Slashdot Mirror
Study Finds Password Misuse In Hospitals Is 'Endemic' (securityledger.com)
chicksdaddy writes from a report via The Security Ledger: Hospitals are pretty hygienic places -- except when it comes to passwords, it seems. That's the conclusion of a recent study by researchers at Dartmouth College, the University of Pennsylvania and USC, which found that efforts to circumvent password protections are "endemic" in healthcare environments and mostly go unnoticed by hospital IT staff. The report describes what can only be described as wholesale abandonment of security best practices at hospitals and other clinical environments -- with the bad behavior being driven by necessity rather than malice. "In hospital after hospital and clinic after clinic, we find users write down passwords everywhere," the report reads. "Sticky notes form sticky stalagmites on medical devices and in medication preparation rooms. We've observed entire hospital units share a password to a medical device, where the password is taped onto the device. We found emergency room supply rooms with locked doors where the lock code was written on the door -- no one wanted to prevent a clinician from obtaining emergency supplies because they didn't remember the code." Competing priorities of clinical staff and information technology staff bear much of the blame. Specifically: IT staff and management are often focused on regulatory compliance and securing healthcare environments. They are excoriated for lapses in security that result in the theft or loss of data. Clinical staff, on the other hand, are focused on patient care and ensuring good health outcomes, said Ross Koppel, one of the authors of the report, who told The Security Ledger. Those two competing goals often clash. "IT want to be good guys. They're not out to make life miserable for the clinical staff, but they often do," he said.
If you forget a password, someone may die right in front of you. You can choose to write that password down and reduce security, or you can take a chance that you'll forget what this month's 12 character combination of at least two upper case, two lower case, 2 numbers, and 2 non-alphanumeric characters is in a pressure situation and the result will be death or injury to a human in your care and, likely, a lawsuit and dismissal.
Until this is fixed, people are going to write down passwords.
Is it just my observation, or are there way too many stupid people in the world?
because people can't remember the password or code for that exact door or device? at some point you accept some lapse in security for the greater good
In a hospital, misuse would be epidemic.
Gotta get down on Friday
Click to the actual article.
Click to the link to the actual study.
Check out the properties on the PDF. It was created in 2014.
Time for a new study.
At my doctor's office they have the passwords taped to the computers.
Having been in the trenches for a number of years, it isn't just heathcare where password misuse is 'Endemic' I am not sure how paywalled this article is but this here: ~~ "Those two, competing goals often clash. “IT want to be good guys. They’re not out to make life miserable for the clinical staff, but they often do,” he said." ~~ I've been in their shoes, and at the next HIPAA Compliance check they are doomed with IT taking most of the blame. We can only advise them in the end to follow best practice. Anyone have an article about a doctor being fired for password misuse and not IT? Just my 2 cents.
In healthcare, "impact on patient care" trumps essentially everything else. Do you really want to be the CIO who has to explain that a patient died because providers couldn't quickly access medication or supplies?
It's a constant battle to find the right balance between security best practices, regulatory compliance, and providers revolting...
Let me remind everyone here that there are always two failure modes of a simple component, type 1 and type 2. A switch can fail open-circuit or short-circuit; a lock can fail locked or open, and a password failure can be either "will let people in who shouldn't be allowed to get in" or "won't let people in who need to get in".
You can alway take one failure rate to zero by making the other failure rate 100%. Reducing the rate of type 1 errors tends to increase the rate of type 2 errors, and vice versa.
Basically, the hospital workers are voting "there are too many errors of the type "can't get in when we need to", and we need a work-around to prevent this."
http://www.geoffreylandis.com
I worked for a multiple-doctor location, and ALL use the same password, and the doctors tell the nurses they can't change their password. The nurses have the doctor's passwords in the EMR system and prescribe things to patients and fill out the doctor's paperwork. You push for change, stating it's against HIPAA policy and will get them in trouble, they act as if you're a fool for even suggesting it. 26 doctors I answered to, and they all felt entitled to have the nurses do everything for them except talk to or cut on the patient...
It's all asinine. I have a whole new perspective of the medical industry; I find it both laughable and horrifying.
-Systems Admin
As usual, security people always think that security is the only thing that matters. And they also like to blame these 'bad practices' on the users instead of bad security policies. Patient care and ensuring good health outcome absolutely SHOULD be a higher priority considering that they are the entire point of a hospital. Biometrics or maybe smartcards are probably a far better solution for hospitals anyway, especially if the current situation requires everyone to remember a large number of passwords (written down passwords everywhere are an obvious outcome of this approach).
... that "security" is still mostly a mindfap for "tech"* and not at all even close to the needs of the users.
