The latest government data disaster has been announced by medical magazine Pulse and the BBC today, reporting the loss of 4,147 NHS computer “smartcards”.

The smartcards are used by NHS staff to access electronic programmes and applications delivered by Connecting for Health, including care records and prescription services.

The Pulse report states, “After requests to hundreds of NHS bodies under the Freedom of Information Act, Connecting for Health revealed 4,147 smartcards had been reported missing – 1,240 last year alone.”

“At least 142 have been stolen, including 17 in one area – Hammersmith and Fulham PCT. Smartcards have now been issued to 438,314 NHS staff, although the number of users is eventually expected to top 1.2 million.”

The NHS argues NHS smartcards cannot be used without a unique six character password, and that as soon as a smartcard is lost, it is disabled.

Paul Malcolm, UK general manager of identity and access management vendor Sentillion, echoed this argument, claiming that "either of these
authentication factors is useless without the other corresponding
factor".

"Smart cards give health workers access to the centralised database of
patient records, and while this does seem to create a security concern,
it is important to keep perspective and remember that this system has
been introduced to give patients a greater quality of care," he added.

But Pulse argues its investigation had shown “an alarming lack of attention to security” and said in nearly every case, “lost or stolen smartcards were reissued automatically without investigation, and no disciplinary action has been taken against any staff member.”

In the same way the ID card agenda was widely debated after the HMRC discs went missing, this news puts the government planned NHS-wide computer system under further scrutiny. The system will allow medical records to be shared across the country.

Mike Small, CA security strategy director, commented on the loss, arguing for more effective identity management.

“Adopting strong authentication is not sufficient unless there are also strong processes around the management of an ID lifecycle. By this I mean organisations need to ensure a rigorous registration and de-registration process as well as regular audits around employees’ identity and access rights. Given that the NHS can’t account for over 4,000 access cards, it suggests that this process could be improved.”

Small also said that the worrying thing is that best practice processes are laid out in Government guidelines. “Perhaps there is a call for a combination of incentives and penalties to be implemented to make sure these best practices are actually followed,” he added.

An NHS spokesman said “Contrary to some media reports smartcard loss or theft is less than 1 per cent nationally and we have no evidence that any security breaches have ever arisen from lost or stolen cards.”

“All records are subject to an audit trail which gives detailed information on who accessed any record and through what process,” he added.