A recent Ars Technica article reminded me of the substantial effort we put into designing the identification and authorisation mechanism in our EPR project. Just about every computer system in the NHS uses username/password combinations for identification at the beginning of each session, and we experience all the same problems which are described in the Ars Technica article. Not only are usernames/passwords a problem from a confidentiality/safety point of view, but they also create a phenomenal amount of work for the IT support team. As we heard at the BCSHS conference, NHS Tayside are working with Sun on a single-sign-on project – which will come as a great relief to our beleaguered IT staff. But an SSO process only really helps the back-room staff, who have their own computer and are logged in all day. It doesn’t help staff on, say, an acute ward, where one computer is shared between many people.

The biggest problem for ward staff is the amount of time it takes to switch identity on the computer. It’s all very well setting a computer policy saying “everyone must sign in to each computer system using their own username”, but that’s no use at all in a busy ward environment where the cost (in terms of time) of switching from one username to another is so high that people just don’t do it. User accounts end up being shared between many staff, with the account details often stuck to the front of the computer or written in a desk diary. We considered using some kind of identification card, like they use on tills in shops, but in practice this sort of system gets abused in the same sort of way: one card ends up getting stuck to the computer so that it’s always signed in.

So we took the approach of only requiring identification/authorisation when data is changed. All ward staff share the same session in the software, but when they click Save (or whatever) they are asked to identify themselves. Identification is via biometrics (a fingerprint scanner embedded in the mouse) or username/password (using their Active Directory account). If the fingerprint option is used, the software works out who the user is. (In both cases, authorisation for the chosen action is granted or not depending on that user’s rights.) So identification is “just in time” – staff do not have to sign in and out all the time. Accounts do not get shared between staff. As a result, the accuracy of our audit information tends to be very high.

The trade-off is that we do not audit *viewing* of data by *user* (although we do record the IP address of the computer being used to view stuff). We decided that it was more important to know who authored data than to know who looked at it. And our design is no worse in this regard than most others, given that the tendency to share accounts undermines the audit quality. It’s also still somewhat better than a paper record, where there is no viewing audit at all.
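The save-time identification and the view/write audit split described above can be sketched as follows. This is an added example, not code from our EPR; the class, function and action names, the sample users and the in-memory directory standing in for Active Directory are all assumptions.

```python
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample data (assumptions, not from the original system).
RIGHTS = {"nurse.a": {"save_observation"},
          "doctor.b": {"save_observation", "prescribe"}}
ENROLLED_PRINTS = {"print-001": "nurse.a", "print-002": "doctor.b"}
DIRECTORY = {"nurse.a": "constructed-pw-1"}  # stand-in for an Active Directory check

class Denied(Exception):
    pass

def by_fingerprint(template):
    # 1:N match: the scanner result alone determines who the user is.
    return ENROLLED_PRINTS.get(template)

def by_password(cred):
    username, password = cred
    expected = DIRECTORY.get(username)
    ok = expected is not None and hmac.compare_digest(expected, password)
    return username if ok else None

@dataclass
class WardSession:
    workstation_ip: str
    audit: list = field(default_factory=list)

    def _log(self, event, record_id, user=None, outcome="ok"):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "event": event, "record": record_id,
                           "ip": self.workstation_ip, "user": user,
                           "outcome": outcome})

    def view(self, record_id):
        # Reads are attributed to the workstation only, never to a person.
        self._log("view", record_id)

    def save(self, record_id, action, credential, identify):
        # Identity is established per save and is not kept in the session.
        user = identify(credential)
        if user is None:
            self._log(action, record_id, outcome="unidentified")
            raise Denied("could not identify user")
        if action not in RIGHTS.get(user, set()):
            self._log(action, record_id, user, "unauthorised")
            raise Denied(f"{user} may not {action}")
        self._log(action, record_id, user)
        return user
```

Because nothing about the identified user is stored on the session object, two people can save in succession on the same shared session and each audit row still names the right author; failed attempts are logged too, so refused saves remain visible.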

The key point here is that we recognised what is actually going on in wards, rather than assuming some sort of ideal where all staff have time to follow security policy. That means compromising on the auditing design, but the overall result is better for everyone – patients (better audit quality), ward staff (saves time) and sysadmins (no more shared accounts).