Then again, much of end user computing in general is this. Even "GUI" falls under this, as a matter of fact. Reasons why cruelly left as an exercise.
* Driven by a mixture of the usual tech neophily and "clever" sales and marketeering.
Security is important - that we all know. But, there must be a compromise between asset protection/control and unhindered availability. In a crisis, I wouldn't want my nurse/doctor getting the code to the drug cabinet confused with how many cc's/mg's or whatever is supposed to go into the shot that I'm about to get! Maybe biometrics would be a better alternative?
I work in an analytical simulation lab, and as a sysadmin these guys are notorious for sharing their passwords either out of an inability to understand unix file permissions or out of callous disregard. I was told when I joined that "this is just how it is" and that kind of management level complacency is what i think drove it all.
my solution was 3 fold. First, I expired everyones password. Next, departments are restricted to their specific laptops and workstations. Analytics should not be logging into design workstations, or vice versa. And finally, yubikey for anyone who needs access to finite elements or VPN, or simulator hardware that runs in a test chamber. The whole thing required serious management buy-in, which was easily the hardest part. It also required me to train users on posix permissions and how to properly collaborate in a unix-like environment, which for most newer college grads was completely foreign. greybeards in the labs were a huge help here.
Good people go to bed earlier.
Security that gets into the way of the worker to the point where it hinders him in his actual work will be circumvented without remorse. Actually, it will be done with the justification of increasing productivity. An example:
Take a security door that MUST be closed all the time for security reasons because something valuable is stored behind that door. Now take a worker that has to haul heavy items through that door. The prescribed flow of operation would be that he unlocks the door, goes through it, locks the door behind him, picks up whatever heavy item he has to haul, puts it down at the door, unlocks the door, opens the door, carries the heavy item through, puts it back down, closes the door, locks the door and then carries the heavy item to its destination.
How many times do you think he'll do this before that door is wedged open?
To him, that door is a nuisance and, worse, it is something that lowers his productivity and, in his opinion because he does not know the other implications, hurts his company. It isn't something he does for personal gain where he'd hurt his company, like checking his Facebook page on company time or watching YouTube videos, something he would at least feel guilty for, it is something he does FOR the company because it means he can work faster.
That is by some margin the worst kind of security infraction because it is done without remorse and with a good justification.
How much more likely is something in a health related area where the justification can well be saving someone's life?
This is why you have to plan your security in such a way that it does not impede the workflow of your workers more than absolutely necessary. Yes, that means you have to actually do your fucking job as a CISO and not just spout some insane and harebrained password requirements that force everyone to write it down 'cause they cannot remember them. You have to find out how to automatize away security from your workers. Perfect security isn't one where your workers stumble upon it every single time they want to do it, perfect security is achieved if the worker doesn't even interact with it anymore and hence CANNOT fuck it up, neither deliberately nor accidentally.
The aforementioned door could be made secure without causing your worker additional stress simply by giving him a RFID token and the door opening if it is being scanned. If you want to make theft of the token unlikely, activate it when the worker signs in in the morning (using the RFID token and a pin key, so someone stealing the RFID token would not know the pin) and deactivate it when he leaves. This is trivially possible and if whatever you have to secure is so important, the cost for implementing this are negligible as well.
But you have to do it. Instead of just offloading the burden of security onto your workers.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
. . . .to worry about passwords. Both my daughters work at the local hospital, a regional medical center. ~450 beds. 5000+ employees.
IT Shop ? 3 people. They're too busy putting out brush-fires to even THINK about more than out-of-the-box configs. It's to the point that both daughters (one is a ward admin, the other a radiology trainee ) spend about a third of the time as de-facto frontline IT Techs.
I rather suspect it's not an isolated case. . .
DHS being the Defense Health Service of the DoD. Someone had the brilliant idea of requiring the use of CACs (ID cards) to log in to terminals used by military medical personnel worldwide. This would satisfy the HIPAA requirements, keep Security happy, make it easy to log who was seeing what, and generally be a Good Thing.
Then it was pointed out that using a CAC for login required a connection to validation servers. And field hospitals in Afghanistan, Iraq, and other places generating lots of patients might not have good connections... Oh, and Navy ships at (and especially under) sea can also lack good connectivity.
Amazingly, the Powers That Be agreed that the Idea, while Good, was not practical, so using the CAC is now recommended rather than required.
Best Slashdot Co
My wife is a practitioner and she constantly complains how when she's with a patient, the system locks her out and demands a password change - which can take several minutes because they have this cloud EMR shit that's hosted across the country and is slower than shit.
Or just having the system time out fast. She's with a patient listening to their health complaints and examining them and then the system times-out and she has to log in again - and go through the obscene obstacle course of a UI to get back where she needs to be.
