Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
United Kingdom Medicine Security

The UK Health System Tries Spending Millions To Reduce The Time Spent Logging In To Things (theguardian.com) 118

The UK's National Health System is getting £40m (about $52.3 million) to try reducing login times on its IT systems, "a move the government says could free up thousands of staffing hours a day as the saved seconds add up," according to the Guardian.

They note estimates that switching to a "single sign-on" system reduced login times from 105 seconds to just 10 at one hospital, ultimately saving them 130 staffing hours a day.

TheNinjaCoder shared their report: In a typical hospital, staff need to log in to as many as 15 systems when tending to a patient. As well as taking up time, the proliferation of logins requires staff either to remember multiple complex passwords or, more likely, compromise security by reusing the same one on every system. The health secretary, Matt Hancock, said: "It is frankly ridiculous how much time our doctors and nurses waste logging on to multiple systems. As I visit hospitals and GP practices around the country, I've lost count of the amount of times staff complain about this. It's no good in the 21st century having 20th-century technology at work.

"This investment is committed to driving forward the most basic frontline technology upgrades, so treatment can be delivered more effectively and we can keep pace with the growing demand on the NHS."

This discussion has been archived. No new comments can be posted.

The UK Health System Tries Spending Millions To Reduce The Time Spent Logging In To Things

Comments Filter:
  • by Errol backfiring ( 1280012 ) on Monday January 06, 2020 @06:46AM (#59591534) Journal
    Single sign-on is just a misspelling of "Single point of failure". But this seems to be a rather expensive one.
    • We went from the generic MFA (answering questions) to having a phone call made to accept as login. Since I have my issued cell phone called, that means if someone steals my phone while it's active and wants to look at my email, contacts, etc, for information, all they have to do is accept the call and hit the pound key. There is no other verification.

      • by DarkOx ( 621550 )

        generic MFA (answering questions)

        That is NOT MFA that is two forms of the primary password authentication method with likely much weaker secrets. Its two instances of something you know.

        Factors in MFA should represent separate categories of:
        1) Something you know
        2) Something your are (bio metrics)
        3) Something you have
        4) (differing opinions on this one because its often possible to circumvent network tap to cellular etc) somewhere you are - IE you are at a physical console inside a physically secured facility.

        accept the call and hit the pound key

        That really should NOT be an i

        • systems for doctors needs to be easy and not to much BS.
          Put to much BS in then they can just use there I'M an doctor god like power to get it changed.

        • Unless I am misunderstanding your post

          To an extent you are, but that is probably because I was trying to be brief. What I mean is, I have my issued iPhone. If I want to open the Outlook software, I am told I have to sign into my O365 account. To do that the MS MFA calls a phone number. In this case the phone itself. I answer and hit the pound key to get access to my emails.

          If I happen to be on my phone and someone steals my phone out of my hand, to get access to all my documents all they have to do is

          • by DarkOx ( 621550 )

            Oh ok - you are reading your mail on the phone itself. That is the part I missed.

            Ordinarily they'd need either your password or 0365 session secret (1) factor + the ability to answer your phone (2) second factor. yes if they steal you phone out of your hand while its unlocked yes they get access. Same thing if someone runs by and grabs your laptop off the table at Starbucks after you have already logged in. At least for a short time they have access.

            This true but its also not really the risk MFA is trying

        • No, it's two-factor auth as interpreted by 90% of organisations who are required to implement 2FA: Something you know, and something else you know. Two factors, checkbox completed.

          Seriously, that's what 90% of 2FA use seems to be.

      • Well yes, but then it's up to you to NOT try and log in to the system if you know your phone is stolen, then the two-factor authentication call to you phone never happens.

        • Unless you mean they have sensitive work information on your personal phone, in which case, yes that is a bad design.

    • UK/UK rationale:
      reusing a password for multiple sites compromises security.

      using a single login for all sites must obviously increase security significantly.

      • Yes, because it is much easier to change that password regularly if you have SSO
      • People are notorious password recyclers so multiple systems aren’t really that secure. It’s exactly why a lot of times you can trace break-ins to one account back to a completely different and unrelated service being compromised. If those two services aren’t aware of each other or lack the ability to easily communicate then it reduces security on the whole.
    • by Bert64 ( 520050 )

      Also...

