NHS rolls out mammoth email system

The UK's largest employer is rolling out a new email and directory service - one of the largest corporate email services in the world

From Tuesday, staff in 10 NHS trusts will have access to NHSmail, a new email and directory service being rolled out across the entire organisation to replace the 7,000 different systems currently in use. But some NHS IT experts are concerned about the system, given the sensitivity of the data the service will carry.

Only half of the health service's 1.2 million-strong workforce have their own email address at the moment, and the considerable number who work in multiple locations have to maintain separate email addresses at each one. But NHSmail, which is being procured by the NHS Information Authority, should remove much of this complexity, and will be among the largest corporate email and directory services in the world on completion.

The directory contains contact details for all registered NHS employees and will be updated every 24 hours. Staff using the system will also have access to telephone and online support from EDS, the supplier of NHSmail. The services giant was awarded the 10-year contract in May this year.

Catherine Coe, communications manager for the project, said: "NHSmail is an important project for the NHS -- it will improve communications across the entire NHS network. As well as the many functions this important service provides, there is a high level of security ensuring all confidential information is highly protected."

She said that the service enforces SSL encryption of all messages in transit between the client PC and the central mail servers and vice versa.

But critics of the system remain concerned about the level of security in place, though not from a technological point of view. Professor Ross Anderson of Cambridge University's computer laboratory was involved in the debate about networking the NHS in the mid-1990s, and is convinced the organisation has failed to act on the key point to come out of that debate.

He told silicon.com: "Encryption is a red herring. The main issue is that when more people have access to data, the more it will leak. People who want to get hold of sensitive data, like private investigators, ring up staff within the NHS pretending to be someone who has the right to have that information. And far too often they'll end up having it read to them over the phone."

He added: "The NHS is unable to admit that there is a problem with social engineering, which is the most common method of getting hold of sensitive data. If the question is has the NHS done enough to secure its information, the appropriate answer is 'tosh'."

Coe stressed that it is only possible to complete the initial registration on the NHSmail system via the organisation's main network, NHSnet, and that users of that network must have a valid directory entry that has been provided by their organisation before they can register. The British Medical Association has said that it is satisfied with this level of security.

The 10 trusts are gaining access to the system after trials in Birmingham and London. If this next phase is successful, NHSmail will be rolled out nationally in 2003.

Established in 1999 as a special health authority, the NHS Information Authority's remit is to enable the national infrastructure for an online NHS with electronic health records, an electronic library of knowledge, and the convenient services "that people expect from a modern NHS".