Of the jobs she's had and my experience in that environment, I have yet to see a medical system that has the practitioner in mind. As my doctor says, "These things are written for the insurance companies and many times make no sense to us."
Biometrics in a hospital setting are hard lots of gloves lots of issue with sterilization. Contactless is pretty easy the problem is you have upteen vendors that do not work with it. It's a case where you need something like HIPPA or similar to require it vs a nebulous you should follow good standards to get all the suppliers to get working with a standard.
No sir I dont like it.
If you could go into any govt office and look around its just as bad with post it notes with all kinds of login information everywhere. What I don't get is when looking at these they look like they have been put there since the beginning of time. Now I don't know about most of you but if I typed the same login information in for decades the last thing I need is a post it note. So no im not buying this "we cant have passwords and save lives" bullshit because it happens in office settings were no lives are at risk and still see the same lazy ass attitudes towards security. Call me an IT nazi but I would tear them all down and the first person that put up a post it note with login information on it would be immediately fired. Im sure if you fire a few of the worst offenders that others would catch on that this is no longer acceptable.
most hospital devices should NEVER require a password for physical access and use.
To remember passwords, I have lives to save!
Captcha: Predict
Shouldn't the expectation of privacy / security also be discussed?
Everyone should have an expectation of privacy, however, is such a potentially chaotic setting, should we still have such strict restrictions? Shouldn't the individual have to accept some risk to his privacy in such a setting when taking advantage of it?
Perhaps the restrictions themselves should have some language that would only punish those that are negligent with the patient's privacy - allowing IT to relax their restrictions somewhat and explore other mechanisms to increase privacy but allow for action to be taken when needed. (ex. general staff awareness of privacy / security requirements)
Thoughts?
The Password is...
AntiBioticResistant.
There is a right way and a wrong way to do this. In my experience, all the hospitals do it the wrong way - which is to write down the actual password.
The correct way to do it is simple, right down a password that is systematically wrong.
If the password is 845, write down 734.
If the password is EmerC@rE, write down eMERc2Re, or perhaps R,rV#tR (check your keyboard).
simple cryptography works fine.
excitingthingstodo.blogspot.com
Sounds like the perfect place to implement biometric security measures,a simple self cleaning finger print scanner seems ideal for this situation..
The fact that we IT professionals have not come up with a universal replacement for passwords is the IT industry's biggest failure in my lifetime.
Security professionals cannot simply demand that business stops when security policies are not met. IT security and policies should support the mission of the organization - not the other way around.
For starters, go ahead with your weak rationalizations about why any of these critical devices need to be on a network that is also connected to the Internet.
Go ahead...
We play the game with the bravery of being out of range
There are some places where security just isn't needed. Where I work we are having discussions kinda like this:
Security team: All new products must support two-factor authentication!
Development: On the juke box??
What you just tried to say might be interesting. Can you try writing it as sentences rather than words in seemingly random order with commas inserted at random? Then readers can know what you are trying to say.
The chorus will now all sing, "You can't always get what you want" I set my priorities, the IT staff sets their priorities, the administration sets their priorities, etc What about the patients???
" and mostly go unnoticed by hospital IT staff."
and mostly go willfully unnoticed by hospital IT staff.
Fixed that for you.
Though it is more correct to say "hospital IT staff turn a blind eye to the practice".
Because, that biometric and password-protected issue-the-drug-machine you mentioned ? Likely a Pyxis SupplyStation, and ***very*** easily hacked. With a screwdriver. They even discussed it here on Slashdot several months ago. . .
Proximity badges for doors/computers, and fingerprint scanners for medication/supply dispensers solves the problem.
But since that costs money to implement, management prefers to push the blame for non-compliance to the individual rather than admit the system is hindering efficient work practices.
Maybe another few committees, a self-learning powerpoint presentation (or five), and a mandatory in-service will show the peons the error of their ways.
That's not my work password, it's my debit-card PIN!
I write my work password down on the back of my debit card.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I'm sure there are viable solutions to these kinds of problems, as others have mentioned it's about striking a balance between security and accessibility.
Personally, I'd think this scenario would best be suited to magnetic/swipe cards.
You could also take a deterrent approach as opposed to a prevention approach by allowing access to things with no restriction, but unless a security measure is taken an alert is raised, i.e. alarm. This would deter opportunists while allowing staff access in an emergency without a security measure.
I'm the Admin for a High-Tech factory. While we do use some very dangerous chemicals, those are pretty well restricted using physical means. However, on the factory floor itself, the company has historically used shared passwords for most of the manufacturing tools themselves. While this doesn't currently pose much of a safety threat, it does make tracking "who did what" basically impossible. Additionally, we were recently acquired by a Public company, and due to SOX, the whole "shared password" thing is a big no-no. While my problems are not as nearly "life or death" as the Medical scenario, I can relate.