      "compromise security by reusing the same one on every system"

      This is exactly what "single sign on" is, a single password that works on every system.

      • No, SSO lets you sign in /once/ and then continue working without using a password.

        So not:
        1) log in to the OS
        2) log in to multiple applications

        But:
        1) log in to the OS
        2) done.

        Logging in to the OS can potentially be done with a key card, which they already carry. Suplement the key card with a simple PIN and a good "keycard is lost" procedure and you're reasonably secure.

        • because
          1) breach the os
          2) breach multiple applications one by one.

          is way less desirable than

          1) breach the OS
          2) done.

          Yes?

          • by jabuzz ( 182671 )

            At this point in time all the logging into the different systems in a hospital will almost certainly be using the same account and password authenticating from the same group of servers and almost certainly it's all Active Directory based.

            However rather than using the Kerberos ticket you get when you logged onto your workstation to log onto the various systems it is demanding you retype in your username and password again.

            It's the same at my workplace (a UK University), everything is AD based, but very litt

        • by Bert64 ( 520050 )

          I know how SSO works...
          The authentication is effectively the same everywhere (ie the same password), you just don't need to enter it again because your OS remembers it and does it for you. In a typical scenario, if you're using a workstation which is not joined to the domain then you still have to log in to every application individually (using the same username and password for each).

          Logging into an individual standalone application can potentially be done with a card, or biometric, or mfa etc too...

          On a W

    • It's also gonna be a lot more expensive than it would have been because the government seems hell-bent on stopping private contractors being a thing. Instead, they'll hire the Capitas, Accentures and others at £1000/day for a junior flunkie.

      I wouldn't be surprised if after £40m they end up with 30 different logons instead of 15.

      https://stoptheoffpayrolltax.c... [stoptheoff...ltax.co.uk]

      • by jbengt ( 874751 )

        . . . the government seems hell-bent on stopping private contractors being a thing. Instead, they'll hire the Capitas, Accentures and others at £1000/day for a junior flunkie.

        You're contradicting yourself. Or would you not call the big contracting companies private contractors?

        • Not really, as most of them are public companies ;-)

        • by Cederic ( 9623 )

          No.

          In the UK a contractor in IT is someone that works on a fixed term contract with minimal to no employment rights.

          A company with multiple staff may be a software house, a consultancy, a large consultancy or a festering shithole sucking life from all around it, but for some reason the Government like giving Capita work anyway.

      • £1000 a day, lol. If only it was that cheap.

        (I was rented out by Capita at £6k a day)

        the problem is one of those private contractors, £40m to implement single sign on... The gov should simply mandate it for the systems they have bought and demand the companies ge it done as part of whatever maintenance contracts they put in place. But they probably didn't do that in the first place, and all maintenance is charged at extortionate rates too.

        Deliberately so perhaps, those no

    • It does not have to be a single point of failure. We use a SAML 2 IdP with redundant endpoints and redundant back-end databases. Our users love it.

    • Single sign-on is just a misspelling of "Single point of failure".

      That's an interesting assessment. Every SSO system I have *ever* used had graceful fallback to a normal sign-on process. And for better or worse that fallback got "tested" a lot!

    • by Shotgun ( 30919 )

      The single point of failure has always been the nut holding the keyboard.

  • Hell, yes (Score:5, Insightful)

    by Anonymous Coward on Monday January 06, 2020 @06:47AM (#59591540)

    I work at a big hospital. I can't count the number of times I have to type my password, despite the fact that I'm not in a patient-facing part of the enterprise and I almost never leave my desk. It's ridiculous. I complained to the SVP overseeing my part of the hospital and he laughed as if it was a joke.

    Each day, I. AM. AT. MY. DESK. Why does every single system need to log me out after 15 minutes of inactivity on that system and why aren't they sensitive to activity on other systems? It means that essentially for everything that I do, I have to log in, again, and again, and again. I probably spend an accumulated 20 minutes going through login procedures each day. We, thankfully, have a single login ID that covers most (MOST) systems, but there is no communication between them at all. No Kerberos-like token. Why? Why? Why? These problems were solved independently at least two different times that I know about (MIT's Project Athena, CMU's Project Andrew) in the 1980s. Why do we have to keep re-inventing the wheel?

