When sending personal information to NHS patients, a PDF document is sent by email, and a separate four-digit code is typically sent by SMS. Many NHS patients complain that these documents are too difficult to access.
So, why does the NHS place this barrier in front of patients?
This comes from NHS England's Confidentiality Policy. Page 10 states the following:
"When e-mailing to addresses other than the secure domains described above the information must be sent as an encrypted attachment with a strong password communicated through a different channel or agreed in advance."
In plain terms, NHS England forbids its employees from emailing sensitive data without first encrypting it.
This principle comes from a good place - but as with many parts of the NHS, it has been very poorly thought out and implemented.
Note the requirement for a "strong password". In practice the password is typically a four-digit PIN, which is extremely weak: it could be cracked in a matter of minutes at most, depending on the performance of common PDF libraries.
Even putting aside the fact that many programmers could automate this procedure - consider that a regular person sitting at a computer could simply attempt passwords 1000 to 9999, or that this could be outsourced to cheap labour in a third world country.
The system therefore protects only against someone inadvertently reading the document, which is pretty much already prevented by emailing it rather than sending it through insecure physical post. So why add extra security? The only reason to do so is if the security is actually meaningful. To prevent an easy brute-force attack against the password, it needs to be longer. However, even with a longer password, we come to the next issue - the password is re-used.
Each time an NHS patient receives an email with an encrypted attachment, it seems to always use the same password. This means that, in the case where a patient is being targeted and requires the added security, an attacker can simply crack the password once and then access every single document.
Worse still, we have received evidence that PDF encryption is carried out manually - which leaves the process prone to human error, and cases where NHS employees forget to encrypt sensitive data, which is a breach of their own policy.
If the NHS had thought this through logically, they would have had someone automate the encryption of all PDFs prior to sending them, such that there is no room for mistakes.
Sadly, the NHS is not what it once was, and most logic has left them behind.
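One way to automate the pre-send check that the points above on weak PINs, password re-use and manual encryption call for, added here as an example and not taken from any NHS system: it refuses to send when the PDF is unencrypted, the password is too short, or the password has been used before. The 64-bit threshold, the alphabet, the function and class names and the sample PDF bytes are assumptions made for this example, and the /Encrypt test is a heuristic where a production gate would use a PDF library.

```python
import hashlib
import math
import re
import secrets

ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # constructed: look-alike characters left out
MIN_BITS = 64  # assumed threshold for this example; the policy only says "strong"
# Constructed sample inputs: minimal PDF trailers without and with an /Encrypt entry.
SAMPLE_PLAIN = b"%PDF-1.7\ntrailer\n<< /Size 4 /Root 1 0 R >>\n%%EOF"
SAMPLE_ENCRYPTED = b"%PDF-1.7\ntrailer\n<< /Size 5 /Root 1 0 R /Encrypt 4 0 R >>\n%%EOF"

def new_password(length=16):
    """Fresh password per document from the OS CSPRNG (about 79 bits at 16 characters)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def estimated_bits(password):
    """Upper bound on guessing entropy from length and the character classes used."""
    size = 0
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[^0-9a-zA-Z]", password):
        size += 32
    return len(password) * math.log2(size) if size else 0.0

def is_encrypted(pdf_bytes):
    """Heuristic: an encrypted PDF references an /Encrypt dictionary in its trailer."""
    return re.search(rb"/Encrypt\s*(\d+\s+\d+\s+R|<<)", pdf_bytes) is not None

class OutboundGate:
    """Blocks a send unless the attachment is encrypted with a strong, unused password."""

    def __init__(self):
        self._used = set()  # SHA-256 digests of passwords already sent out

    def check(self, pdf_bytes, password):
        """Return the reasons to block the send; an empty list means it may go."""
        digest = hashlib.sha256(password.encode()).hexdigest()
        problems = []
        if not is_encrypted(pdf_bytes):
            problems.append("attachment is not encrypted")
        if estimated_bits(password) < MIN_BITS:
            problems.append("password too weak")
        if digest in self._used:
            problems.append("password already used for an earlier document")
        if not problems:
            self._used.add(digest)  # remember only passwords that were actually sent
        return problems
```

A four-digit PIN scores about 13 bits here against roughly 79 bits for a 16-character password from new_password(), so the gate rejects the PIN even when the attachment itself is encrypted.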
Conclusion
If you are struggling to access password-protected PDFs from the NHS, the cause of this is NHS England's Confidentiality Policy. The policy is also of very little use, due to permitting weak four-digit PINs and password re-use. It therefore ends up inconveniencing the patient for no practical benefit.