As a replacement authentication technology, I've been investigating various Biometrics, RFID cards, etc., as possibilities. Some could work, but face potential barriers in my environment (our factory is a "Clean Lab" environment...everyone has to wear Clean Suits, gloves and masks.) Because of the gloves, things like Fingerprint scanners won't work. Face recognition doesn't seem to be up to par yet based on the trials I've done. The use of RFID tags would work, but then you have the issue of potential theft of said tag.
I haven't had time to try one yet, but years ago at an office building I worked at, they had a sort of "hand measurement" system...basically, you would put your hand on the plate and squeeze some pins between your fingers. Then you would have to enter a PIN on a keypad. I could see something like this working in my environment, but frankly haven't had time to go looking for one.
In the end, it seems that Password security is the best (especially if it is Multi Factor,) but is not always practical. I wonder what others have used as alternatives.
Endemic? Endemic? Don't you mean "nosocomial"?
It also required me to train users on posix permissions and how to properly collaborate in a unix-like environment
Are you posting from 1993?
We play the game with the bravery of being out of range
Endemic1?
"Hospitals are pretty hygienic places -- except when it comes to passwords, it seems. "
Hardly. Bad hygiene in hospitals kills over 100.000 people a year in the US alone.
http://abcnews.go.com/GMA/stor...
Pressure to perform QUICKLY, ALL THE TIME, on every 16 hour shift.
One company has announced the new product line called Password PostIts, specifically for this misuse.
These are just as easy to use.
1.Write the password down on the post It.
2.Peel off.
3.Stick in a convenient location, preferably visible to human traffic
4.Sell them by the gajillions
5.Profit!
What makes them unique is they are non-stick postIts. Other than being lime green, they really don't stay on for very long.
WARNING: Smartphones have side effects--most of them undocumented.
The IT staff felt I was competent enough to be given Admin access to my machine. So I shrank the Windows partition and installed Debian in the empty space. Works great! I can do my work just as well on Debian as I can in Windows
This is a social problem and IT tries to solve it with a technical solution. Enforcing this technical solution will not solve anything. At least not in the long run.
The issue is that everybody looks at the problem as a problem with THEIR system and forget that security is not a technical issue. It is a social issue. It is a process and humans are the most important part of that process as well the reason it exists.
I have some hundred websites with passwords. At mu job I can not even select my login, so that is an added bonus. Not all are maintained systems by our IT department. I am not an IT person, so I have no way of installing some password reminder program on my work PC (OK, I could and get fired for installing software on the system)
I have one system the rquires me to change the password EVERY FUCKING WEEK!
So yes, I make use of simpeler passwords. I write down the one that I need to change each week.
I have asked and not often gotten an answer why I must change my password every 30 days. If I need to change it every 30 days, why not 29, or 7 or every day? If I would need to replace my lock at home every month, I would doubt the security standard of said lock.
Unfortunately I do not have a solution. I just know what we have now is not workable anymore.
Perhaps a method where you use an RFID in combination with a PIN or even Bluetooth in combination with a PIN might work. Forgot your RFID? The procedure to get a backup should be pretty easy to implement.
There should also perhaps be a need for an 'override' procedure.
Whatever the solution is, you need to work with the people you want it to use.
Don't fight for your country, if your country does not fight for you.
If you forget a password, someone may die right in front of you.
I'm surprised that more hospitals haven't implemented CAC:
https://en.wikipedia.org/wiki/Common_Access_Card
You generally need a pass card for most offices now anyway, so allowing it may not be a bad idea. When the work day first begins, you login with BOTH the passcard AND a password, which starts a 4/8/10 hour timer window. With-in that window you can only SIMPLY use your card to login, but once it passes you have to re-login. This way if the card is lost you still need two-factor.
Basically putting a Kerberos ticket on the card for single sign-on for a limited time.
There is a password for seemingly every cabinet, door, closet, med cart, wireless and wired devices (not just your dozen patient record accounts, but little things like glucometers and every other gadget), other computer accounts, etc. and each has it's own rules (length, special chars, caps, numbers) and they expire frequently, but at different intervals. Is it any wonder that people can't remember them all? I have over 100 account at the few hospitals I work at. They are written in a card in my wallet, in marker on my ID, on door frames, and on the wall above the Pyxis (free narcs to anyone who can figure it out).
The biggest security problem here is the complexity... no one can realistically be expected to commit this mess to memory.