    • Re:Hell, yes (Score:5, Interesting)

      by stealth_finger ( 1809752 ) on Monday January 06, 2020 @07:34AM (#59591610)

      I work at a big hospital. I can't count the number of times I have to type my password, despite the fact that I'm not in a patient-facing part of the enterprise and I almost never leave my desk. It's ridiculous. I complained to the SVP overseeing my part of the hospital and he laughed as if it was a joke.

      Each day, I. AM. AT. MY. DESK. Why does every single system need to log me out after 15 minutes of inactivity on that system and why aren't they sensitive to activity on other systems? It means that essentially for everything that I do, I have to log in, again, and again, and again. I probably spend an accumulated 20 minutes going through login procedures each day. We, thankfully, have a single login ID that covers most (MOST) systems, but there is no communication between them at all. No Kerberos-like token. Why? Why? Why? These problems were solved independently at least two different times that I know about (MIT's Project Athena, CMU's Project Andrew) in the 1980s. Why do we have to keep re-inventing the wheel?

      Because thats how the tory gov stealth privatises the NHS. They start by letting it fester and rot then throw buckets and buckets of public cash at private companies to "fix" the problems they created. It doesn't matter if they actually do or not. Actually they prefer it if they don't because then they can throw more money at a different private company. They like to say they are putting record amounts of money in but it's all getting outsourced and practically none of it goes where it is needed most.

      • Re:Hell, yes (Score:5, Insightful)

        by nagora ( 177841 ) on Monday January 06, 2020 @07:53AM (#59591646)

        It's called "defund demoralise privatise". Wreck the system and then say that it's a burden on the taxpayer, then flog it off to the people who fund your party who are able to run it "successfully" but mysteriously still have to be paid by the taxpayers twice - once through tax and again at point of use (See: the railways).

      • by mccalli ( 323026 )
        Rubbish from start to finish. The systems are a lot older than 9 years in many cases. It's just the classic case of a big organisation growing up without co-ordination. At some point you need to stop and retool, that point will be difficult/expensive/messy, and then it's done and everyone moves on to the next pain point.
      • Re:Hell, yes (Score:5, Informative)

        by nicolaiplum ( 169077 ) on Monday January 06, 2020 @08:04AM (#59591686)

        I completely agree with you.

        Having spent a lot of time in hospitals in the UK a couple of months ago (nothing serious - mostly participating in research) I noticed exactly what you are saying. Clinicians had to login very frequently to many systems, and an SSO or single-token login would have saved them a lot of time. Importantly, it also seemed to be a distraction, and adding distractions to any complex analytical task or multi-step procedure (i.e. nearly all medical work) increases risk of mistakes.

        • I have SSO in my American hospital, except that I still have to sign all medical records in another system that requires at least two, and as many as eight, signatures with user ID and password. Password must be changed every ninety days, and you can't reuse any of the past ten. Guess whose password uses a simple iteration? And, bonus, they save money on Windows licenses by killing your VM twelve hours after your initial login, regardless of how recently you tapped in with your RFID badge. On a busy day, I
      • Yes but its not gonna save any hours. Because the staff is still wasting boatloads of time constantly checking their Facebook updates and feeds. Every time I go to a hospital or doctors office I am amazed about how much time I see the nurses and nursing staff glued to their phones instead of paying attention to the patients.

      • by Dunbal ( 464142 ) *
        Bullshit. This is a bureaucratic issue not a political one. The NHS is/was not more efficient under labor governments. Plus this is a GLOBAL issue not restricted to just the UK. Someone else summed it up - it's a combination of the following factors: Healthcare necessarily requires a high degree of confidentiality; Healthcare usually involves the movement of substantial amounts of money - from patients to providers or from insurers to providers. For those two reasons pretty much everything you are going to
        • Re:Hell, yes (Score:4, Insightful)

          by jbmartin6 ( 1232050 ) on Monday January 06, 2020 @09:11AM (#59591854)
          You're right that this issue is global and has nothing to do with UK government or politics. I worked in a US private hospital and it was the same way. We spent some time trying to implement a single sign on solution, supplemented by fingerprints. But the underlying issue is really the wide swath of technologies that end up getting used in a hospital, coupled with lack of incentives for vendors to build in integration with any sort of external authentication service like LDAP or RADIUS. So our SSO tool was basically trying to hook into every window process, recognize the login elements we defined, and enter the credentials for the user. Super kludgy.
          • by Dunbal ( 464142 ) *
            Yep, I'm a doctor and it's the same story in Costa Rica. Which is why I called GP on it.
          • fingerprints

