Slashdot Mirror


Study Finds Password Misuse In Hospitals Is 'Endemic' (securityledger.com)

chicksdaddy writes from a report via The Security Ledger: Hospitals are pretty hygienic places -- except when it comes to passwords, it seems. That's the conclusion of a recent study by researchers at Dartmouth College, the University of Pennsylvania and USC, which found that efforts to circumvent password protections are "endemic" in healthcare environments and mostly go unnoticed by hospital IT staff. The report describes what can only be described as wholesale abandonment of security best practices at hospitals and other clinical environments -- with the bad behavior being driven by necessity rather than malice. "In hospital after hospital and clinic after clinic, we find users write down passwords everywhere," the report reads. "Sticky notes form sticky stalagmites on medical devices and in medication preparation rooms. We've observed entire hospital units share a password to a medical device, where the password is taped onto the device. We found emergency room supply rooms with locked doors where the lock code was written on the door -- no one wanted to prevent a clinician from obtaining emergency supplies because they didn't remember the code." Competing priorities of clinical staff and information technology staff bear much of the blame. Specifically: IT staff and management are often focused on regulatory compliance and securing healthcare environments. They are excoriated for lapses in security that result in the theft or loss of data. Clinical staff, on the other hand, are focused on patient care and ensuring good health outcomes, said Ross Koppel, one of the authors of the report, who told The Security Ledger. Those two competing goals often clash. "IT want to be good guys. They're not out to make life miserable for the clinical staff, but they often do," he said.

2 of 198 comments

  1. Apply security where it makes sense by MobyDisk · Score: 3, Funny

    There are some places where security just isn't needed. Where I work we are having discussions kinda like this:

    Security team: All new products must support two-factor authentication!
    Development: On the juke box??

  2. Re:Just amazing by MobyDisk · Score: 5, Funny

    This is great, because I am on the other side of that, possibly building that 500,000€ paperweight right now!

    Security: You must provide a way to remotely update your medical devices so they aren't vulnerable to zero-day exploits!
    Me: Okay, I will turn on automatic updates.
    Regulatory: Wait! Software changes must be tested and approved first. That takes a few months.
    Customer: Our regulatory group says the lab must be air gapped.
    Everyone: *Head explodes*