Preventing NHS data security slip-ups
- Published: 19 September 2008 09:00
- Author: Nick Lamidey
- Last Updated: 19 September 2008 09:00
Simplifying the way users log on to computer networks can help NHS organisations increase their efficiency and improve compliance with data security requirements. Nick Lamidey explains
Ensuring data security in NHS organisations is not an easy task. Getting accurate compliance information on who logged on to which applications at what time, where and for how long is difficult. People often log on using other people's details, they do not log off, and users share PCs in busy areas.
All this presents serious security risks to NHS organisations. Applications are left open to unauthorised viewers. Passwords are shared or written on notes stuck to PCs. The result is that the user ID logged on to an application cannot be reliably linked to the person actually using it, which matters particularly in the health sector, where access to patient records must be attributable to a named individual.
Wasting time
So why has this situation arisen? There are two main reasons. First, the increase in the number of essential software applications. Each demands its own security, typically a user ID and password. This is simple enough when you have just one or two applications. But in hospitals, staff may need to use up to 15 applications, each with its own password. In a busy environment such as accident and emergency, should staff really be expected to log in and out of all 15 applications?
Second, there is user behaviour. People will always want to save time, and they cannot be blamed for that. In an ideal world, we would all comply 100 per cent with security policies. But in practice, given the choice between doing their work or spending the next two minutes logging off and on again, most users will focus on the work. From their point of view, that is simply making the best use of time.
The answer to both problems is to automate the process of logging in and out. If it is made easy and transparent, users will comply with policy because compliance costs them nothing; the system must also be one they cannot tamper with or bypass, and it should keep a log of user access, including the workstation used and the time of each log-on and log-off, for compliance purposes.
User friendly
This is what so-called advanced enterprise single sign-on systems do. They act as a central gatekeeper for all business applications, so users do not have to remember multiple passwords. Users need only one credential to verify their identity. Because that one credential now opens every application, it needs stronger protection than any individual application password did, which is why these systems can also work with smartcard or biometric systems for additional identity verification. Access to each application is then authorised according to existing security policies and the enterprise directory, so single sign-on does not grant anyone access they did not already have.
This makes logging in and out easy for users. When the user signs in, they get access to all the applications they are authorised to use at once, instead of entering a password for each in turn. And the reverse happens when they log out - saving time and boosting productivity.
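The broker described above, as an added illustration of the pattern rather than code from the article or from any NHS product: one password check (PBKDF2, hypothetical parameters) opens a session, each application is released only if the constructed directory entitles the user to it, every event is written to an audit trail with user, workstation and time, log-off closes all applications at once, a new log-on at the same shared workstation displaces whoever walked away, and an idle timeout (assumed here to be five minutes) closes the session automatically. Users, passwords, applications and workstation names are constructed sample data.

```python
"""Minimal enterprise single sign-on broker (added example, not a product)."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional

IDLE_TIMEOUT_SECONDS = 300  # assumption: lock a shared workstation after 5 min idle


def hash_password(password: str, salt: Optional[bytes] = None):
    """PBKDF2-HMAC-SHA256; returns (salt, digest). Iteration count is an assumption."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed directory: user -> (salt, password hash, entitled applications)
DIRECTORY = {
    "nurse01": (*hash_password("correct horse"), {"PAS", "ePrescribing", "LabResults"}),
    "clerk01": (*hash_password("battery staple"), {"PAS"}),
}


@dataclass
class Session:
    user: str
    workstation: str
    last_activity: float
    open_apps: set = field(default_factory=set)


class Broker:
    def __init__(self):
        self.sessions = {}   # token -> Session
        self.audit = []      # list of dicts: who, what, where, when

    def _log(self, now, event, user, workstation, app=None):
        self.audit.append({"time": now, "event": event, "user": user,
                           "workstation": workstation, "app": app})

    def login(self, user, password, workstation, now):
        """Verify the single credential; return a session token or None."""
        entry = DIRECTORY.get(user)
        if entry is None:
            self._log(now, "login_failed", user, workstation)
            return None
        salt, stored, _ = entry
        _, candidate = hash_password(password, salt)
        if not hmac.compare_digest(candidate, stored):
            self._log(now, "login_failed", user, workstation)
            return None
        # Design choice: a new log-on at a shared PC ends any session still open
        # there, so a colleague who walked away cannot be impersonated.
        for tok, s in list(self.sessions.items()):
            if s.workstation == workstation:
                self.logout(tok, now, reason="displaced")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, workstation, now)
        self._log(now, "login", user, workstation)
        return token

    def open_app(self, token, app, now):
        """Release an application only if the session is live and the user is entitled."""
        s = self.sessions.get(token)
        if s is None:
            return False
        if now - s.last_activity > IDLE_TIMEOUT_SECONDS:
            self.logout(token, now, reason="idle_timeout")
            return False
        s.last_activity = now
        if app not in DIRECTORY[s.user][2]:
            self._log(now, "access_denied", s.user, s.workstation, app)
            return False
        s.open_apps.add(app)
        self._log(now, "app_open", s.user, s.workstation, app)
        return True

    def logout(self, token, now, reason="user"):
        """Close every application the session opened, then end the session."""
        s = self.sessions.pop(token, None)
        if s is None:
            return
        for app in sorted(s.open_apps):
            self._log(now, "app_close", s.user, s.workstation, app)
        self._log(now, "logout:" + reason, s.user, s.workstation)

    def usage(self):
        """Pair app_open/app_close events into (user, workstation, app, seconds)."""
        opened, report = {}, []
        for e in self.audit:
            key = (e["user"], e["workstation"], e["app"])
            if e["event"] == "app_open":
                opened[key] = e["time"]
            elif e["event"] == "app_close" and key in opened:
                report.append((*key, e["time"] - opened.pop(key)))
        return report
```

The `usage()` report answers the question the article opens with (who used which application, where and for how long), and it is derived entirely from the broker's own audit trail rather than from the applications, which is what makes it trustworthy when the applications themselves were never told who was at the keyboard.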
Winchester and Eastleigh Healthcare trust has rolled out such a system to its 2,500 users. It will simplify access to 14 key healthcare applications. The trust says that as staff only need to log on once to carry out essential daily activities, time and resources are freed up to focus on patient care. The system also provides a complete audit trail of application access across the organisation.
What's more, before the system was introduced, around 15 per cent of all IT support calls logged were password related. With this largely eliminated, the trust has been able to reduce first-line IT support by 20 per cent, enabling resources to be redeployed. Single sign-on can boost user productivity, enhance security, help to automate policy adherence, and save IT and compliance management costs. All well worth signing on for.