            I don't trust my hospital IT staff with biometric data. The pay is awful, so they don't get top candidates. The IT director is power-mad and has deliberately disabled iMessage on the phones the hospital owns so they can force all communication between doctors and nurses to use either plaintext (might violate HIPAA, so pretext to fire the nurse), or an approved "secure messaging app", which they can read. Um, nah, I'm not carrying on with them, but whatever I say isn't your damned business. Cuz, y'know, HIPA

        • by Dunbal ( 464142 ) *
          Also add to all of the above that healthcare statistics will be heavily audited because governments rely on those to calculate indexes and indicators that have economic significance, such as the infant mortality rate, fertility rates, death rates, the prevalence of diseases, etc.
        • That's all so well and so good and all legit problems that are being faced. I was speaking more generally about the nhs than specifically about a single sign on system. My issue is with the outsourcing of more and more to private companies who reckon they can do the job better for the same money while still making a profit as if that is a solution. It just doesn't work. Those 3rd parties inevitably fail to provide an adequate service and make profit and either have the contact yanked or give it up. For stuf
        • Healthcare usually involves the movement of substantial amounts of money - from patients to providers or from insurers to providers.

          You obviously live in a country that doesn't have national healthcare. Money changing hands doesn't happen in UK hospitals. If you're in a country that doesn't have an NHS, e.g. from Canada* or the USA, then you have a lot of bureaucracy to deal with, not because of the hospital but because of your privatised health insurance companies.

          *Canada doesn't have an NHS, it has a limited "single payer" health insurance system within each province. It's also a 2-tier system so you need to buy private insurance to g

          • by kenh ( 9056 )

            You obviously live in a country that doesn't have national healthcare. Money changing hands doesn't happen in UK hospitals.

            Right, instead every taxpayer funds NHS constantly at levels set by politicians that want to simultaneously increase spending and reduce taxes.

            If you're in a country that doesn't have an NHS, e.g. from Canada* or the USA, then you have a lot of bureaucracy to deal with

            Right, because the NHS is nothing like a large, bloated bureaucracy - it's the very model of efficient delivery of modern healthcare.

          • by Dunbal ( 464142 ) *

            You obviously live in a country that doesn't have national healthcare. Money changing hands doesn't happen in UK hospitals..

            Oh yes it does. Just because it's transparent to YOU doesn't mean departments aren't keeping track of stuff. That aspirin isn't free, neither is that piece of gauze. Either you, your insurer or the government will have to pay for it. In the case of a social insurance hospital, it comes out of quarterly or monthly budgets for the department. Waste too much gauze and you're going to get a visit from admin. So no cash is moving around but value certainly is, and it's all being tracked. Otherwise that $10,000 v

      • Because thats how the tory gov stealth privatises the NHS. They start by letting it fester and rot then throw buckets and buckets of public cash at private companies to "fix" the problems they created. It doesn't matter if they actually do or not. Actually they prefer it if they don't because then they can throw more money at a different private company. They like to say they are putting record amounts of money in but it's all getting outsourced and practically none of it goes where it is needed most.

        I see ... as opposed to the amazing efficiency and effectiveness under Labour governments.

        And you do realize that even if one took your rant at face value, that would only be possible because it is non-private, right?

        • Because thats how the tory gov stealth privatises the NHS. They start by letting it fester and rot then throw buckets and buckets of public cash at private companies to "fix" the problems they created. It doesn't matter if they actually do or not. Actually they prefer it if they don't because then they can throw more money at a different private company. They like to say they are putting record amounts of money in but it's all getting outsourced and practically none of it goes where it is needed most.

          I see ... as opposed to the amazing efficiency and effectiveness under Labour governments.

          And you do realize that even if one took your rant at face value, that would only be possible because it is non-private, right?

