Reflections of a CCIO

PIN codes are ubiquitous. We use them to withdraw money from ATM cash point machines and make payments with our bank cards. Our electronic devices, smart-phones and apps are protected by PIN codes.

We can also use a PIN code to access our systems at work. An NHS smart-card is similar to a ‘chip-and-PIN’ bank card; you place your card in a reader and enter your passcode. This can be configured to log you onto your computer and integrated to open your clinical applications.

The alternative is to login with a username and password. We typically use these to login to a website to do online shopping, access our online accounts etc. At work many of us have an individual login for our computers and to access each of our clinical systems.

Logging in can be slow and painful however, especially when we have to do it repeatedly. It is one of the causes cited for the increasing ‘clinical burden’ with using IT systems. Password policies also make it hard as we are advised to use ‘complex’ passwords, to change them regularly, and use different passwords in each system.

Have you ever wondered why is that is? Why sometimes we are able to use a simple a PIN code and at other times we need to enter a complex password?

This blog explains why. It also looks at how we can use this knowledge to our advantage.

Some NHS organisations have been innovative in this area – I will discuss some novel approaches that can be used. For example we have implemented a PIN code to unlock our EPR system. A number of organisations have experimented with other simpler ways to authenticate the user.

I thought I would share our reasoning here – how use of a PIN and other measures can enhance both security and usability, in line with the NHS guidance. Also why a conventional login and NHS smart-card may not be sufficient on their own.

It’s all down to how we use our EPRs. I’ll explain why. First let’s quickly review the NHS guidance on this.