Fingerprints are not the answer... I wear gloves a lot of the time. My anecdote here is that I needed a med for a patient in distress from a cart that required a fingerprint... I pulled off my glove and the cart wouldn't recognize my sweaty fingerprint. Nurses were running up and down the hall and none of the carts would open. I sprained my ankle trying to kick the door off. The situation progressed to CPR on a young and healthy patient. The situation resolved without any damage to the patient. These situations need to stay anecdotal because they can't be allowed to happen with any frequency. ...But the IT situation gets worse month by month.
.. nameless which I worked at in IT at the early 2000's.
Network security was non existent. A few of us actually had NT4 and Windows 2000 desktops and actual domain accounts to login with, everyone else had Windows 98, and either a shared dept login or would just hit escape to bypass the login screen. At least the different medical apps required users to have a login for each one, but again login sharing was common as was writing down passwords because NOTHING was single sign on.
The cause of the issue at the end of the day was that IT was usually lumped in under Finance somewhere, and all Finance does is question every dollar spent with no interest in how to do IT properly. So a lack of money, and management leads to that mess.
Things were being improved around the the time I left a few years later, but as with most publicly funded government run organizations, the systemic issue of middle managers getting them selves involved in everything with their personal agendas basically kills off any hope of getting things done right and properly for the organization as a whole and in a way that the IT staff might actually get some form of enjoyment out of what they're there to do.
They don't invest the money to make things work smoothly in their IT service, it just has to work. The last hospital I worked for had no central authentication service. You had over a dozen passwords, they all needed to be changed at different times, and all had different requirements.
Some of the better systems I've seen had a PIN number tied to your longer password. The pin was only good for your shift and you had to change it on your next shift. It resisted brute force by locking out after so many attempts. It was expensive, so of course my hospital didn't want it. However they didn't mind dumping the cash into someone who tirelessly changed passwords all day long.
Chewbacon
The Bible is like Wikipedia: written by a bunch of people and verifiable by questionable sources.
Patient care cannot be delayed by anything, especially critical patient care. The specter of being slowed down by screwing up typing a complex password, forgetting a complex password and having to retrieve it, or other delays associated with passwords, are a direct threat to patient health and can lead to serious injury or death.
I remember when OSHA proposed a rule requiring a lockout device on a cardiac defibrillator to ensure that only qualified persons could use it. Fortunately that didn't go through, but technically, guarding rules still apply. Technically, the paddles require guarding, because they have voltage above 50 volts between them in normal operation. This would mean some kind of guard to prevent the conductive surfaces of the paddle touching anyone's skin while the device was in use. The guarding rule would also require someone verify the paddles were not energized before they were allowed to touch anyone.
Makes perfect sense to me - wouldn't want anyone getting shocked by a defibrillator, would we?
Implant all the staff with chips. The kind they use for pets.
Then they can log on by head-butting the computer.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
It also required me to train users on posix permissions and how to properly collaborate in a unix-like environment
Are you posting from 1993?
Are you also posting from inside an Escort Wagon?
Mordac, preventer of information services, is that you? Because it seems like all you've accomplished is making things way harder for everyone...
Worked with hospital data, patient data, and data from medical test devices for the last 35 years.
Security across the board is extremely poor, and many companies are secretly trying to monetize health data from private citizens.
If you find a company that puts medical data 'in the cloud', they will be hacked, or have been hacked already, and the data is 100% insecure.
For 35 years I have had to attend ethics training, with the same set of ass-clowns that don't have one ethical fiber in their body and don't give a crap about medical data or its security.
And, it will never improve one bit in the next 35 years either, as the companies in the u.s. don't consider data integrity and security something important.
The end-user is rarely schooled in ANYTHING IT-related. Keyboards are an obstacle. Mice are an obstacle. Add bureaucracy to this and you have very frustrated users who are not going to take kindly to passwords or any other additional obstacle.
Last time I saw a doctor he was forced to "code" the X-Ray I was about to get in one of about fifty different codes made necessary by the accounting system. He couldn't see the extended explanations on the page because the data elements had been squished together. Obviously an SQL database. I helped him along.
"First you need to expand that window to fill the entire screen."
"How do I do that?"
"You see that empty square at the top right? Click that."
(Screen expands. Data is still hidden.)
"OK. Now take your mouse and grab that very tiny vertical bar separating those two fields and drag it to the right."
(Fumbles around.)
"No. Move the mouse until that vertical bar doubles. Now press the left mouse button and drag to the right."
"My God. Now you can see the whole thing!"
"Uh huh."
All the time he was complaining about the bean counters. Finally, he just chose a code at random. I got my X-Ray, then an MRI. Torn meniscus. Still hurts.
How about a moderation of -1 pedantic.
The Password is...
AntiBioticResistant.
