NHS IT policies that waste NHS money (and could easily be fixed)

Computer systems built for national scales are expensive – especially given the perverse incentives for previous and current government IT projects, which practically guarantee that they will go over budget. However, it is also important to remember that a computer system should make it easy and quick for a user to do what they need to do – it should not get in their way and slow them down. Fundamentally, the user’s time is paid for by the NHS (some of them at quite a high rate), and if they spend hours dealing with irrelevant trivialities of the computer systems they are using, then that money is wasted.

Much NHS email goes via nhsmail. This imposes a 200MB quota for all users. That is tiny. Disk space is cheap, really cheap at the 2GB level, and it really should be possible to offer 20GB per user without too much difficulty. As it stands, every user of nhsmail must periodically spend their valuable time deleting emails that are no longer vital. Occasionally they will make mistakes and delete emails that are actually important, potentially directly impacting patient care. This is just silly. I am guessing the order of magnitude of the cost of fixing this (by buying more servers) is X00,000, and that this would easily pay for itself in terms of increased efficiency across the NHS within a year.

The NHS systems also have a ridiculous policy of requiring users to change their passwords periodically. This is well known[0] to actually make security worse and to provide no benefit: users pick weaker passwords to make them easier to remember (and to break), and then increment a number on the end or similar (which unfortunately makes the password harder to remember because of within-list effects – people can’t remember which password they are on). So this is a policy that wastes staff time, makes security worse, and should be fixable by someone unticking a few boxes marked ‘force users to change their passwords’ or similar. Unfortunately various incompetent IT auditing agencies always tell organisations without periodic password changing policies that they need to institute one – this is good grounds for firing the agency, as they clearly have no idea what they are doing.

[0]: ‘Although change regimes are employed to reduce the impact of an undetected security breach, our findings suggest they reduce the overall password security in an organization. Users required to change their passwords frequently produce less secure password content (because they have to be more memorable) and disclose their passwords more frequently. Many of the users felt forced into these circumventing procedures, which subsequently decreased their own security motivation. Ultimately, this produces a spiraling decline in users’ password behavior (“I cannot remember my password, I have to write it down, everyone knows it’s on a post-it in my drawer, so I might as well stick it on the screen and tell everyone who wants to know.”)’
