NHS logins – a plea from the coalface!

password_requiredA truth universally acknowledged, probably across the whole of the NHS, is the need for an encyclopaedic memory in order to memorise multiple passwords.  Unfortunately it is rare to find integrated computer access systems in the NHS, with each application/website requiring its own username and password combination.

Inspired by this article from the Guardian, I thought I’d write down all the passwords that I have to remember to carry out my daily work.  I wonder if we’re slightly more exposed in rural practice as we have a greater need to access both primary and secondary care systems; however I’m sure that there are lots of health professionals in the same boat.

What’s my suggestion?  Well I think I have a good one: simple and straightforward.  But first, let me show you the problem.

Daily problem

Here’s a list of all the systems that I access on a daily basis.  A typical day for us could involve time during and between surgeries to carry out various administrative tasks.  Then out-of-hours and hospital work presents even more systems.

  • Windows login: the first hurdle, what’s needed to login to any work computer.
  • NHSnet email
  • EMIS: access to our main GP records system
  • Docman: where we store scanned-in letters and results
  • Electronic results: to access the hospital computer results system
  • SCI Referrals system: so I can refer my patients to see one of our hospital colleagues
  • INRStar: we use this to track patients who are on warfarin, to record or review doses
  • RisWeb: to request X-rays and other imaging
  • PACS: to view patients’ X-rays.  It’s great that we can have ‘immediate’ access to the national database, but bizarrely this follows a close-but-not-similar username/password combo as RisWeb
  • Hospital prescribing: We recently moved to electronic prescribing for our community hospital patients.  Whilst this offers certain advantages, it now takes me around 4 minutes to login each time I want to change a patient’s medication at the hospital.  This is partly due to computer/network speed, but typically I need to log in through 4 separate screens to get to the patient’s record.  By comparison, it used to take 20 seconds to change the paper record.
  • Adastra Citrix : a generic login to get into the out-of-hours platform – the first hurdle
  • Adastra: my own username/password combination to access NHS24/out-of-hours details
  • Emergency Care Summary: to see patients’ medication history, particularly useful for visitors to Arran as we can’t see their GP notes.  This one seems to expire very quickly and just when we need it at 2am to access information – this time seems a little unkind to wake up the on-call IT administrator for a password reset
  • Out-of-hours laptop: this allows us to log into our systems from home, so we can update OOH records and complete home visit records.  But it needs:
    • a third-party system lock username/password
    • a different Windows username & password, specific for the computer
    • access to the N3 virtual network: which needs a secret code and then a passcode from a separate number generator


input-incorrect-passwordThat’s 16 separate username and password combinations for a typical day’s work.  The usernames are different for each system.  Some involve my full name, some my email address, some include my practice code (but some are ####hoggd and some are hoggd##### – and one is davidha#####).  Some passwords require uppercase, some don’t, some require punctuation, others don’t accept punctuation.


And more!

The ones mentioned so far are just the daily ones.  There are yet more systems with their own requirements which we need to dip into from time to time…

  • Travax website: for working out what vaccinations a patient requires for their travel abroad
  • Toxbase: to find out if someone’s overdose is going to require specific intervention
  • University student tutors: we have students from Glasgow and Dundee, and in order to keep up to date with their requirements, and submit assessments, each university has its own website and login.  Some have more than one – with separate passwords for assessment, forum and information portals respectively.  We have a student from Kings College London coming up to see rural practice in January too, so that involves another login combination!
  • RCGP Trainee Eportfolio: trainers need to access their trainees’ eportfolios on a weekly basis.  And yup, correct, that’s another username/password combination.
  • EPortfolio (SOAR in Scotland): in order to record and reflect on CPD activity
  • Journal reading: Athens passwords have made this so much easier, although there are still those sites that require multiple logins to access articles of interest.

passcode-lockThis is in addition to all the other passwords that come with life – from your phone, personal email, booking holidays and buying from Amazon etc. to using Flickr, logging into iTunes and using online banking.  Thankfully I’ve found a great programme called Dashlane for most of those, which has made life easier.

The solution

What IT administrators seem to like is a unique identifier.  And conveniently, we all have one.  Why not just use our GMC registration number for all usernames?  Voila – sorted, at least for usernames, and this would allow a consistent audit trail which can easily be tracked back to the individual.  I’m glad that I’ve been in the same place now for the last 4 years, but when I was a trainee, a move to a new hospital involved new passwords and new systems to access with each 4 or 6 month changeover.

The passwords situation is a bit more tricky.  Unfortunately we know that the NHS has a poor track record in ensuring cross-compatibility of its IT systems, so developing an integrated single-sign-on is quite difficult.  Apparently our hospital colleagues now have OneSign, but despite asking for the last couple of years, it is yet to hit primary care.  Come on IT folks, make this happen.

Meantime, surely we can have a consistent approach to NHS passwords.  Surely they can follow the same security levels, so that they all accept and require the same number of punctuation marks, uppercase, lowercase and numbers.

Security of patient records is vitally important.  And yet, paradoxically, the need for so many passwords means that it’s increasingly necessary to write them down somewhere.  If only we had one username and password to remember, perhaps using our own system to make them slightly different (for example, add in the 3rd and 5th letter of the name of the website/service being accessed etc.).

At the relatively young age of thirty three, I think I’m fairly cognitively intact.  And yet I have problems on a weekly basis of passwords auto-expiring, or just being unable to work out which to use at 0500 in the morning with the other stressors that a sick patient can introduce.  I do wonder what life will be like when memorising multiple login details is less easy, particularly as we seem set to work until the new retirement age of 68 – or later?  Recently retired neurosurgeon Henry Marsh has offered some insight into how problems with computer logins affect super-specialist patient care…

Dr Ellie May sums up the wider issue with another coal-face perspective:

With a view to moving entirely to electronic health records, a progressive transfer of all supporting paperwork to an e-equivalent is under way. New icons invade our desktops causing our username and password combinations to multiply, again and again.

I think all this needs is a bit of sensible leadership and conversation from those ‘at the top’ of the NHS.  This is an issue.  Let’s sort it.

The last word goes to a tweeter called @kilted_medic:

… achieved the holy grail of NHS IT glory- all my passwords at work are the same!

Comments are closed.