Sorry Dave. The password you entered is a vulnerable to a dictionary attack. Please enter a new password conforming to the Information Systems Security Protocol Password Requirements Directive and Manual v2.79191. You have three more attempts before the system locks your account for 30 days.
We don't need a password on every device and door for security. Patients have a welcome lobby where they are screened for security on the way in. Doctors enter through another door that scans credentials and screens for security. Once inside, that's it! No one should have passwords on ANYTHING.
I don't have passwords with anyone who knows me. They know me. Here is a $10,000,000,000 Idea. Figure out how to get rid of passwords. These insipid things must go!
That's a pretty short sighted comment considering the audience here.
A small medical company trying to develop a fetal link monitor to transmit data can do its best to secure its software. But when all the hackers from the US, Russia, Iran, China, and North Korea find a blip on the IP scanners, you can bet they will find a way to compromise the software. And if not the software, there are the API's, OS, protocols, and even hardware that can be vulnerable underneath a hardened application.
Absolutely. Even if walled off to only a local clinic, there would be tens of thousands of patients records accessible.
That's an argument I hear quite often.
But the reality is that people usually have lots of time. They are seriously lazy and adverse to security or paperwork or really anything harder than their paychecks direct depositing into their accounts.
To think of the time savings provided by a system that lets a user access all the patients records from one desk. Without needing to request a paper chart pull or a image from Xray couriered over. And yet they balk at the idea of remembering 8 letters.
Most physicians are coddled and have a whole team working for them so all they need to do is stroll down the hallway and chat with a few patients while pretending to care. Then they can get back to their live streaming ball game while digitally signing a few prescriptions their PA's filled in.
The machine isn't there to prevent all intrusions, such as someone with a screwdriver or prybar. It is there to prevent medications from randomly going missing. I repair the machines at a few local hospitals. Yes, they are more secure than having unlocked cabinets of pills, and as secure as having locked cabinets of pills.
The major purpose of them is the fact that the staff have to log in, identify a patient, verify that the patient has certain medicine prescribed, take that medicine, and confirm quantity. For the controlled substances, they are in locked bins within the drawers, so that you can't steal them while getting something else. The common medicines aren't worth the trouble of stealing, so are in unlocked bins.
But, hey, if you can push the cart down the hall to your truck and drive away, you can have all those dosages of opiates. Good luck on that.
If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
Yes; welcome to the medical industry.
I work for a hospital. I just counted 32 different systems that I need different passwords for.
There are alot of good comments here that all true in our hospital environment.
Patient care is always top priority and trumps everything else including IT and business needs.
This isn't a new problem and I'm sure its not unique to health care or other similar industries.
Technology has been a boat anchor dragging down the industry thanks to regulations like Hippa, and requirements that all records be kept electronically. Paper charts are banned. now. This is a classic example of what happens when legislators regulate something they know nothing about. I see it everyday, as I work at the helpdesk of a major midwestern hospital chain. I am convinced all the technology that end users can't figure out has led to dead and injured patients. I am a perma-temp, where I work, not an employee. Outsourcing in healthcare is another problem, but not the one we are talking about here. Anyway, many people working in healthcare are technically illiterate, and refuse to learn. Also software like Epic is too complicated for anyone but engineers. My mother, who was a nurse, is now happily retired. Epic and other high tech whizbangs made her last years in the industry hell. The worst part of it all is cost. Computers, commercial software, and all the support staff needed cost so much more than paper charts did. All they really needed to do was to make PDF of the old paper charts, and let people type into them That would have fixed the problem of scribbly doctor's handwriting. Washington broke it. Will they ever fix it?
The Uncoveror: It's the real news.
They actualy work rather well for my pets the cat flap uses them. Would need more security that just a serial number though.
No sir I dont like it.
I am in the process of moving from one large academic medical center to another, which will be my third.
When I arrived at the second institution, I was amazed at the IT policies. For one, they used some bastardized login system, which only really applied to the medical records system. So if my email was open, then I locked my computer and someone else walked up and logged in, they could read my email.
The auto-logout timeouts were so short, that if I was using the computer, then a nurse came in and we had a quick conversation, by the time I turned back to my computer, I would have to log in again. I would log in literally 100s of times a day when I was a junior trainee. Each log in took 30-300s to put up a usable EMR. This applied to all computers, even computers that were in physically secure areas (IE, you had to have badge access). Many people would circumvent this system with "mouse wiggle" type apps.
We only had to change our passwords yearly, but the rules for new passwords were insane and I would end up writing them down.
There is *no* security to the paging system, so anyone with the thought to Google " paging" could run wild.
