PCT issues smartcards with identical PINs

Tags: booking   Choose and Book   GP   GP2GP   GPs   PCTs   Security  

07 Jun 2005

A primary care trust issued smartcards to all its practices which had the same PIN for every user; and furthermore, the number was stuck on the back of every card.

A GP in Essex told members of the online GP-UK discussion group about the breach of security procedures for the Connecting for Health smartcards, which happened at a practice already using the system.

He wrote: "One of the practices I work at has gone live with the smartcard, using it you can get into Phoenix for the practice data without a user name or password.

"You just have to put in your card and pin, unfortunately to make life easy the PCT's IT department gave everyone the same PIN number and stuck it on the back of the cards, software to allow you to change the PIN is due to be rolled out 'soon' , meanwhile if you lose your card the PIN number is available to the 'finder' who can access the spine and anyone's details."

The discussion was immediately picked up by Connecting for Health’s GP clinical lead Dr Gillian Braunold. She told the GP-UK forum: “I have alerted those in the highest levels of the agency to this breach and no doubt this will not be occurring again.”

Dr Braunold told EHI Primary Care that having a smartcard was an important part of the Connecting for Health system and teething problems were inevitable as the smartcards were rolled out to 1.2 million NHS staff.

She added: "In this particular case it was somebody not understanding what they were supposed to be doing. The cards have been withdrawn and reissued following the proper process and eGIF requirements. Thankfully no harm was done and it was put right very quickly. Mistakes will happen and we can learn from them."

PCTs across England are currently busy registering GPs for smartcards which will enable access to all Connecting for Health programmes including GP2GP transfer of records, electronic transmission of prescriptions and Choose and Book.

PCTs need to register 30 per cent of GPs for smartcards by the end of this month as part of the Choose and Book incentive targets which will enable them to receive £6,000 per average practice.

Dr Braunold said the Choose and Book software was under continual review and that the Connecting for Health clinical leads were feeding back the issues that the profession raises. She said more than 1,000 bookings have now been made using Choose and Book.

She added: "Those doctors and patients concerned are pleased with the way it's going and I think we will see an incremental growth in confidence."

She said her own practice in Kilburn, north London, had signed up for Choose and Book and was waiting for local hospitals to release appointments so they could begin to use it.

She said she planned to book appointments with the software as part of the consultation for some patients where she thought it appropriate and refer the rest to the booking management service.

Dr Trefor Roscoe, a GP in Sheffield and member of the British Medical Association’s General Practitioner Committee, said he believed smartcards were the best way of regulating access under the circumstances and had been impressed with the way they had been set up.

He said it was still very early days for Choose and Book and that GPs needed to discuss the scheme with their PCTs and see whether it was in their interests to take part.

He told EHI Primary Care: “I think it's too early to say whether it's going to be good, bad or indifferent. The GPC are very worried about the time involved but people are listening to us and there is development going on.”

© 2005 E-HEALTH-MEDIA LTD. ALL RIGHTS RESERVED.

Reader's Comments

1

Why do we need a Card and PIN

hfdgp@aol.com

07 Jun 05 21:06

Oh dear, I hoped we were progressing. Surely we only need a card and a good security/audit system; we are not giving out money, only poisons. Or am I being naive?

Chris Frith Hereford GP


2

Outraged or tickled?

08 Jun 05 10:06

Sorry folks, I know this is a serious subject, but on top of all the other NPfIT misgivings I've learned of lately I just had to laugh at this one. In fact, and somewhat ironically, it's given me such a laugh that it's made my week!

Portsmouth Area HOI


3

RE: Why do we need a Card and PIN

08 Jun 05 18:06

I don't think naivete was involved in this comment, just understanding, or the lack thereof, of what the cards actually do.

The card will be programmed with your job role and the organisation(s) at which you work. It is essential, therefore, that people don't share their cards and also essential that PINs are unique. I can understand that the PCT in question probably had many people forget their PINs and, depending on how many staff members work at the organisation, it was probably anticipating a nightmare in deploying new PINs. It is a mammoth operation.

They did miss the point, however, which is that PINs are designed to be personal. That's what the P stands for. So although the reasons seem valid, to maintain any confidence in the new systems (and the grass roots staff at the PCT must be scoffing at the security issues right now) the rules must be adhered to, however long winded the situation is.

The fact is that, in reference to this comment, the cards are cards (obviously) AND a good security system, if the implementation is handled correctly. Would you accept a duplicate PIN from your bank account? a duplicate Bank Account number? Of course not.

The fact that we're not giving out money is immaterial. To some people the confidentiality of their health records is worth more than money. It is episodes like this that undermine the entire programme in the minds of the very people that it is designed to benefit.


4

Security

09 Jun 05 01:06

When an IT department screws up something so basic as this, it makes me wonder what the IT security is like in the area in general (email or the local PCT PAS system, for example). It must be very lax, hence patient data is already at risk. This IT department needs to be investigated very carefully and its security checked, and perhaps a few senior managers' wrists slapped for failing to ensure adequate staff awareness/training.


5

Further to: Do we need card and PIN?

hfdgp@aol.com

09 Jun 05 13:06

Thanks for your comment:

I agree data is more important than money but I suppose what I meant to say was easy access is important to the health workers. I would prefer biometric ID and the same ID to be used for our clinical software. I trust healthcare workers to not need PINs but only if they can see the origin of the data and know that security checks are occurring in the background; this is not dissimilar to ordering goods on the internet?

Chris Frith Hereford (Worried C&B will not work as practicalities do not appear to have been fully considered yet.)


6

Pushing water uphill

10 Jun 05 09:06

I work for a software company who provide compliance solutions for financial/healthcare/mortgage and military institutions. We have deployed secure solutions all around the world and include the US military amongst our large clients.

My point, well....we can get to speak to large non-UK government organisations and we have no problems working within the UK private healthcare sector but can we get anywhere in the NHS.....no chance whatsoever. Too small, too cheap, not one of the big consulting firms, etc etc.

And who do they choose? People who allow smartcards with identical PINs and with the number written on the back.

We stopped trying to push the water uphill and now just watch and laugh!


7

Card and PIN

10 Jun 05 09:06

Would it be too cynical to suggest that the rush to hand these cards out was linked to the incentive payment?

Going through the registration authority process certainly IS time-consuming and may seem a little bureaucratic. But it's based on the well established principle that to gain access you need two things: something that you have (the card) and something you know (the PIN). The RA process clearly documents the need for staff to choose a PIN at the time the card is issued. Maybe it would be less concerning if Choose and Book was the only application affected - but this is the security framework for the whole care record system.

There does need to be a certain degree of trust shown in healthcare workers. Anyone interested in the boundaries of this might like to ask their system administrator to run an audit on your own health record. You might be surprised how many of your colleagues have accessed your record. I was...
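The "something you have plus something you know" check described in the comment above, as an added example that is not part of the article, the comment thread, or the NHS registration-authority software: a small Python model of a registry that accepts a PIN only from the card holder at issuance, stores a salted slow hash rather than the PIN itself, and locks a card after a few wrong guesses. The class and function names, the three-attempt lockout, the four-digit PIN length, the banned-default list and the sample card IDs and PINs are assumptions constructed for illustration.

```python
"""Added example (not from the article or the comment thread): a minimal
model of card-plus-PIN verification. Names, the lockout threshold and the
banned-default list are assumptions for illustration, not the NHS RA process."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 3                                 # assumption: lock after three wrong PINs
PIN_LENGTH = 4                                   # assumption: four-digit PINs, as in the thread
BANNED_PINS = {"0000", "1111", "1234", "4321"}    # assumption: issuer defaults, never accepted
PBKDF2_ROUNDS = 50_000


def _hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash so the registry never holds the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class CardRecord:
    salt: bytes
    pin_hash: bytes
    attempts: int = 0
    locked: bool = False


class Registry:
    """Registration authority: issues cards and checks card + PIN."""

    def __init__(self) -> None:
        self._cards: dict[str, CardRecord] = {}

    def issue(self, card_id: str, holder_pin: str) -> None:
        """Enrol a card. The PIN comes from the holder, never from the issuer;
        a well-known default that an issuer might hand out in bulk is rejected."""
        if card_id in self._cards:
            raise ValueError("card already issued")
        if not (holder_pin.isdigit() and len(holder_pin) == PIN_LENGTH):
            raise ValueError(f"PIN must be {PIN_LENGTH} digits")
        if holder_pin in BANNED_PINS:
            raise ValueError("PIN is a known default; holder must choose another")
        salt = secrets.token_bytes(16)
        self._cards[card_id] = CardRecord(salt, _hash_pin(holder_pin, salt))

    def verify(self, card_id: str, pin: str) -> bool:
        """Both factors: the card must be present (a known id) and the PIN must
        match. Wrong guesses are counted and the card locks, so a finder cannot
        simply try every four-digit value."""
        rec = self._cards.get(card_id)
        if rec is None or rec.locked:
            return False
        if hmac.compare_digest(rec.pin_hash, _hash_pin(pin, rec.salt)):
            rec.attempts = 0
            return True
        rec.attempts += 1
        if rec.attempts >= MAX_ATTEMPTS:
            rec.locked = True
        return False

    def is_locked(self, card_id: str) -> bool:
        return self._cards[card_id].locked


def finder_attack(registry: Registry, card_id: str, guesses: list[str]):
    """Someone who picked up a lost card tries each guess in turn.
    Returns the number of guesses needed, or None if the card locks first."""
    for n, guess in enumerate(guesses, 1):
        if registry.verify(card_id, guess):
            return n
        if registry.is_locked(card_id):
            return None
    return None


def lost_card_with_holder_pin():
    """Holder chose the PIN and kept it secret: the finder is reduced to
    guessing and the card locks after MAX_ATTEMPTS wrong tries."""
    reg = Registry()
    reg.issue("card-0001", "5827")               # constructed sample card and holder PIN
    return finder_attack(reg, "card-0001", ["1234", "0000", "1111", "5827"])


def lost_card_with_pin_on_the_back():
    """The failure mode from the article: with the PIN stuck to the card the
    lockout never comes into play, because the finder's first guess is right."""
    reg = Registry()
    reg.issue("card-0002", "7391")               # constructed; the value everyone was given
    return finder_attack(reg, "card-0002", ["7391"])


if __name__ == "__main__":
    print("holder-chosen PIN, finder locked out:", lost_card_with_holder_pin())
    print("PIN on the back of the card, guesses needed:", lost_card_with_pin_on_the_back())
```

The second scenario is the instructive one: the registry cannot tell that "7391" was handed to every holder, since it only ever sees one salted hash per card, so no amount of hashing or lockout compensates for an issuance process that lets the issuer pick the PIN and attach it to the card. The control has to sit in the RA process (holder chooses, issuer never sees the PIN), which is the point the comment makes.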


8

Might not have been accidental

russell.mcdonell@humenet.com.au

10 Jun 05 11:06

PIN registration and PIN maintenance ["I forgot my PIN"] is one of the biggest, least recognised overheads in any IT department. And it's always under-resourced. Perhaps this was a case of IT demonstrating exactly what it was resourced to do, in order to demonstrate exactly how under-resourced it really is. ["If you wanted them to all have separate PINs, then you should have given me the staff I need to look after thousands of 'lost PINs'"]


9

RE: Might not have been accidental

11 Jun 05 10:06

If that were the case then it surely illustrates why the IT department are the last people to be responsible for such tasks.

Confidentiality is not something your average IT department takes seriously...how many systems allow IT admin/system access to record data...and how many leaks occur because of that.


10

Card and PIN - from an IT perspective

13 Jun 05 13:06

Whilst not wanting to condone the behaviour of another trust's IT Department in issuing cards not only with identical PINs but actually having that number stuck on the back (surely redundant if all cards had identical PINs) I feel that some of the comments lack balance.

Let's be honest about security - how many staff members within a GP practice regularly use a computer on which somebody else is logged on? (This applies to all regular staff as well as locums.) It's quite a few, isn't it? This makes all the current auditing on your clinical systems inaccurate - which is fine until something like a legal challenge has the audit trail produced and inaccurate data was entered by a user who was not even at the practice that day and can prove it. This should not be happening now but does, due to lax enforcement of existing IT security policies within General Practice. Hopefully, in future, people will log on using only their own cards as they will be legally responsible for any data entries made against their login.

Has anyone commenting ever tried to set up several hundred users with passwords or PIN numbers? It is not easy, especially as users struggle to suggest a password when asked and opt for one they already use elsewhere! Users at my PCT will have unique PINs (if any are repeated they will be at different sites) but provided for them, as happens with the bank system. The majority of RA01 forms for GPs that have been processed at my Trust have shown that the majority of GPs do not know their own NHS Practitioner's code (e.g. G1234567), so asking them to come up with a four-digit PIN they can remember hardly inspires me with confidence.

Confidentiality is something that my IT Department takes very seriously - we completed the Information Governance return on behalf of our Trust, and lazy comments that "confidentiality is not something your average IT department takes seriously" are a bit rich given the number of confidential patient records or letters or test results I have come across lying around in GP sites, or left on display screens, or still stored on PC hard drives that GP sites claimed to have been wiped.

Apologies if this reads like a bit of a rant but I felt some of the generalised comments made above about IT Departments were at best unfair and at worst completely ill-informed.


11

What are we paid for

13 Jun 05 14:06

Surely we are paid to get it right, not to take the easy way out; that is why we exist. If we as IT departments are constantly ignoring or avoiding good practice, I think the general public and our customers should have a very serious lack of confidence in our abilities. Effectively, those persons ignoring regulations and good practice are not doing their jobs and should be disciplined or sacked. If there is a resource issue, slapdash methodology is NOT a way to resolve it; make the people on the project slow down and expand the timescale, or give you more staff. Get the managers to do their jobs instead of risking security and patient information to please others.


12

practice security

s-hancock@audit-commission.gov.uk

23 Jun 05 16:06

As an IT auditor I once ran some IT security awareness sessions for GP practices (in Essex as it happens). Practice staff were keen to learn but starting from a very low state of awareness (back-ups, what back-ups?). So, although Chip and PIN provides good security, I wouldn't bet on it being used properly. As regards IT staff, my general experience is that they do take security seriously, but PCTs generally are hugely under-resourced for IT and certainly wouldn't usually have anyone specialising in security. Not that that can excuse what happened here, which hardly required expertise.


13

Don't shoot the messenger

russell.mcdonell@humenet.com.au

07 Jul 05 09:07

It's not a question of whether IT should, or shouldn't, be made responsible for security. It may not matter who it is. Health has a terrible history of allocating responsibility without providing the necessary infrastructure, support or authority for people to act responsibly. If IT was told to "get those cards out today" and they had no authority to say "NO", then don't blame the messenger. It doesn't matter how many times you say "but..". If you don't have the authority to say "NO", then it doesn't really matter.

I've seen supply managers castigated for bad contracts that they didn't even sign, or which they authorized on the advice of medical staff, but were given no time to review the alternatives. We have unit managers responsible for budgets, but we give them no way of controlling throughput. We have people responsible for quality, with no authority to implement their recommendations. We've got members of the executive purchasing the PDA of their choice, and demanding that IT make it work and teach them how to use it, even though it's something that nobody in IT has ever seen. At every level, in every department, we have people for whom acting responsibly is not an option.

So is IT the worst - the most stressed, the most under-resourced? No, nursing is and always has been. But IT has historically been under-resourced and the current climate won't be helping the stress levels. But taking work away from IT and giving it to people who are IT savvy, or giving it to consultants who are IT savvy but know nothing about the business of health, isn't the solution either. For this to work we need to double, or triple, the number of people with 15 years or more of Health IT experience working at the coal face. Good luck. Every health system around the world is in the same boat.