          You explain to me then how the tories are pumping more and more money in and services are getting consistently worse across the board. How does a private company, do the job better for the same or less at the same time as making a profit? How does that private company resists pressure to cut costs to increase profit as is their nature? No one ever claimed labour ran it at 100% efficiency and public owned has it's own set of problems but can you look at me with a straight face and say the nhs has gotten bett

          • by shilly ( 142940 )

            I don't know why you think the Tories are pumping more money in. That's only true in nominal terms which are irrelevant. In real terms, it's been at a standstill, and accounting for medical inflation (runs faster than general inflation) and demographic changes (ever more sick gammons, largely), it's run behind for the last nine years.

            • Well, you're right but they claim to be because they put £x in last year and £x.1 in this year and johnny fucking public eats it up. My point was it doesn't really matter if they are or not though because most of it is just getting pushed right out again through outsourcing.
          • You explain to me then how the tories are pumping more and more money in and services are getting consistently worse across the board.

            It's because Britain has been getting flooded with destitute immigrants from the Middle East and Africa who go on the dole and then go to NHS for healthcare which is stressing NHS to the breaking point.

            You cannot have both open borders and a nationalized healthcare system like the NHS. This SSO plan is rearranging deck chairs on the Titanic.

            Strat

      • Because thats how the tory gov stealth privatises the NHS.

        Similar issues were experienced under the Labour government that was in power from 1997 to 2010.

        • No doubt but since the tories took over the rate of privatisation of the nhs has skyrocketed. Except they deny it's even happening at all because it's not being sold off in one chop like royal mail etc was.
      • Because thats how the tory gov stealth privatises the NHS. They start by letting it fester and rot then throw buckets and buckets of public cash at private companies to "fix" the problems they created.

        NHS sysadmins aren't making people log in so much because they're in some conspiracy with Tories to destroy their own jobs. FFS. They're doing it because sysadmins are technology bureaucrats. And they're the same everywhere. They think they have good reasons (mostly security) to make users log in so much, and SSO is a single point of failure. Security outweighs convenience now. Think HIPAA laws in the US, for example. THAT is why you have things like logons that die automatically after 15 minutes.

        • Yeah, that was more a rant at nhs in general rather than the specific logon systems they use which even I would be pushed to blame on privatisation lol
      • Because thats how the tory gov stealth privatises the NHS.

        The Tories aren't stealth privatising the NHS. They are doing it out in the open, in bulk, while lying in the faces of voters.

      • idiot. The NHS was privatised already, back in 2008 when Gordon Brown (yes, Labour!) legislated his "any willing provider" bollocks.

        and if you want to know who is running the NHS into the ground, its all those Blairite managers and CEOs who are in charge of every trust and private company "providing services" to the NHS.

        none of the money goes where its needed because of this excess of administration, and that requires even more money to be trousered by administrators to help handle the mess the administrato

        • Re:Hell, yes (Score:4, Informative)

          by Richard_at_work ( 517087 ) on Monday January 06, 2020 @07:15PM (#59593918)

          Yes, its easier to say "Tory cuts" because thats what it is - the Tories have been in charge now, essentially, for a decade and could have reversed any of Labours policies in the first year but didn't, so now they own them. And what do they do instead? Slash the budget, pressurise staff to work longer hours, reduce the workforce and reduce pay.

          Theres a reason Jeremy Hunt was so hated amongst the NHS staff when he was Health Secretary - he was the one destroying the NHS, and he was doing it as part of David Camerons and Theresa Mays plans to privatise it. You don't put someone who co-authored a book on privatising the NHS in charge of the NHS without some aspect of ulterior motive there...

          Under Jeremy Hunts management, the NHS got actively hostile to its staff, with the end result being a high suicide rate amongst junior doctors and a general exodus of staff to other countries. Add on to that the lower than inflation pay rises for the entire decade and you end up with a junior doctor being paid less for their hours worked than someone shelf stacking at a supermarket, being responsible for peoples lives, and being told that they cannot simply go home at the end of their shift if a patient is at risk - and patients are *always* at risk because thats how the NHS is being run, because then doctors can be pressured into staying well beyond their end of shift for no pay. Thats how the Tory NHS finds its extra cover.

          If you strike, you are threatened with prosecution for any patients that come to harm.