*All* of the doors that I used had keycodes written on the jamb. If they weren't there, I wrote them. I didn't want to have to tell a loved one that their relative died because we couldn't get into the supply room to get the equipment we needed in an emergency.
At my current institution, when I started it took over a week to get me access to the email system. IT literally couldn't figure it out.
The password misuse isn't by medical staff. It's IT that is abusing standard password policies that aren't designed for man-rated procedures.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Based on my [very long] experience watching people deal with this in the real word....
The #1 reason passwords are written down is because of stupid, backwards, unnecessary expiration rules. It is in insane practice that somehow became "best practices" when it should have been declared "WORST practices" decades ago. When your perfectly good and memorized password expires every X days, you are going to either start writing it down, or make it insanely weak (or duplicated with other systems) so it can be remembered.
The #2 reason passwords are written down is because of stupid, backwards, unnecessary complexity rules. Yes, there have to be some minimum requirements (length, numbers) but some stuff is WAY overkill (I saw one that was it had to be 10 characters, with at least TWO of each- number, symbol, and caps).
Consultants/Politicians: We're going to move you to electronic healthcare records, you're going to love it! ... now what?
Doctors: I know it's old fashioned, but my paper records worked fine, why do we have to change?
Consultants/Politicians: Ha, ha, that's adorable. Now sign here to get your e-records database for $500k.
Doctors: Do I have to?
Consultants/Politicians: Do you like jail?
Doctors: Okay
Consultants/Politicians: Welcome to the future! Now, you and your staff just have to take this one week course to learn how to use our awesome software!
Doctors: When do I go back to being a doctor?
Consultants/Politicians: Ha, silly. Now every you time you see a patient, don't forget to check these sixteen boxes, double click twelve times in the box, and go through the four drop-down menus where the selection is always the second to last. And of course, make sure you click the box releasing us of liability!
Doctors: This is ridiculous, and these password requirements?
Consultants/Politicians: We're doing that for your benefit! It's so easy, just change your password twice a week, and make sure to use at least one letter, one number, and three chinese symbols whenever you choose one.
Doctors: Where's that post-it pad?
Consultants/Politicians: OMG! You wrote your password down, you have been hacked, how could you possibly break such a fool-proof system!
Fast Federal Court and I.T.C. updates
thats why. Though I have read recently they are trying to get into surfers medical queries by "making it convenient" or something like that.
Labs and ICU's are unlikely to take a Windows 10 update with their issues.
They want your data, meaning the government. Now why would this be? What did Ed Snowden tell the world?
Let us not forget the government database that Facebook is.
Implant all the staff with chips. The kind they use for pets. Then they can log on by head-butting the computer.
This was modded interesting but should be modded informative. Took my spouse in for routine surgery recently. Every single staff person used their ID card around their necks to get into EVERYTHING. It was faster and easier than typing a userID/password or even punching in a random keycode. It also provided a layer of authorization to keep staff OUT of more restricted equipment.
I'll confess my ignorance of the healthcare industry and will ask for a fellow Slashdotter to educate me - why is this not more commonplace?
Do they have to handle the card to place it in the reader, or can they just bump against it? There are hygiene concerns here.
My suggestion was a bit facetious, but there are more practical hands free methods.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
And of course they probably meant to be hyperbolic and cute by saying that it was 'Epidemic'. But instead they they were redundant and said that password misuse by hospital staff was not externally caused but instead originated with the staff themselves.
Frankly I was really surprised that nobody here called the writer on this shit earlier..or is it sooner?
It's not just passwords , lack of proper security leads to open file shares. That's why many hospitals have been subject to cryptolocker and other malware.
You just don't hear about it in the news.
RFID chips are a wonderful tech to replace passwords, Couple the RFID with some biometrics and you prevent stolen or borrowed card use. Wave the proximity card over the pad and insert hand in the reader... the door unlocks and records who went in at what time. For computer terminals, insert card in ready and scan a thumb print. If the card is withdrawn; the terminal logs you off and goes to sleep mode.
The biggest bugbear with this system is the "power failure" and "network outage" protocols. You need backup keys to critical doors and someone in charge to open the key box in an emergency. It would probably be best to leave the key to the emergency box in the custody of a senior nurse for a floor. Physicians don't have the mindset to be enabling others to do their job in an emergency.
This stuff was cutting edge in the 1990s and is proven technology for the nuclear industry since then. In 2003 there was a multi million dollar grant to study the feasibility of such tech which was "turnkey" in industry already. By 2014 you saw a limited use roll out of rfid id cards in, of all places, the Veterans Administration. It has been too long since I was active duty but the new military ID cards sure look like they contain a rfid and a smart chip.
NRRPT/RCT
endemic is my password!
Star Trek transporters are just 3d printers.
