Skip to main content

CQC Using Email to Verify Care Workers

The Care Quality Commission (CQC) has decided to put registration of Care Providers online to make everything faster and easier for the providers. At least that's what they said. In practice, care providers had to fill in the online forms addressing standards that won't be published for another 5 months after the registration deadline. Ignoring all the problems, ridiculous re-branding to avoid inconsistencies and money wasted, there was a serious problem/lack of understanding that has lead to this blog post.

All care providers and managers have to register online individually and have to agree to particular terms in order to be registered and, therefore, trade. I have no problem with this as these care providers are looking after vulnerable people. However, it became obvious that there are serious problems with their system. First off, it isn't possible to change the owner's name if you make a mistake (they can't change it either apparently). Therefore, if you make a mistake, you now have to lie to say that all the details are correct, otherwise you can't register and you'll be out of business - not a good start.

However, this is overshadowed by the fact that the CQC uses only email to verify care managers. First of all they sent a 6-character password to the main business email address with the URL and details of how to log in (no paper verification was done at all). Don't they realise that email is all sent in plaintext and can be read by anyone with a packet sniffer? When logged in, the care provider has to fill in some initial forms as the owner and then list the care managers that they employ. Following this, each care manager is sent a 6-character password via email in order to log in and register their care service. There are a couple of problems with this. Firstly, the email addresses are just entered during the initial form filling exercise and are not checked and secondly, you can't reuse the same email address. So if you are the manager for more than one care service you have to use two different email addresses. The stupid thing is that they accept any email address from an alias to the same mailbox through to hotmail accounts with no checking at all.

They don't seem to realise that half the email addresses people use are just aliases onto other email accounts. On one of my accounts I have 9 email addresses all delivering mail to the same mailbox as they are various options of name and domain all relating to the same company. However, CQC would treat this as 9 different people. There is no checking done to see if that really is the care manager at all. Anyone could sign up as long as they intercept the initial password. Who has access to the standard email address for the organisation? Usually several people and usually not the actual owner of the business - the only person who should receive that email. Due to the way their system works, if someone were to intercept that email (such as a disgruntled ex-employee) they could sign up with a random free email address begin the registration process, not complete it and put the care provider out of business as they won't have registered in the set time.

This is mostly a PR exercise as far as I can see and a bad one. They say that they are checking providers and improving standards. However, it is perfectly possible for the owners and managers to be completely unaware of their registration process because no actual checking is done. In addition, to assume that two email addresses entered into a website are for two different people, and base your authentication on that, shows a lack of understanding of the technology that they are forcing on people.

Edit: 13/7/10
I sent an email to the CQC about this issue and being able to hold people to it legally a while back and a few days ago I received a reply. Here is the main bulk of their reply:

"Thank you for taking the time to write to us and we would acknowledge that the
points you correctly make present some element of risk. To reassure you, and
your customer, we were previously aware of each of those points and have
considered, with our compliance and legal teams, the balance of risk that they
present and any difficulties with legal status that could result, before making
a positive decision to implement in this manner."
"To further reassure you, we commission independent penetration testing of our systems prior to go live to assure their security."
I did ask to see one of their security assessment reports, but was (unsurprisingly) turned down. I understand that they don't want everyone to know how their systems works as that could reveal further problems, but I would like to know what was actually said about this issue and how they justify it.

Comments

Popular Posts

You say it's 'Security Best Practice' - prove it!

Over the last few weeks I have had many conversations and even attended presentations where people talk about 'Security Best Practices' and how we should all follow them. However, 'Best Practice' is just another way of saying 'What everyone else does!' OK, so if everyone else does it and it's the right thing to do, you should be able to prove it. The trouble is that nobody ever measures best practice - why would you? If everyone's doing it, it must be right.

Well, I don't agree with this sentiment. Don't get me wrong, many of the so-called best practices are good for most organisations, but blindly following them without thought for your specific business could cause as many problems as you solve. I see best practice like buying an off-the-peg suit - it will fit most people acceptably well if they are a fairly 'normal' size and shape. However, it will never fit as well as a tailored suit and isn't an option for those of us who are ou…

Coventry Building Society Grid Card

Coventry Building Society have recently introduced the Grid Card as a simple form of 2-factor authentication. It replaces memorable words in the login process. Now the idea is that you require something you know (i.e. your password) and something you have (i.e. the Grid Card) to log in - 2 things = 2 factors. For more about authentication see this post.

How does it work? Very simply is the answer. During the log in process, you will be asked to enter the digits at 3 co-ordinates. For example: c3, d2 and j5 would mean that you enter 5, 6 and 3 (this is the example Coventry give). Is this better than a secret word? Yes, is the short answer. How many people will choose a memorable word that someone close to them could guess? Remember, that this isn't a password as such, it is expected to be a word and a word that means something to the user. The problem is that users cannot remember lots of passwords, so remembering two would be difficult. Also, having two passwords isn't really…

Security is a mindset not a technology

I often get asked what I look for when hiring security professionals and my answer is usually that I want the right attitude first and foremost - knowledge is easy to gain and those that just collect pieces of paper should maybe think about gaining experience rather than yet more acronyms. However, it's difficult to get someone to change their mindset, so the right attitude is very important. But what is the right attitude?


Firstly, security professionals differ from developers and IT engineers in their outlook and approach, so shouldn't be lumped in with them, in my opinion. The mindset of a security professional is constantly thinking about what could go wrong (something that tends to spill over into my personal life as well, much to the annoyance of my wife). Contrast this with the mindset of a developer who is being measured on their delivery of new features. Most developers, or IT engineers, are looking at whether what they have delivered satisfies the requirements from t…