Study Finds Password Misuse In Hospitals Is 'Endemic' (securityledger.com)
chicksdaddy writes from a report via The Security Ledger: Hospitals are pretty hygienic places -- except when it comes to passwords, it seems. That's the conclusion of a recent study by researchers at Dartmouth College, the University of Pennsylvania and USC, which found that efforts to circumvent password protections are "endemic" in healthcare environments and mostly go unnoticed by hospital IT staff. The report describes what amounts to a wholesale abandonment of security best practices at hospitals and other clinical environments -- with the bad behavior being driven by necessity rather than malice. "In hospital after hospital and clinic after clinic, we find users write down passwords everywhere," the report reads. "Sticky notes form sticky stalagmites on medical devices and in medication preparation rooms. We've observed entire hospital units share a password to a medical device, where the password is taped onto the device. We found emergency room supply rooms with locked doors where the lock code was written on the door -- no one wanted to prevent a clinician from obtaining emergency supplies because they didn't remember the code." Competing priorities of clinical staff and information technology staff bear much of the blame. Specifically: IT staff and management are often focused on regulatory compliance and securing healthcare environments. They are excoriated for lapses in security that result in the theft or loss of data. Clinical staff, on the other hand, are focused on patient care and ensuring good health outcomes, Ross Koppel, one of the authors of the report, told The Security Ledger. Those two competing goals often clash. "IT want to be good guys. They're not out to make life miserable for the clinical staff, but they often do," he said.
Having been in the trenches for a number of years, it isn't just healthcare where password misuse is 'endemic'. I am not sure how paywalled this article is, but this here: ~~ "Those two, competing goals often clash. "IT want to be good guys. They're not out to make life miserable for the clinical staff, but they often do," he said." ~~ I've been in their shoes, and at the next HIPAA compliance check they are doomed, with IT taking most of the blame. We can only advise them in the end to follow best practice. Anyone have an article about a doctor being fired for password misuse and not IT? Just my 2 cents.
I work in an analytical simulation lab as a sysadmin, and these guys are notorious for sharing their passwords, either out of an inability to understand Unix file permissions or out of callous disregard. I was told when I joined that "this is just how it is", and that kind of management-level complacency is what I think drove it all.
My solution was threefold. First, I expired everyone's password. Next, departments are restricted to their specific laptops and workstations: analytics should not be logging into design workstations, or vice versa. And finally, a YubiKey for anyone who needs access to finite elements, VPN, or simulator hardware that runs in a test chamber. The whole thing required serious management buy-in, which was easily the hardest part. It also required me to train users on POSIX permissions and how to properly collaborate in a Unix-like environment, which for most newer college grads was completely foreign. Greybeards in the labs were a huge help here.
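The first symptom the poster above describes, one account used by several people, usually shows up in the auth logs long before anyone admits to it: the same user authenticating from several different hosts within a few minutes. The following is an added example (not the poster's code or the lab's tooling) of that detection logic run over a handful of constructed sshd-style log lines; the hostnames, users and addresses are made up for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of sshd auth log lines; users, hosts and addresses are invented.
SAMPLE_LOG = """\
Mar 14 08:01:12 fea01 sshd[2201]: Accepted password for jsmith from 10.20.1.15 port 51022 ssh2
Mar 14 08:03:40 fea01 sshd[2210]: Accepted password for jsmith from 10.20.1.16 port 51030 ssh2
Mar 14 08:05:02 fea01 sshd[2222]: Accepted password for jsmith from 10.20.1.17 port 51041 ssh2
Mar 14 08:09:55 fea01 sshd[2240]: Accepted password for jsmith from 10.20.1.18 port 51050 ssh2
Mar 14 08:15:31 fea01 sshd[2260]: Accepted password for mchen from 10.20.2.40 port 40011 ssh2
Mar 14 09:45:10 fea01 sshd[2301]: Accepted password for mchen from 10.20.2.41 port 40020 ssh2
Mar 14 10:00:00 fea01 sshd[2350]: Failed password for root from 10.20.9.9 port 2222 ssh2
"""

# Matches only successful logins; the auth method (password/publickey) is not pinned down.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_logins(text, year=2016):
    """Return a list of (timestamp, user, ip) for every accepted sshd login in text.

    syslog timestamps carry no year, so one is supplied by the caller.
    """
    logins = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # failed attempts and unrelated lines are not login events
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        logins.append((ts, m["user"], m["ip"]))
    return logins


def find_shared_accounts(logins, window_minutes=15, min_hosts=3):
    """Flag users seen from at least min_hosts distinct IPs inside any sliding window.

    Returns {user: sorted list of the IPs seen in the first window that trips the threshold}.
    A single user on two or three machines can be legitimate; the defaults are a starting
    point to tune against the environment, not a universal threshold.
    """
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ts, user, ip in logins:
        by_user[user].append((ts, ip))

    flagged = {}
    for user, events in by_user.items():
        events.sort()  # chronological, so each event can open a window
        for i, (start, _) in enumerate(events):
            hosts = {ip for ts, ip in events[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    for user, hosts in find_shared_accounts(parse_logins(SAMPLE_LOG)).items():
        print(f"{user}: logins from {len(hosts)} hosts within 15 min -> {', '.join(hosts)}")
```

On the sample, jsmith is flagged (four distinct hosts in nine minutes) while mchen is not (two hosts, ninety minutes apart). Against a real log, the same query is more useful as a daily report than as an alert, since the point is to show management the shape of the problem before expiring anyone's password.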
Good people go to bed earlier.
. . . .to worry about passwords. Both my daughters work at the local hospital, a regional medical center: ~450 beds, 5000+ employees.
IT shop? 3 people. They're too busy putting out brush fires to even THINK about more than out-of-the-box configs. It's to the point that both daughters (one is a ward admin, the other a radiology trainee) spend about a third of their time as de facto frontline IT techs.
I rather suspect it's not an isolated case. . .
My wife is a practitioner, and she constantly complains about how, when she's with a patient, the system locks her out and demands a password change, which can take several minutes because they have this cloud EMR shit that's hosted across the country and is slower than shit.
Or just having the system time out fast. She's with a patient, listening to their health complaints and examining them, and then the system times out and she has to log in again and go through the obscene obstacle course of a UI to get back to where she needs to be.
Of the jobs she's had, and from my experience in that environment, I have yet to see a medical system that has the practitioner in mind. As my doctor says, "These things are written for the insurance companies and many times make no sense to us."
"Hospitals are pretty hygienic places -- except when it comes to passwords, it seems. "
Hardly. Bad hygiene in hospitals kills over 100,000 people a year in the US alone.
http://abcnews.go.com/GMA/stor...
Add to this the great volume of doctors, interns, nurses, technicians, assistants, etc. that need access to these understaffed and overly busy places, and that come and go frequently. You arrive at a unit in the hospital and everything is password protected, all the passwords are different, and you need to get into many of them to do your job and help people in various stages of critical need. Nobody has taken the time to tell you what the common passwords are (for getting into locked rooms) or even given you your personal authorization to get at med dispensing machines, because they don't have the 15 minutes needed to do that (they'll get to this a little later when the breathing is stabilized or the pain is addressed). Don't be surprised that security is squarely in the way of getting things done, but make it easier for people to survive and be productive in this kind of environment.
If you forget a password, someone may die right in front of you.
I'm surprised that more hospitals haven't implemented CAC:
https://en.wikipedia.org/wiki/Common_Access_Card
You generally need a pass card for most offices now anyway, so allowing it may not be a bad idea. When the work day first begins, you log in with BOTH the passcard AND a password, which starts a 4/8/10-hour timer window. Within that window you can SIMPLY use your card to log in, but once it passes you have to re-login. This way, if the card is lost, you still need two-factor.
Basically putting a Kerberos ticket on the card for single sign-on for a limited time.
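The scheme in the two posts above (full card-plus-password login at the start of a shift, card-only logins inside a fixed window, full login again once it expires) is small enough to write down end to end. The following is an added example, not the posters' code nor any real CAC or Kerberos implementation: an HMAC-signed, time-limited token stands in for the Kerberos ticket, the card is modelled as a serial number that presents the token, and the user, card serial and password are invented. The check that matters for the "card is lost" case is that a token is only honoured for the card it was issued to, and that unenrolling the card kills its token immediately rather than at expiry.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical server-side key. In a real deployment this lives in the KDC/auth server, not in a module.
SERVER_KEY = secrets.token_bytes(32)
WINDOW_SECONDS = 8 * 3600  # one full shift; the posts suggest 4/8/10 hours
MAC_LEN = 32

# Constructed credential store (invented user and password): user -> (salt, PBKDF2 hash).
def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

_SALT = secrets.token_bytes(16)
USERS = {"drpatel": (_SALT, _hash_password("correct horse", _SALT))}
CARDS = {"CARD-0001": "drpatel"}  # card serial -> enrolled user


def _sign(payload):
    """Append an HMAC-SHA256 tag and base64-encode; this is the 'ticket' written to the card."""
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def _verify(ticket):
    """Return the ticket's claims if the tag is valid, otherwise None (never trust claims before the MAC check)."""
    try:
        raw = base64.urlsafe_b64decode(ticket)
    except ValueError:
        return None
    payload, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(payload)


def start_of_shift(card_id, password, now=None):
    """Two-factor login: card + password. Returns a ticket bound to this card, or None on failure."""
    now = time.time() if now is None else now
    user = CARDS.get(card_id)
    if user is None:
        return None
    salt, stored = USERS[user]
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return None
    claims = {"user": user, "card": card_id, "exp": now + WINDOW_SECONDS}
    return _sign(json.dumps(claims).encode())


def tap_login(card_id, ticket, now=None):
    """Card-only login inside the window. Returns the user, or None if the ticket is forged, expired,
    issued to a different card, or the card has been unenrolled since."""
    now = time.time() if now is None else now
    claims = _verify(ticket)
    if claims is None:
        return None
    if claims["card"] != card_id or claims["user"] != CARDS.get(card_id):
        return None  # a lost card's ticket is useless on another card, and vice versa
    if now >= claims["exp"]:
        return None  # window over: caller must fall back to start_of_shift()
    return claims["user"]


def revoke_card(card_id):
    """Lost/stolen card: unenrolling it invalidates its outstanding ticket at once."""
    CARDS.pop(card_id, None)


if __name__ == "__main__":
    t0 = time.time()
    ticket = start_of_shift("CARD-0001", "correct horse", now=t0)
    print("mid-shift tap:", tap_login("CARD-0001", ticket, now=t0 + 3600))
    print("after window:", tap_login("CARD-0001", ticket, now=t0 + WINDOW_SECONDS + 1))
```

Two things the toy version shares with a real ticket design are worth keeping in mind: the server, not the card, decides what the ticket means, so a stolen ticket cannot be extended by editing its expiry; and revocation works only because `tap_login` re-checks enrolment on every tap instead of trusting the claims alone. What it does not model is the timeout problem raised elsewhere in the thread: a card tap resuming a locked session is a separate UI decision from how long the ticket lives.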
No, the devices need to be connected to a private LAN where they can, in turn, talk to machines that may also need to talk to the internet.
Yup. These are things that, by their use, need to be fail-safe rather than fail-secure. And, yes, they really need to be air-gapped from the internet. But that would be inconvenient to the administrators and developers, so they prefer instead to make it inconvenient to the practitioners.
Air gapped systems have their own problems. Embedded and dedicated systems already have a completely dismal record when it comes to getting updated, and disconnecting them from the internet only makes that problem worse. And not just security updates, but functional bugs that actually put patients at (greater) risk. And more and more complex systems have phone home capabilities for remote monitoring and proactive support, capabilities that stop working when you air gap the systems.