          If you whistleblow, your entire career is ruined because the body responsible for your employment insists you are not an employee (even though you sign a contract with it, and you are beholden to its disciplinary proceedings and training requirements) and therefor it has no obligation to you, but it will withdraw your training number anyway which means you cannot find any placements because hospitals wont employ a doctor without a training number.

          If you leave NHS employment for more than two years, you have to do 6 months of free junior doctor level work for the NHS before you can reenter at the level you were at when you left.

          You are required to "reflect" on "difficult cases", including cases where you think your care was less than exemplary and how you could improve that care, as part of your annual appraisal - and then those "reflections" are used against you in a court of law to prosecute you for the failings of the system.

          All of these things are what the Tories brought in, while at the same time reducing the NHS funding to levels not seen under the prior Labour government.

          So yes, it's the Tory cuts and policies which are the issue.

      • by Cederic ( 9623 )

        Facts:
        - Labour introduced PFI, effectively privatisation of the health service.
        - PFI deferred costs, which means much of the existing NHS budget is going towards paying off the profligacy of Blair and Brown
        - The NHS has a wasteful bureaucracy that's highly resistant to change
        - The demand for NHS services keeps rising and rising and rising. Some of that is an aging population, some of that is due to immigration
        - The NHS budget rises every year. Every year. Every single fucking year.

        Should the NHS be publicly

    • Why is this comment down-voted?
      • by Dunbal ( 464142 ) *
        Because slashdot. It's the hidden "I don't agree (-1)" mod option... "real men" read at -1 anyway and ignore the spam/trolls... :)
    • by Dunbal ( 464142 ) *

      Why does every single system need to log me out after 15 minutes of inactivity on that system

      Because of auditing and accountability. People can't be trusted to log out by themselves and used to leave their terminals open, where anyone else could come while you're in the bathroom or something and grab data they're not supposed to grab. In your name. The logout is there to help you, not screw you. But yeah I agree each employee having a physical dongle or card, etc would make much more sense than endless logins and passwords. Provided people don't start leaving their dongles/passwords in the machines

      • It makes sense for the PC to timeout. It does not make sense for the applications which are only accessible from those same PCs to also time out individually. There's nothing more frustrating than filling out a web form, clicking submit and finding out the stupid application timed out while you were actively using it just because you didn't trigger a page load in 10 minutes. And of course this only happens when it takes longer than the timeout to fill out the form, meaning it always happens in the situat

        • by Dunbal ( 464142 ) *
          Yeah that's kind of stupid. An inactivity timeout should only be triggered when the computer is inactive, not because you didn't submit a form to the database or something.
      • by Nkwe ( 604125 )

        Provided people don't start leaving their dongles/passwords in the machines when they go to lunch or take a shit, etc. Then we're back to square 1.

        Make the employee badge the token for SSO. Plug (or swipe) your badge into a card reader at each workstation - that plus a PIN logs you into all systems. Removal of the badge, loss of proximity, or a timeout logs you out. Put badge readers on the break rooms, bathrooms, and other doors that need regular access. If you want to take a break or use the bathroom you *have* to take your badge with you.

    • This is an issue that plagues many government systems. There's a tug of war:
      -ISOs decree stupid timeouts
      -People use easy passwords
      -ISOs decree complex password requirements
      -People start saving passwords
      -ISOs decree no password saving
      -With no workarounds left, People complain to IT en mass
      -CIO devises single sign on, which completely overrides all the above.
      -ISO pouts.

    • Reinventing the wheel is popular The axle's the trick, eh?
    • Why does every single system need to log me out after 15 minutes of inactivity on that system and why aren't they sensitive to activity on other systems?

      You have to do that because the security certifications your hospital holds require them to be in place. It's frustrating as hell, but management needs to pass their audits.

    • Each day, I. AM. AT. MY. DESK. Why does every single system need to log me out after 15 minutes of inactivity on that system and why aren't they sensitive to activity on other systems?

      Oh, so you have it easy.

      At my work they decided to roll out a password management system to encourage us to store logins there and only sign on to the computer, and sign into the password management system for everything else. That actually....sounds somewhat reasonable. But there's a catch:

      The password management system fails to log in the first try, every time. There's some bug where it barfs on whatever is sent the first time. I have no idea WTF that is all about. It also times out after 15 minutes. So a

  • Comment removed based on user account deletion
  • Encryption and Law (Score:4, Insightful)

    by MrKaos ( 858439 ) on Monday January 06, 2020 @07:51AM (#59591640) Journal

    Perhaps Mr Secretary if the government spent less time trying to ban and break encryption software, instead of standardizing it, your staff maybe able to use a public key system so they would only have to remember one pass phrase for all the systems they use.

