Slashdot Mirror
Study Finds Password Misuse In Hospitals Is 'Endemic' (securityledger.com)
chicksdaddy writes from a report via The Security Ledger: Hospitals are pretty hygienic places -- except when it comes to passwords, it seems. That's the conclusion of a recent study by researchers at Dartmouth College, the University of Pennsylvania and USC, which found that efforts to circumvent password protections are "endemic" in healthcare environments and mostly go unnoticed by hospital IT staff. The report describes what can only be described as wholesale abandonment of security best practices at hospitals and other clinical environments -- with the bad behavior being driven by necessity rather than malice. "In hospital after hospital and clinic after clinic, we find users write down passwords everywhere," the report reads. "Sticky notes form sticky stalagmites on medical devices and in medication preparation rooms. We've observed entire hospital units share a password to a medical device, where the password is taped onto the device. We found emergency room supply rooms with locked doors where the lock code was written on the door -- no one wanted to prevent a clinician from obtaining emergency supplies because they didn't remember the code." Competing priorities of clinical staff and information technology staff bear much of the blame. Specifically: IT staff and management are often focused on regulatory compliance and securing healthcare environments. They are excoriated for lapses in security that result in the theft or loss of data. Clinical staff, on the other hand, are focused on patient care and ensuring good health outcomes, said Ross Koppel, one of the authors of the report, who told The Security Ledger. Those two competing goals often clash. "IT want to be good guys. They're not out to make life miserable for the clinical staff, but they often do," he said.
Having been in the trenches for a number of years, it isn't just heathcare where password misuse is 'Endemic' I am not sure how paywalled this article is but this here: ~~ "Those two, competing goals often clash. “IT want to be good guys. They’re not out to make life miserable for the clinical staff, but they often do,” he said." ~~ I've been in their shoes, and at the next HIPAA Compliance check they are doomed with IT taking most of the blame. We can only advise them in the end to follow best practice. Anyone have an article about a doctor being fired for password misuse and not IT? Just my 2 cents.
I work in an analytical simulation lab, and as a sysadmin these guys are notorious for sharing their passwords either out of an inability to understand unix file permissions or out of callous disregard. I was told when I joined that "this is just how it is" and that kind of management level complacency is what i think drove it all.
my solution was 3 fold. First, I expired everyones password. Next, departments are restricted to their specific laptops and workstations. Analytics should not be logging into design workstations, or vice versa. And finally, yubikey for anyone who needs access to finite elements or VPN, or simulator hardware that runs in a test chamber. The whole thing required serious management buy-in, which was easily the hardest part. It also required me to train users on posix permissions and how to properly collaborate in a unix-like environment, which for most newer college grads was completely foreign. greybeards in the labs were a huge help here.
Good people go to bed earlier.
. . . .to worry about passwords. Both my daughters work at the local hospital, a regional medical center. ~450 beds. 5000+ employees.
IT Shop ? 3 people. They're too busy putting out brush-fires to even THINK about more than out-of-the-box configs. It's to the point that both daughters (one is a ward admin, the other a radiology trainee ) spend about a third of the time as de-facto frontline IT Techs.
I rather suspect it's not an isolated case. . .
"Hospitals are pretty hygienic places -- except when it comes to passwords, it seems. "
Hardly. Bad hygiene in hospitals kills over 100.000 people a year in the US alone.
http://abcnews.go.com/GMA/stor...
Add to this the great volume of doctors, interns, nurses, technicians, assistants, etc. that need access to these understaffed and overly busy places, and that come and go frequently. You arrive at a unit in the hospital and everything is password protected, all the passwords are different, and you need to get into many of them to do your job and help people in various stages of critical need. Nobody has taken the time to tell you what the common passwords are (for getting into locked rooms) or even given you your personal authorization to get at med dispensing machines, because they don't have the 15 minutes needed to do that (they'll get to this a little later when the breathing is stabilized or the pain is addressed). Don't be surprised that security is squarely in the way of getting things done, but make it easier for people to survive and be productive in this kind of environment.
No, the devices need to be connected to a private LAN where they can, in-turn, talk to machines that may also need to talk to the internet.
Yup. These are things that, by their use, need to be fail safe rather than fail secure. And, yes, they really need to be air-gapped from the internet. But that would be inconvenient to the administrators and developers, so they prefer instead to make it inconvenient to the practitioners.
Air gapped systems have their own problems. Embedded and dedicated systems already have a completely dismal record when it comes to getting updated, and disconnecting them from the internet only makes that problem worse. And not just security updates, but functional bugs that actually put patients at (greater) risk. And more and more complex systems have phone home capabilities for remote monitoring and proactive support, capabilities that stop working when you air gap the systems.