As a doctor in the NHS, we have to use official Nhs.net email accounts – as in firstname.lastname@example.org. Unfortunately, the NHS has caught on the the fact that email accounts allow a level of anonymity that could cause opportunity for abuse. So they have increased the security.
Here are some examples of how it’s an ugly mess, totally inconsiderate of users:
- Your password must contain uppercase and lowercase letters, and numbers, and be more than 8 digits. This makes it extra fun trying to remember your password.
- The first three digits must be typed on an on screen keyboard with a mouse, then the rest by physical keyboard (see picture). This makes it inaccessible for phones, or those who are visually impaired. The latter is, of course, illegal.
- The password must be changed every month. And you can’t repeat passwords until you have used 4 others.
- There are no contact details online, no “forgot your password?” links, and no contact numbers.
- In fact, it’s surprisingly hard to find who to contact at all. It took me 6 calls to get through to the right department (you need to call 01422 222600), and then I was put on hold for 20 minutes with a song that suddenly cut, and restarted, every 30 seconds! As you can imagine, that was very annoying.
- When I finally got my password changed, I was told I needed to be on an NHS computer to log in for the first time. I work at a hospital 16 miles away. Is this a good use of my time and money?!
In a health service that is striving to be evidence led, surely we should apply this to wasting employee’s time as well? There is a reasonable amount of argument that the trade off that increased computer security entails is not cost effective, that password content is often irrelevant, and that changing passwords frequently has little security value. Some security experts even recommend writing down passwords – but this clearly harms security; I know someone who accessed the Hallamshire computers for two years, using a user and password account they read on a wall!
What’s more, we were told that we must use the NHS accounts over personal email accounts for the reason that “sometimes it can be difficult to get hold of people if they change them“.
Since I have not been able to access my email, and will not until I go to work, I think that’s a pretty shoddy reason.
Since if I have an issue with my password, I will never be able to access my account from home without first visiting the hospital, I would even say that it is quite a bad reason.
Since there is a compulsory need to frequently change my password, the stringent conditions for each password mean there is a a high likelihood that I will frequently forget my password and need to have it reset. The fact that this dramatically increases the risk that I will not have access to my NHS email account on frequent and inconvenient occasions, thus being impossible to get hold of, means that I would go as far as saying that the above is a terrible, irrational reason. If we aren’t going to pay for homeopathy, we need to stop wasting everyone’s time with misguided, discriminatory, out of date security nonsense.
Eventually I rang the hospital directly to obtain my rota. They emailed it to my personal email account.
3 thoughts on “Evidence vs Email”
This isn’t a Facebook note so my instinct to “Like” is misguided. Still:
I suppose this is what happens in a large organisation of hundreds of thousands of people. All your arguments are no doubt reasonable but unlikely that anyone will listen. I am so grateful that I work in an organisation of three where we make up the rules ourselves.
All password complexity tests and the drag of changing personal passwords every month when there is usually a generic login hanging on a wall CAN BE circumvented. I’ve always had “difficult to guess” passwords, but it’s not easy to figure them out if you need to change them all the time.
Imagine my surprise when a colleague pointed out the obvious: August2010… Next month will be September2010…