    Just a thought old chap!

    • > ... or, more likely, compromise security by reusing the same one on every system.

      How is that not equivalent to what a single sign-on performs? Or how a password manager performs?

      Yes, SSO lets you sign on once to multiple things, without having to re-input your password.

      But both put you at a single point of failure for your entire secured ecosystem. Maybe your password manager is better written than most commercial applications that "include password security management", maybe it's a steaming pile of

      • by MrKaos ( 858439 )

        None of the points you raised have anything to do with the method I'm talking about.

        > ... or, more likely, compromise security by reusing the same one on every system.

        How is that not equivalent to what a single sign-on performs? Or how a password manager performs?

        You don't exchange a login/password you exchange a cryptographic generated session key. [ssh.com]

        But both put you at a single point of failure for your entire secured ecosystem. Maybe your password manager is better written than most commercial applic

        • by Cederic ( 9623 )

          You don't exchange a login/password you exchange a cryptographic generated session key.

          We call that SSO. It stands for 'single sign-on'. There are multiple commercial and other implementations available. It's got standards and everything.

          What we don't need to do is manage a private key, and trust me, you really don't want 2 million NHS staff trying to manage private keys.

          You validate your passphrase against your private key on a local device, usually once at the beginning of the day

          Whatever the fuck makes you think people have 'a local device'? They use multiple devices, they share those devices, they're mobile within several miles of hospital.

          It is a vastly better method than single sign on

          No, it is not. It may be a preferred option for specific use

          • by MrKaos ( 858439 )

            Whatever the fuck makes you think people have 'a local device'?

            Do you have to swear at me in all your posts? Are you that unable to contain your emotional state that you have to attempt to spread it? Go sit down with a nice cup of tea and calm yourself down.

            Do you understand that concepts are about conceptual things?

            No, it is not. It may be a preferred option for specific uses but granting SSO access to a couple of million non-IT people is absolutely not one of them.

            Well that's great, go get in contact with Mr Secretary and tell him how to sort it out with SSO as this is something the entire healthcare system with it's IT budget and everyone has missed. I'm sure they will be grateful for your input.

            • by Cederic ( 9623 )

              Do you have to swear at me in all your posts?

              No. I choose to. Do you have to be an imbecilic cunt in all your posts?

              Well that's great, go get in contact with Mr Secretary and tell him how to sort it out with SSO as this is something the entire healthcare system with it's IT budget and everyone has missed.

              Which part of a £40m budget is beyond your fucking reading comprehension? Which aspect of NHSX being established precisely to spot and implement this type of thing suggests the minister is not already aware and engaged?

              Matt Hancock isn't the brightest member of the cabinet but shit, even he's around four years ahead of you.

  • by K. S. Kyosuke ( 729550 ) on Monday January 06, 2020 @08:14AM (#59591698)

    It's no good in the 21st century having 20th-century technology at work.

    Why would you *not* want 20th century technology like Kerberos that will do this for you?

  • by kackle ( 910159 ) on Monday January 06, 2020 @08:40AM (#59591768)
    My last stay at a newer hospital showed me that the nurses (and doctors?) tapped RFID cards, hung around their necks, to each computer they'd access. (They'd also scan the bar code on my wristband with the computers' scanner.) It seemed a pretty quick process to me; I don't see how else you'd do that if you desired authentication everywhere. I always wondered what a nightmare a hospital IT department must be like.
    • Re:RFID Cards (Score:4, Insightful)

      by Nidi62 ( 1525137 ) on Monday January 06, 2020 @09:14AM (#59591862)

      My last stay at a newer hospital showed me that the nurses (and doctors?) tapped RFID cards, hung around their necks, to each computer they'd access. (They'd also scan the bar code on my wristband with the computers' scanner.) It seemed a pretty quick process to me; I don't see how else you'd do that if you desired authentication everywhere. I always wondered what a nightmare a hospital IT department must be like.

