
NHS gets £40M to cut login times on its IT systems - GordonS
https://www.theguardian.com/society/2020/jan/04/nhs-gets-40m-to-cut-login-times-on-its-it-systems
======
Peradine
I work in the NHS; this is the current user experience:

1. Type in user name and password onto computer

2. Logs in to Windows, normally taking ~60 seconds, unless you've got the
computer where the WiFi signal is poor (yes, WiFi on desktops!) and you get a
'no log in servers'

3. Windows finally loads, click the icon for the software for viewing blood
test results

4. An Internet Explorer window opens, then closes, then after 10 seconds the
software opens

5. Type in your username and password, wait 10 seconds

6. Now I want to prescribe some medications, close the first software
(computer can't cope with two things open at once), click the logo for the
prescribing software

7. A Google Chrome window opens, slowly loads the prescribing software
website

8. Type in username and password

9. Navigate through the slow and unintuitive prescribing software

10. Oh wait, I can't prescribe this particular drug without checking a blood
test result, close the prescribing software and go to step 4

11. Some alarm goes off, so I have to lock the computer and run. Return from
dealing with the alarm, go back to step 1

~~~
pjc50
Likely causes:

1) PC is desperately under-provisioned, probably several years old and
upgraded to Windows 10

2) Too large roaming profile (easy situation to get into and hard to spot
other than "it's slow")

3) Too slow AD profile server to get the large profile from

4) Internal websites "should" use NTLM authentication if available, which
would remove the requirement to log in again, but forwarding this outside the
domain properly is remarkably hard

5) Smartcard auth can offer the drop-in use case with no typing, but it's a
pain to provision and costs more

In many cases you'd be better off with an IBM 3270 terminal but with higher
resolution text and images...

In my previous job we built a Windows CE-based system that let you log in
instantly by tapping a keyfob and brought the screen you were last using up
anywhere on the site, running on fifteen-year-old hardware. It was for selling
beer.

~~~
DanBC
> probably several years old and upgraded to Windows 10

...probably still running Windows 7.

~~~
hollander
Probably 5 years old or older, maybe only 2GB of RAM, and back then already
underpowered.

------
cs02rm0
I've worked on a widely used NHS IT system and specifically looked at login
times for it.

We had an issue at one site where instead of taking 30 seconds to log in it
took over 20 minutes. Our JDBC driver was using the default fetch size and the
network latency was killing it.

As you may be able to tell, that had nothing to do with authentication - it
was a thick client that downloaded a bunch of reference data at login. I left
that role well over a decade ago but I've been back into a hospital in the
last year or so and it was still in use, in fact, I couldn't see that it had
changed at all.

Good luck to them, it's money well spent, but I doubt £40m is going to fix
much.

~~~
sumedh
> JDBC driver was using the default fetch size... it was a thick client that
> downloaded a bunch of reference data at login

Not exactly sure what you mean. Was the login SQL query fetching more data
than needed? In that case, shouldn't you tweak the query?

~~~
cs02rm0
No, the data was necessary (though there are a stack of different optimisation
strategies they could have pursued with varying trade-offs).

Fetch size is a standard JDBC parameter for tweaking the number of rows paged
in a database query. The Sun/Oracle default was 10 rows and the app needed to
retrieve thousands. So it would retrieve 10, process them, retrieve 10 more,
etc. Which was minimal overhead on most networks, but on a network with high
latency it meant there was perhaps a couple of seconds delay with each fetch.
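The fetch-size effect described above, as an added illustration (not code from the original post or from the system discussed): the helpers model how many client/server round trips a query of a given size costs at a given fetch size, and the loader shows the standard JDBC `setFetchSize` call that overrides the driver default. The JDBC URL, credentials, table and column names are placeholders.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class ReferenceDataLoader {
    // Placeholder connection details; substitute the real JDBC URL and credentials.
    private static final String JDBC_URL =
            "jdbc:oracle:thin:@//DB_HOST_PLACEHOLDER:1521/SERVICE_PLACEHOLDER";

    /** Round trips needed to page `rows` rows when the driver fetches `fetchSize` rows at a time. */
    static long roundTrips(long rows, int fetchSize) {
        if (fetchSize <= 0) throw new IllegalArgumentException("fetchSize must be positive");
        return (rows + fetchSize - 1) / fetchSize; // ceiling division
    }

    /** Seconds spent purely waiting on the network, given one round-trip time per fetch. */
    static double estimatedLatencySeconds(long rows, int fetchSize, double rttSeconds) {
        return roundTrips(rows, fetchSize) * rttSeconds;
    }

    /** Loads a reference table with an explicit fetch size instead of the driver default. */
    static List<String> loadReferenceCodes(Connection conn, int fetchSize) throws SQLException {
        List<String> codes = new ArrayList<>();
        String sql = "SELECT code FROM reference_codes ORDER BY code"; // hypothetical table
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setFetchSize(fetchSize); // rows transferred per round trip (a driver hint)
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    codes.add(rs.getString(1));
                }
            }
        }
        return codes;
    }

    public static void main(String[] args) throws SQLException {
        long rows = 5000;   // constructed: thousands of reference rows, as in the post
        double rtt = 0.5;   // constructed: 500 ms round trip on a high-latency link
        System.out.printf("fetchSize=10   -> %d round trips, ~%.0f s waiting%n",
                roundTrips(rows, 10), estimatedLatencySeconds(rows, 10, rtt));
        System.out.printf("fetchSize=1000 -> %d round trips, ~%.0f s waiting%n",
                roundTrips(rows, 1000), estimatedLatencySeconds(rows, 1000, rtt));
        try (Connection conn = DriverManager.getConnection(JDBC_URL, "USER_PLACEHOLDER", "PASSWORD_PLACEHOLDER")) {
            System.out.println("loaded " + loadReferenceCodes(conn, 1000).size() + " reference codes");
        }
    }
}
```

With the constructed numbers the default of 10 rows costs 500 round trips (about 250 s of pure waiting) against 5 round trips at a fetch size of 1000.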

------
mrweasel
Sadly the only login system I’ve seen that truly made a positive difference in
these types of organisations has been discontinued for years.

Sun had SunRay terminals with smartcards that allowed users to seamlessly move
from terminal to terminal. It was a solution that would have been
revolutionary if Microsoft had implemented it in Windows. Being Solaris only
means that only a few of us ever saw what could be done and how easy logins
and moving from terminal to terminal could be.

~~~
trollied
NHS staff (at least in my local authority) do have cards that they put into
their keyboards to login to Windows.

It's still a joke that all systems don't hang off their
AD/LDAP/jumpcloud/whatever though.

~~~
mrweasel
With the SunRays you’d log in to everything, pull your card and your session
and applications would still be running on the Solaris server in the basement. Put
the card back in and your session and applications would be right back to
where you were. So unless applications automatically log you out after some
time, there would be no reason to log in again.

Sure, you’d still not have SSO, but you could just leave everything running,
logged in, in your session on the server.

~~~
lima
That's how a modern Windows Terminal Server/Citrix/whatever infrastructure
works, smartcards and all.

~~~
mrweasel
Cool, I did not know that.

Why would any organisation choose to deploy regular desktops if this option
exists, and why wouldn’t someone like the NHS already be using this?

~~~
DanBC
> and why wouldn’t someone like the NHS already be using this?

We all say "The NHS", but it's made up of a bunch of different companies.

[https://www.nhsconfed.org/resources/key-statistics-on-the-nhs](https://www.nhsconfed.org/resources/key-statistics-on-the-nhs)

    135 acute non-specialist trusts (including 84 foundation trusts)
    17 acute specialist trusts (including 16 foundation trusts)
    54 mental health trusts (including 42 foundation trusts)
    35 community providers (11 NHS trusts, 6 foundation trusts, 17 social enterprises and 1 limited company)
    10 ambulance trusts (including 5 foundation trusts)
    7,454 GP practices
    853 for-profit and not-for-profit independent sector organisations, providing care to NHS patients from 7,331 locations

------
mgkimsal
Somewhat unrelated, but... I had an interaction with a state agency IT dept. I
do some contract work on a project for a state agency, and we're being forced
to move all server/hosting to in-house state IT. Our team was given logins,
and on the initial run through with the PM, he said "it's a little slow, but it
may just be my login". Well... mine was slow too - doing an SSH into the
system brings up a 20-40 second pause, then asks for a password, then ...
another 20-40 seconds before a shell comes up.

I did some digging - there are errors in /var/log/messages and /var/log/secure
(RHEL 7), and... most of this is caused by an initial hang while trying to
reach an ldap server which doesn't exist - it just hangs and times out.

I pointed this out to their tech people, asking for some assistance, and had
multiple back-and-forths where they kept saying "we're seeing you logged in".
I had to keep replying "the problem is it takes 65-70 seconds to log in - this
surely can't be normal". No one ever said it was normal, but one guy wrote
privately and said, more or less, "we deal with a lot of systems, and have
standard setups. It's better to just have everyone use the standard configs
for all systems, even if they're a bit buggy, but not completely broken".

I'm not even sure if I should be surprised by this, but... it was certainly
disheartening.

------
acidburnNSA
My SO works in healthcare in the USA. Logging in to the VA takes about 3-5
minutes. To do some research stuff she often has to double-RDP into a special
machine that's allowed to see her anonymized datasets, inception-style. I'm a
research engineer with lots of computational skills in a different field, but
I can never help with a quick Python/scipy script because I'm not allowed to
get near the anonymized data. It's frustrating because she could be at least
10x more productive, especially on data processing side, with a better IT
situation. Most doctors don't know Python, but the ones doing research could
use it.

The login thing is just obnoxious.

~~~
blattimwind
VA systems also run on MUMPS, a language/runtime that is reportedly as
pleasant as having the disease itself.

------
Traster
I love that we've gotten down to the point we're no longer even pretending
that we're going to consolidate the mess that is the NHS IT system. Much
better that we just make sure it's easy to log in to the 57 different services
than to actually rationalise the systems in the first place.

------
Spooky23
Hilarious that this is a news story with zero content.

So they are spending 40 million to consolidate AD. Translation: they are
probably hiring a dozen consultants, buying Quest and Imprivata and moving one
department of a hospital in 4 years. They may do a demo of Azure AD to check
the AI box.

~~~
insomniacity
I think you're wrong on both counts - it's coming to multiple trusts (several
friends and family have mentioned it), and despite the timing of the article it
is actually already in production or currently rolling out - I guess they
forgot to release it before now.

~~~
Spooky23
If that’s the case, I bet it’s the implementation phase of a bigger project.
That scope is too big for that amount of money in a government healthcare
setting.

------
stupeo
About time this problem has specific funding.

With all the disparate systems an NHS member of staff needs to use, they
really need a robust SSO and Context Management solution. Even with a
wall-to-wall EPR like Epic there are some huge gaps that other systems need to
plug, hence multiple logins and extended waits before a user is productive.

~~~
Scoundreller
Epic does allow building out a tab or button for external apps/webpages that
handles login?

Except apps that have nothing to do with patients... eg HR.

------
arpinum
I’ve looked at NHS login [1] as a developer. The process is a mess of filling
out forms, waiting months for reviews (the service is being rationed like many
things in the NHS), answering questions about political imperatives and
executive sponsorship, requests for more reviews and paperwork, etc. It’s no
wonder their previous attempts at this have failed; it’s simply easier to meet
budgets and deadlines (read: funding cycles) by rolling your own auth.

If this next one is going to work, they need to consider the developer
experience as well as the end users.

[1] [https://digital.nhs.uk/services/nhs-login/nhs-login-for-partners-and-developers/nhs-login-integration-toolkit](https://digital.nhs.uk/services/nhs-login/nhs-login-for-partners-and-developers/nhs-login-integration-toolkit)

------
at_a_remove
I have tried to investigate a similar (if much smaller in scale) problem at
one job. Our logins were just taking entirely too long. Granted, we had a
notoriously "it's on your end" unhelpful parent IT department to work with,
but I found just trying to understand the list of steps that go on in the
background for a single login to finish on Windows to be something of an
occult science. Finding the tools to just measure the different times each
step takes was almost impossible; I had hints for a few steps there, a
suggestion for one step over _here_, and so on, but nothing complete.

Even an empty profile on a relatively new, recently wiped computer was
painful.

------
blfr
I loathe every login screen except for Google's. Why is it that only one
company in the world (and sshd but there's no login screen when set up
properly) can get it right? Is it really a piece of software that requires
hundreds of millions of dollars to get right?

And people who try to fix it so often make things worse. I was very excited
about notion.so until I learned I will have to keep clicking magic links for
eternity. (Yeah, I know, they support logging in via Google which reinforces
my point.)

~~~
dijit
Odd. I dislike Google’s very much. Although I use Google’s with many accounts
(personal/work/partner), sometimes URLs will just assume my identity is “logged
in account index 0” and give me a permission denied, or pass me to a page
which has no way of changing the active account. I found that most URLs can
have “u/1/” pretty much anywhere to change accounts, but if they have rewritten
the URL before I see the permission denied or black hole then it’s useless.

There’s also the fact that Google recently forced JavaScript and specific
browsers to be used in order to be able to log in. So I was locked out of my
account for a while until someone discovered that the “rules” are a little
more lax for Firefox user agents.

To add to this: I’m certainly no Microsoft fanboy, but the best login I have
experienced (in my life, I think) is Azure AD with SAML. It seems to use
Kerberos silently in the background to do the SAML handshake. It’s truly
seamless and very fast.

Even if I’m logged in to Outlook from Office 365 (from a non-enrolled computer)
I won’t even be presented with another login screen. I’ll just be logged in
like “magic”.

~~~
lima
> _There’s also the fact that google recently forced Javascript and specific
> browsers to be used in order to be able to login. So I was locked out of my
> account for a while until someone discovered that the “rules” are a little
> more lax for Firefox useragents._

There's a ton of threat mitigation and detection of unusual activities going
on behind the scenes. This is a big reason why my company uses GSuite SSO -
it's basically impossible to achieve a similar level of security with a DIY
SSO setup. Auth is _very_ hard to get right with all corner cases considered.

JS trickery is key to detecting bots, and blocking super-outdated browsers
like Konqueror that basically lack all modern security mitigations is a
reasonable thing to do (and probably allows them to remove less strict
fallbacks for those browsers that were previously abused by bad actors).

~~~
SahAssar
> blocking super-outdated browsers like Konqueror that basically lack all
> modern security mitigations is a reasonable thing to do

Except they still allow browsers far more insecure, like IE. And they could do
feature detection to see if the security features are implemented or not.

Blocking user-agents does nothing good for anyone.

~~~
lima
IE has a much larger market share, so they probably spend a lot of extra time
on IE special cases.

~~~
SahAssar
That means it doesn't have anything to do with security.

------
notlukesky
I work for a system integrator that also offers Identity and Access Management
systems. Some of our offerings have both modern directory services and SSO and
multi-factor authentication solutions with access control policies like
SAASPASS. I don’t understand how this deployment would cost 40 million pounds
even with IAM consulting and training.

It would be good to see the actual breakdown of the spending as it probably
includes other spending as well. If not, then it is questionable spending.

~~~
cstross
I suspect you don't grasp the sheer size of the NHS. 2.15 _million_ staff (of
whom 1.4M are doctors, nurses, and medical specialists), _at least_ 350 hospitals
(depending on definitions) ... in terms of employment, this is the fifth
largest employer in the world. This isn't about a single, universal,
organization-wide SSO system: there are a bunch of systems, and it's a given
that many of them are obsolescent, underpowered, legacy systems including
exotic or proprietary kit.

Think of it in terms of SSO for an organization the size of the entire US
Armed Forces and you'll begin to grasp the scale of the problem.

~~~
rkeene2
I think you VASTLY underestimate the size of US Armed Forces in terms of
what's required for authentication, authorization, and access control.

US DOD has well over 4 million Active Duty, Civilian Employees, Contractors,
etc. Though numbers are hard to pin down, since the number of contractors is
in many cases not what is being paid for by the contract (e.g. firm-fixed
price, and service-based contracts like IDIQ where the contract holder
dedicates cleared staff, but otherwise it's hard to know; compared to time-
and-materials/"butts-in-seats" where numbers are known by the Government per
contract).

The US DOD attempted to move everything to MS AD at one point but hit a
limitation in the number of objects AD lets you create (~2bn).

------
MrDrDr
A startup in this space to watch:
[http://iamrecognised.com/](http://iamrecognised.com/)

~~~
scrollaway
Yes, always nice to see security consultants run http-only websites.

If they don't show they have the basic know-how on how to set up an SSL cert, I
don't want them touching auth.