Healthcare security: Write login details on whiteboard, hope for the best

(2026/02/19)


Bork!Bork!Bork! Today's bork is entirely human-generated and will send a shiver down the spine of security pros. No matter how secure a system is, a user's ability to undo an administrator's best efforts should not be underestimated.

This example is a whiteboard seen by an eagle-eyed Register reader in their local medical center. Our reader asked to remain anonymous for obvious reasons, but we can only wish that the same anonymity had been extended to the systems running behind the scenes.

[1]

Whiteboard showing confidential information (obscured)

We've excised the text, but suffice it to say that the whiteboard contains usernames and passwords for system access. It's a change from a Post-it note stuck to the screen, but it's no less likely to make a security professional shriek in horror. After all, not only is the account exposed, but anyone can use it, which renders an access log somewhat redundant.

The whiteboard has been on show at the UK medical center for a while now. Our reader told us: "A few months ago, I explained to a lady on the front desk that displaying this information was a bad idea. Clearly, they don't believe me."

The National Health Service has guidelines regarding passwords. The rules [2] include "not using a single word... think random... think multiple (3 random passwords technique)" and "not using or containing a common password."

To be fair to the medical center concerned, those rules do not include "for goodness sake, don't put the username and password on a whiteboard for everyone to see."

Thankfully, passwords are on their way out. According to the UK's National Cyber Security Centre (NCSC) [5], passkeys "solve the main security problems we have with passwords."

The NCSC states they "are generated securely and so can't be guessed... can't be phished," and "are unique for each website you use, so if one website is compromised it doesn't put your other logins at risk."

They are also unlikely to be found written on a whiteboard.

Passkeys are not a perfect solution to password problems. However, almost anything would be an improvement on this public display of private credentials. ®



[1] https://regmedia.co.uk/2026/02/11/bork2.jpg

[2] https://digital.nhs.uk/cyber-and-data-security/guidance-and-assurance/data-security-and-protection-toolkit-assessment-guides/guide-9---it-protection/password-strength-remote-locations-and-managed-estates

[5] https://www.ncsc.gov.uk/blog-post/passkeys-not-perfect-getting-better



GlenP

If they've been warned and failed to act I'd be inclined to report it to the Practice Manager first and give them a chance to respond. If they don't then notify the CQC and ICO (assuming this is UK, otherwise the local equivalents). Ultimately it's your sensitive data that's at risk of being compromised.

Caver_Dave

Not just medical centres, but I've seen it on a hospital ward as well. When I pointed out that I just walk behind the nurses station and log into their systems using the information on show, I was met with a shrug from the two Nurses. I spoke to one of the Board Members who I know and she said that it was one of the things that she was trying to eradicate, but that maglement were objecting, as it meant that staff would have to log in the ever rotating locums all the time.

At least my Pharmacist wife has to use a Smart Card to get into her medical laptop.

The Oddest Thing

Bebu sa Ware

is that you just know that they have never had a problem with their systems and probably never would have.

The fool and the simpleminded appear to be cloaked in a protective field which the rest of us don't enjoy.

I suppose too, the visitors to a NHS clinic are so preoccupied with their own concerns that they wouldn't notice the whiteboard and if they did there would be no incentive for them to screw up further an already adequately fucked up NHS.

A lot of practices in these parts appear to use the same security card on a lanyard tech as banks use for their teller's terminals. A couple of minutes of inactivity the card has to be swiped again to unlock the terminal and applications. Passwords alone then might not be very useful without the corresponding card etc.

Re: The Oddest Thing

lordminty

"I suppose too, the visitors to a NHS clinic are so preoccupied with their own concerns that they wouldn't notice the whiteboard"

Wot? We're reading about it here. Someone did notice the whiteboard!

Re: The Oddest Thing

PB90210

He's thinking of a hypothetical waiting room where you get seen immediately and don't have time to notice the surroundings... unlike the real world where you've finished reading the stack of Punches from 1963, done the crossword in the Practical Weasel Keeper, memorised the symptoms for beri-beri in pregnant buffalo and am now counting all the drawing pins on all the noticeboards...

Re: The Oddest Thing

Caver_Dave

78 pins on the notice board in my Doctor's waiting room!

Yes, I was there a long time as someone who should have gone to A&E, had gone to the Doctor's, who (a Doctor and a Nurse) then had to attend the patient while they waited for an Ambulance!

When I eventually saw a Nurse she admitted that it was a regular occurrence, as people think (incorrectly) that it avoids some of the wait in the A&E.

Re: The Oddest Thing

smudge

A lot of practices in these parts appear to use the same security card on a lanyard tech as banks use for their teller's terminals. A couple of minutes of inactivity the card has to be swiped again to unlock the terminal and applications.

Not in the NHS hospital I was in recently. The nurses would wheel round trolleys carrying integrated PCs, screens, keyboards... and smartcard readers. The system would keep them logged on as long as the smartcard was in the reader. It didn't time them out. The nurses, of course, frequently left their PCs logged in and unattended for long periods while they dealt with the needs of the patients...

No 'Medical Centers' in the UK!

Anonymous Coward

'...local medical center.'

So, is it in the UK, whereupon it's a Medical Centre, or is it in the US-centric world of Medical Center? If the latter, NHS policy is not likely to be relevant...

Re: No 'Medical Centers' in the UK!

MiguelC

"US-centric"? Shouldn't those be "US-centirc"?

Envy of the World!

Anonymous Coward

Non-UK readers, here is the resounding evidence that the UK's beloved NHS is the acclaimed "Envy of the World"!

Just look at what you're missing out on!

Conflicts of Interest

Eclectic Man

The NHS has a responsibility to provide healthcare. Access to their IT systems is required to ensure the best possible care is available when necessary. There is a conflict in providing access and tight security for the IT systems. The NHS was criticised for leaving staff logged in when absent from their terminals, but at some times of day logging on could take several minutes to half an hour, so logging out was not really an option.

Obviously displaying the account names and passwords for all, including visitors, to see is a major issue, but consider whether the system allows them to do their jobs of treating the sick and injured efficiently without some work-arounds for difficult or slow IT systems.

Countermeasure

Steve Hersey

Sneak over to the board when it's unwatched, and change all the displayed passwords.
