Isosec and the NHS Smartcard
Okay, firstly there will be no naming and shaming here, so if you were hoping to see organisations with poorer processes than yours, shame on you. Cybersecurity is no joke, especially when it comes to the NHS smartcard and protecting patient data.
What we are going to share are five very real examples of unsafe working practices involving NHS Smartcards.
We’ve been working with the NHS for fifteen years now and originated from an IT security background around smartcards and secure authentication. We have over 40,000 iO users (our smartcard identity agent) and as a result have seen thousands of local use-cases for the NHS smartcard, some hugely successful… some not so much.
If you’ve somehow wandered here by accident and aren’t sure what we’re talking about, NHS smartcards are similar to chip and pin cards that allow our healthcare professionals here in the UK to access the patient information that’s relevant to their role.
Here are five ways we’ve seen organisations abuse the power of the NHS smartcard.
5 Unsafe Workaround Tactics With The NHS Smartcard
- Passcode strength – Pretty obvious one to start with, but setting a secure passcode really is important! We’ve had people volunteer that their passcode is ‘passcode’, ‘1234’, even ‘doctor’. It may be quicker to type 1234 in a hurry, but it undermines the whole authentication process if you fail to keep your personal security standards high.
- Card sharing – Again, it might seem easy enough to pass your card on to a colleague when they’re in a hurry, but it’s hard to defend the cybersecurity standards of an organisation if individuals don’t adhere to its explicit security processes.
- Leaving a cut card in a reader – Possibly the worst offender on this list, but sadly we have seen it in action! The explanation we were given was that Information Governance colleagues would regularly walk around and check on how things were running. In order to avoid detection of card sharing whilst still having quick shortcut access, one card was left in a reader and then cut off, so IG couldn’t see the card in the reader or even know that the behaviour was going on.
- Robot smartcards – A machine with a smartcard permanently left in its reader, logging in automatically with a fixed passcode, poses an IG risk, and most trusts are completely oblivious to it. Our analytics dashboard highlights this behaviour straight away, so it’s not something we see with iO.
- Single sign-on passcode manager software – By using software to remember your passcode and key it in for you, you’re no longer using two-factor authentication. You take the security level down to just one factor, which doesn’t adhere to NHS security standards and doesn’t stop someone else jumping on your card should they pick it up.
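As an added illustration (this is not Isosec’s code, and the page does not describe how iO’s analytics work), the card-sharing and robot-smartcard items above can be turned into two simple checks over a constructed export of card session records: one card active on two workstations at the same time, and one card sitting in the same reader for days with no gap between sessions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of session records: (card_id, workstation, start, end).
# Hypothetical data, not from any trust.
SESSIONS = [
    ("C001", "WS-A", "2024-03-04 08:02", "2024-03-04 12:10"),
    ("C001", "WS-B", "2024-03-04 09:15", "2024-03-04 11:00"),  # same card on a second PC at once
    ("C002", "WS-C", "2024-03-04 00:00", "2024-03-05 00:00"),  # never removed, re-logs in daily
    ("C002", "WS-C", "2024-03-05 00:00", "2024-03-06 00:00"),
    ("C002", "WS-C", "2024-03-06 00:00", "2024-03-07 00:00"),
    ("C003", "WS-D", "2024-03-04 08:00", "2024-03-04 16:30"),  # ordinary shift
]

def parse(rows):
    fmt = "%Y-%m-%d %H:%M"
    return [(c, w, datetime.strptime(s, fmt), datetime.strptime(e, fmt)) for c, w, s, e in rows]

def concurrent_workstations(sessions):
    """Cards with overlapping sessions on different workstations: a card that was
    passed to a colleague, or a session left open after the card was removed."""
    by_card = defaultdict(list)
    for c, w, s, e in sessions:
        by_card[c].append((w, s, e))
    flagged = set()
    for card, items in by_card.items():
        for i, (w1, s1, e1) in enumerate(items):
            for w2, s2, e2 in items[i + 1:]:
                if w1 != w2 and s1 < e2 and s2 < e1:   # intervals intersect
                    flagged.add(card)
    return flagged

def permanently_inserted(sessions, min_hours=24):
    """Cards whose back-to-back sessions on one workstation cover at least
    min_hours with no gap: the 'robot smartcard' pattern."""
    by_key = defaultdict(list)
    for c, w, s, e in sessions:
        by_key[(c, w)].append((s, e))
    flagged = set()
    for (card, _ws), spans in by_key.items():
        spans.sort()
        run_start, run_end = spans[0]
        for s, e in spans[1:]:
            if s <= run_end:                      # contiguous: card never left the reader
                run_end = max(run_end, e)
            else:
                run_start, run_end = s, e
            if (run_end - run_start).total_seconds() >= min_hours * 3600:
                flagged.add(card)
        if (run_end - run_start).total_seconds() >= min_hours * 3600:
            flagged.add(card)
    return flagged
```

Both checks work on session start and end times only, so they run against any agent or audit export that records which card was used where and when.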
What Can You Do About It?
Some people don’t rate NHS smartcards highly, and from the list above it’s clear that there is still some general education to be done around cybersecurity. It’s a strong case for how poorly managed technology can hinder users rather than benefit them, and sadly the result is often unsafe workarounds like these that harbour high-risk behaviour.
However, we think when smartcards are used properly they do the job for the NHS and we’ve even developed ways to maximise the security and efficiency with them.
From our experience with IT departments in the NHS, we listened to the extensive issues some Trusts have with the smartcard. From there we expanded our iO identity agent capability, and iO Virtual Smartcard was created. There is a wealth of benefits to using our Virtual Smartcard product, but most importantly we built it to maximise the security around authentication whilst still addressing the user issues we have witnessed along the way.
By creating an innovative technology that meets both the practicality of everyday working practices as well as high-level security standards we hope to further the efficiency of the NHS whilst still maintaining the necessary safeguarding of patient data in the modern world.