so instead of setting each individual nurse with an identical profile to the next nurse, set just one profile for all nurses. These can then be individually tweaked for the occasional nurse who needs slightly different access to all the others.

Therefore when someone is employed as a ward clerk for hospital X, to work in directorate A, on wards B & C, her individually authorised smartcard will say that she (Betty Boop) is allowed to perform her role as a ward clerk (her position-based profile) and which organisation she is allowed access to (hospital X). She will have been electronically placed by her RA agent, into the appropriate workgroup for wards B & C within the parent workgroup for Directorate A. Therefore she can ONLY access and work on the records for those patients with whom she has a legitimate relationship i.e. patients on wards B&C in Directorate A.

The same will apply to anyone holding a "generic" role, whether it be a nurse, a doctor or a porter. Their access level will be set for the post, but they will still have individual logins, and the audit trail will still show who has done what. It simply makes the initial set up a bit easier.
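The model described in the article and in the comment above, sketched as an added example (not part of the original article or comments, and not NHS or CfH code): a position bundles what may be done and for which workgroup, only the responsible manager can fill it, and every decision is logged against the individual. All class, position, manager and user names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Position:
    name: str
    activities: frozenset   # WHAT the post holder may do
    workgroups: frozenset   # WHOSE records (legitimate relationship)

@dataclass
class Registry:
    positions: dict = field(default_factory=dict)    # name -> Position
    responsible: dict = field(default_factory=dict)  # manager id -> position names
    holder: dict = field(default_factory=dict)       # user id -> position name
    audit: list = field(default_factory=list)        # one row per access decision

    def assign(self, manager, user, position):
        # Only a manager granted responsibility for the position may fill it.
        if position not in self.responsible.get(manager, set()):
            raise PermissionError(f"{manager} is not responsible for {position}")
        # Overwriting the old position removes its rights in the same step.
        self.holder[user] = position

    def check(self, user, activity, workgroup):
        pos = self.positions.get(self.holder.get(user))
        allowed = (pos is not None and activity in pos.activities
                   and workgroup in pos.workgroups)
        # The decision is logged against the individual, not the position.
        self.audit.append((user, activity, workgroup, allowed))
        return allowed

def demo():
    reg = Registry()
    # Constructed positions, managers and user ids (not from any NHS system).
    for p in (
        Position("ward-nurse-B", frozenset({"record_observations"}), frozenset({"ward-B"})),
        Position("receptionist-OPD", frozenset({"book_appointment"}), frozenset({"OPD"})),
    ):
        reg.positions[p.name] = p
    reg.responsible = {"mgr-ward-B": {"ward-nurse-B"}, "mgr-OPD": {"receptionist-OPD"}}
    reg.assign("mgr-ward-B", "user-1001", "ward-nurse-B")
    as_nurse = reg.check("user-1001", "record_observations", "ward-B")
    reg.assign("mgr-OPD", "user-1001", "receptionist-OPD")   # job change
    after_move = reg.check("user-1001", "record_observations", "ward-B")
    try:   # a ward manager cannot fill a post outside their own responsibility
        reg.assign("mgr-ward-B", "user-1002", "receptionist-OPD")
        refused = False
    except PermissionError:
        refused = True
    return as_nurse, after_move, refused, reg.audit
```

The audit rows returned by `demo()` carry the user id on both the permitted and the refused access, so the job change alters the rights without changing who is accountable.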


12

What's new?

andrew.beaumont@nhs.net

30 Oct 08 22:10

What is the difference between a job role and a position?


13

Job role vs. Position

31 Oct 08 13:10

It is simply a case of 'abstraction': currently if Betty Boop moves into a new job role, then the NHS Sponsor has to define exactly what she can/cannot do and what workgroups she belongs to for the Registration Authority staff to enact; with 'position', the rights and workgroups are all predefined, so all the NHS Sponsor has to do is to say that 'Betty Boop is to be a Receptionist Class 1' (whatever that may mean) with consequently fewer likely slip-ups and much easier administration.

It also means that a 'position' can be more carefully defined and authorised in advance without the rush of defining a job-role when bank staff are brought in on an emergency shift. Links with the Electronic Staff Record is a definite bonus too.

Would people ask questions first before shooting from the hip - though perhaps it is much more fun that way! Not all Greeks are liars, nor is everything that emerges from CfH necessarily stupid or incompetent.


14

Broken

31 Oct 08 14:10

The old model was too difficult, so they're changing (for the second time!) to a simpler one with less control.

We might as well stay with user tables within existing systems, and just concentrate on creating a single sign-on.

At least that would stop the clinic receptionist logging into and corrupting, say, the A&E system using the institution-wide 'receptionist' position-based access rights.


15

Unix permissions

31 Oct 08 17:10

Sounds more like the Unix permissions set. Everyone has a user id which allows them to have access to items that they individually own (in a permissions sense). Now CfH have introduced group permissions where members of a particular group such as nurse, doctor, receptionist can be allocated access to functions that are appropriate for that group. I presume the individual is still identifiable.

Now what we need is to add in location, i.e. access is also determined by the location you are connecting from, as most access is needed from users within a five mile radius but should be denied to those more than 20 miles away. This simple procedure would greatly enhance security in combination with the others and should not be difficult to implement.


16

Confusion Abounds!

02 Nov 08 14:11

As the author of 'Just Not Thought Through!' and a Health Informatics person with many thousands of computerised care record service users, I fear that we are dressing up the obvious as though it were new. The problem is confusion over NHS terminology and IT terminology.

If I understand the clarification correctly, everyone will have a unique identification, that is, individual security credentials. The individual will belong to a role based security group such as clinic administrator, theatre nurse, radiographer, etc. The base screen after login will be tailored to the role and perhaps user preference.

Having spent years ensuring adequate audit trails by individual and eliminating group accountability except for functions that have no clinical or corporate accountability, I would not want to see systems that confuse individual accountability.

Security and accountability are getting harder and tougher to implement at work, with care partners, and on the move or at home. Single signon with context-free application use across multiple systems is also a challenge.

Can we have some clarity of the direction of travel please?
