About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion





  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.


An unhealthy interest in databases

By Dave Birch posted Feb 27 2008 at 8:42 PM
[Dave Birch] The National Health Service's vast Connecting for Health programme has within it a fascinating identity management case study. In order to ensure the security of the system -- which naturally includes sensitive medical records -- the NHS decided to issue smart cards to all staff. Unfortunately, a recent assessment found

...serious weaknesses in controls over access to patient data, with more than 4,000 NHS smartcards already missing and one in 10 trusts admitting they had no idea how many cards had been lost or stolen.

[From Pulse - The GP's website - MPs told of new patient record breaches]
Many years ago, at a meeting of the Parliamentary IT Committee (PITCOM), I asked the then head of the programme, former management consultant Richard Granger, how security would be maintained in a system with more than a million users, and I was told (rather abruptly, as I recall) that I shouldn't worry about it because top security boffins had taken care of it, that a smart card would be required to access everything, that an audit trail would be kept, and so forth. Well,

The national rollout of the Summary Care Record is to take place this year and speaking during a debate over the committee’s inquiry into the rollout, Labour MP Keith Barron revealed examples where NHS workers breaching security controls had gone unpunished. Admitting he had previously believed the BMA to be scaremongering over the issue, he described one case in which no action was taken by a PCT after an employee gained access to identifiable patient information by persuading a district nurse to disclose her username and password.

[From Pulse - The GP's website - MPs told of new patient record breaches]
Wait a moment! What happened to the smart card that would be required to access identifiable patient information? The system started off by requiring an unrealistic level of security, millions of pounds were spent trying to build it, and then they went back to usernames and passwords? This does not bode well for other giant databases full of personal information that will be kept secure (through mechanisms as yet unknown to science) despite having hundreds of thousands of users.

I'm no luddite -- in fact I'm enthusiastic about the potential for IT to improve the delivery of services such as health care -- but I don't think that this has all been thought through properly. Which is odd, because I know (personally) a couple of the people who were involved in some of the security work on the project and they were both very, very good security guys. The problem must be institutional in some way, related to a disconnect between policy makers and system builders. Is it simply the scale of these systems? There is certainly an issue of numbers...

Under current plans eventually about 1.2m smartcards will be issued to staff across the NHS. The cards give varying levels of access to patient records, but more than 60,000 will offer GP-level access and a further 63,000 will give nurse-level access.

[From NHS smartcard losses raise security concerns - Computerworld UK - The Voice of IT Management]

But that doesn't explain why identity management and security can't be dealt with more effectively. I'm convinced it's because the mental models of identity and authentication that are used by the politicians are so outdated. As I've said before, in large-scale deployments like this it's going to be difficult to make any real progress so long as "the card" is seen as the fundamental and indivisible unit of identity. We need proper digital identity infrastructure to make systems on this scale manageable and a first step would be to decouple the management of the card (an "IT issue") from the management of the identities (a "business" issue).
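The decoupling argued for above, as an added example that is not part of the original post and does not describe the NHS system: identities and roles live in one record, cards in another, so a lost card is cancelled and counted without touching the person's access rights. The `Registry`, `Identity` and `Card` names, the staff ids and the card serials are all hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Identity:            # business-managed: who the person is and what they may see
    staff_id: str
    role: str              # e.g. "gp" or "nurse"
    active: bool = True

@dataclass
class Card:                # IT-managed: a replaceable token that points at an identity
    serial: str
    staff_id: str
    status: str = "issued" # issued | lost

class Registry:
    def __init__(self):
        self.identities, self.cards, self.audit = {}, {}, []
    def enrol(self, staff_id, role):
        self.identities[staff_id] = Identity(staff_id, role)
    def issue_card(self, serial, staff_id):
        if staff_id not in self.identities:
            raise KeyError(f"no such identity: {staff_id}")
        self.cards[serial] = Card(serial, staff_id)
    def report_lost(self, serial):
        self.cards[serial].status = "lost"      # the identity and its role are untouched

    def authorise(self, serial, required_role):
        card = self.cards.get(serial)
        ident = self.identities.get(card.staff_id) if card else None
        ok = bool(card and ident and card.status == "issued"
                  and ident.active and ident.role == required_role)
        # every decision is logged, including refusals for lost or unknown cards
        self.audit.append((serial, ident.staff_id if ident else None, required_role, ok))
        return ok

    def inventory(self):                        # how many cards are in each state
        counts = {}
        for card in self.cards.values():
            counts[card.status] = counts.get(card.status, 0) + 1
        return counts

def demo():
    reg = Registry()
    reg.enrol("S-0001", "nurse")                # constructed sample data
    reg.issue_card("C-100", "S-0001")
    before = reg.authorise("C-100", "nurse")
    reg.report_lost("C-100")
    after_loss = reg.authorise("C-100", "nurse")
    reg.issue_card("C-101", "S-0001")           # replacement card, same identity
    return before, after_loss, reg.authorise("C-101", "nurse"), reg.inventory()
```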

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]

