PEBUAK does absolutely occur, but then we should be asking if the users should be responsible for security, that's why IT are there. Given the systems I worked with (the ones in the north, rather than Cerner, so I can't comment on London, sorry), and given the architecture used, you remove the ability at the point of use to use things like USB keys, etc. The login/logout can be solved with technology, and sharing smart cards will be something fixable by HR policy. People need to be held to account. The problem where this breaks down is where data is taken out of the data centres, which in my experience *are* secure, it's when that data is fed to systems still hosted by the trusts, such as data warehouses, reporting systems, path labs etc. At this point we lose stewardship of the data from a central point of view, and back to the trust (a non IT organisation) taking responsiblity for it. something that is proven to be bad. So for my money is that the disaster scenario of the data centres being Haxored, and all data being released is very slim, so the central function works. But sadly to be used, the data has to be given back to the trusts, and that's where the problem comes in... PEBUAK. How do we solve that? Buggered if I know.