      That was my thought: all these hospitals require staff to wear badges: simply use those as your authentication token. Would also let hospital admin/IT track login locations, multiple simultaneous logins/impossible login changes such as 30 secs to a minute later between two stations that are a 5 minute walk away (to prevent possible security breaches/credential sharing), etc.

      • Cards alone aren't especially secure as they can be lost/stolen/borrowed, although they are certainly quick and easy for lower privilege systems.

        Hospital IT is certainly complicated, and identity management is more complicated than it is in corporate environments, owing to the large number of applications each staff member has to use, and the issues around confidentiality.

        As with most IT problems involving large organisations, the challenges are not especially technical, they are organisational and regulato

        • by Nidi62 ( 1525137 )

          Cards alone aren't especially secure as they can be lost/stolen/borrowed,

          They can, but they can also be tracked. Make every employee scan to get in, no piggybacking, (I've worked in facilities that do that and it's not horribly onerous, and we had to scan and enter a code to get through doors) and if a card is reported lost/stolen/etc, check logs/video to see if/when it was used to enter the building and by whom (assuming you have security cameras). Borrowing should be against policy, but if you lock it so that a card can only be logged into 1 station at a time that problem ge

        • by kackle ( 910159 )
          I agree with @Nidi62, a misplaced badge would be immediately noticed by the medical worker since they wouldn't be able to access their next resource in order to do their job. I doubt sharing badges would be an issue in a hospital because it would stand out as an anomaly, and these are important people doing important work.
    • by jbengt ( 874751 )
      At my daughter's dental school, the students and teachers use ID cards with magnetic stripes, which they have to swipe frequently to enter information.. That's only 1-factor, though. I'm pretty sure the students log in with a password at the beginning of the session, but I didn't see the supervising dentist logging in before swiping to enter his approval.
    • I've noticed at most of the pharmacies at CVS (the drugstore chain), the employees have bar code stickers on the back of their hands. They'll regularly scan their bar code as they're working.

      I assumed that this was some sort of authentication system, and it made sense as they're working at stations that already have bar code readers for tracking medications. But if the hospitals are tracking patients with bar codes, it could work there, too.

      It many ways, it could be *more* secure than RFID badges, if you'

    • by Cederic ( 9623 )

      The card provides authentication to access the device, but additional software and infrastructure would still be required to assure access to software running on the device or accessed from it.

      RFID cards are an alternative to a username and password, rather than providing SSO.

  • Kerberos SSO is 20th century technology.
  • Over the past five or six years, I have had multiple opportunities to experience hospital systems from the consumer side. Anyone working for the hospital has an RFID-equipped photo ID badge, and all terminals have an RFID reader, which logs them in and out in a second or two.

    Is there some reason that can't be implemented in the UK?

  • Check footage from UK hospitals, every other screen has a post-it with the login credentials on it.

  • SSO for businesses with a lot of apps needed for workers to function are just doing the good business thing with SSO. If your apps require SSO authentication first, they can be more secure than permitting ad hoc logins. I get this at work, where I cannot any longer log in 'directly', though. in some cases, in practice, that's semantics. But it's helpful when it works.

    Saving seconds? I think of time savings more in useful chunks. For a nurse, though, a 15 second login to merely view a chart section to see i

  • by kenh ( 9056 )

    They note estimates that switching to a "single sign-on" system reduced login times from 105 seconds to just 10 at one hospital, ultimately saving them 130 staffing hours a day.

    Until they either reduce staffing by 16.25 shifts/day (130 hr / 8 hr shifts) I call BS on their claimed savings. I'd also accept increased performance metrics (more patients seen/shift, for example).

    Once you realize that doctors and staff interview patients while logging in, you realize there really are no big savings.

    • by Cederic ( 9623 )

      From another article:

      With almost 5,000 logins per day, it saved over 130 hours of staff time a day, to focus on patient care.

      That was at one hospital. That's a fuck of a lot cheaper than training and hiring 16 new nurses, something the NHS happens to be short of.

  • > They note estimates that switching to a "single sign-on" system reduced login times from 105 seconds to just 10 at one hospital, ultimately saving them 130 staffing hours a day.

    The 95 seconds saved adopting single sign-on will be spent by employees sipping one more coffee.

If money can't buy happiness, I guess you'll just have to rent it.

Working...