Pencils are very resistant to virus attacks.
We're speaking about hospitals.
Google about "Nosocomial infections", "MRSA", etc.
Nope. Not even pencils are resistant to virus attacks.
Just not the same virus.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Hey wait, didn't there used to be an invention just like this, but completely mechanical?
And given the complexity of a modern hospital, you'd have about half a kilogram worth of keys on your keyring just to get around.
And in some emergency situations, you will need to quickly to yank 4 of them out of your keyring and throw them to a medical student passing by (or a medical nurse passing by which by chance happens not to be required by the emergency) to send them to the pharmacy to bring you some extra medication.
Long before the invention of password, physical keys used to be "hidden" nearby critical doors.
(e.g.: Legally, morphine needs to be locked. But morphine can definitely be needed in a case of emergency. Therefor the key to access the box with morphine is hanging on a chain nearby).
(Actual anecdote in one of the military clinics were I've worked).
The closest actual equivalent that works up to some point is a wireless keycard (usually integrated into the name tab), with the infrastructure programmed to allow you around depending on it.
(I.e.: the access doors don't require a specific pin code, but are programmed to allow personal with a keycard which has been validated for that door).
(More or less done this way in the hospital where I did my studies).
But even then you'll find problems:
- You would need to give very broad access rights to very large groups of personnel, which isn't considered as a very bright practice.
(e.g.: absolutely all doctors and medical students would need to be granted access to nearly every door. Except maybe for the server room, the elevator shaft and the high-voltage transformation station. Because there are actually dozens of emergency scenarios where this will actually be needed)
- Or you need to find a way to quickly grant access to someone else.
- And even then, you need to make sure you have a correct strategy to make sure that all the access rights are up to date.
- You must be sure that the system won't block legitimate emergency access in case of total failure.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Also, no, someone won't die right in front of you because of a forgotten password, except maybe in a movie. Real-life healthcare doesn't work like that.
But real-life insurance, politics and regulation *do*.
e.g.: "Scheduled substance must always be kept locked" says the regulation. So they're in a locked box.
(Because, you know... some drug addict my steal them from a hospital for a change instead of trying to cook meth in their garden shed as usual~ )
But half of those scheduled substances might actually become useful in some emergency cases.
So the key to this box is hanging on a chain nearby / the pincode is written on a sticky note on the door.
(I'm not making this up, I've seen such situations).
A young docotor might be on night shift / rounds in internal medicine.
Means they are the only on on the whole floor (not only their sector but all the other sector on the same floor), and are the first responder in case of emergency until more staff is summoned and arrives.
If anything happens, they'll need to have access to all the necessary medication (some not so small backpack, filled with ampoules of nearly every substance needed. Some of which are regulated so the backpack needs to be locked when not in use). They need to have that access unhindered (there should be no confusion because they're not in their usual sector and not know necessarily how to access the backpack).
Hence the "misuse security" solution above.
Otherwise they would need to carry their own (not light at all) backpack everywhere with them (I've seen this also on some situations of military medicine or on terrain emergency response).
And that's just the drugs.
There's also the problem with devices. Ultrasound images come *EXTREMELY* handy in several emergency situations (to quickly see what's inside, to better and faster pinpoint a blood vessel or a nerve or the airways for some procedures, etc.)
If you can't get your image *NOW* just because you need to log into the fucking computer, somebody is going to die.
At least for that situation the tendency is changing. Instead of the just honking "computer on a tray with an US-imaging head" attached to it, emergency medicine is starting to rely on very small portable device (the size of a netbook, a tablet, or even a smartphone) that are completely offline (their only mean of communication with the outside world is a USB or SD port to save picture to- / upload updates from-) and contain no patient related data (the only attached metadata is the current time the picture was taken. And by "metadata attached", I mean it's part of the file name, because the device doesn't even bother to fill in the corresponding DICOM fields.
(= it a standard medical imaging format. A bit like what JPEG is for internet picture. And just like JPEG can have EXIF, a DICOM can contain a lot of information from the patient file)
So it's just: open the device, shoot the picture, done. No fumbling wiht stupid passwords.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Woah! That sounds like a wonderful place to work in!
I wish I did my intership there instead of the usual understaffed place, similar to the one described above.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
That was the strategy in place in the hospital were I've done most of my internship.
The name tab doubles as a smartcard.
Except that, to be able to actually function, they need to give very broad access rights to very large segment of their personnel.
e.g.: all doctors, and nearly all medical students, can open almost any door (with very few exceptions like high voltage transf. station, elevator shaft, etc.)
Which isn't the best practice from a security point of view, but is the best compromise between regulation (everything needs to be locked !!!) and emergency situations (need to send the student to get some medication).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]