Study Finds Password Misuse In Hospitals Is 'Endemic' (securityledger.com)
chicksdaddy writes from a report via The Security Ledger: Hospitals are pretty hygienic places -- except when it comes to passwords, it seems. That's the conclusion of a recent study by researchers at Dartmouth College, the University of Pennsylvania and USC, which found that efforts to circumvent password protections are "endemic" in healthcare environments and mostly go unnoticed by hospital IT staff. The report describes what can only be described as wholesale abandonment of security best practices at hospitals and other clinical environments -- with the bad behavior being driven by necessity rather than malice. "In hospital after hospital and clinic after clinic, we find users write down passwords everywhere," the report reads. "Sticky notes form sticky stalagmites on medical devices and in medication preparation rooms. We've observed entire hospital units share a password to a medical device, where the password is taped onto the device. We found emergency room supply rooms with locked doors where the lock code was written on the door -- no one wanted to prevent a clinician from obtaining emergency supplies because they didn't remember the code." Competing priorities of clinical staff and information technology staff bear much of the blame. Specifically: IT staff and management are often focused on regulatory compliance and securing healthcare environments. They are excoriated for lapses in security that result in the theft or loss of data. Clinical staff, on the other hand, are focused on patient care and ensuring good health outcomes, Ross Koppel, one of the authors of the report, told The Security Ledger. Those two competing goals often clash. "IT want to be good guys. They're not out to make life miserable for the clinical staff, but they often do," he said.
There is a right way and a wrong way to do this. In my experience, all the hospitals do it the wrong way - which is to write down the actual password.
The correct way to do it is simple: write down a password that is systematically wrong.
If the password is 845, write down 734.
If the password is EmerC@rE, write down eMERc2Re, or perhaps R,rV#tR (check your keyboard).
Simple cryptography works fine.
excitingthingstodo.blogspot.com
General Electrics: "Oh, we didn't tell you but we'll need a 24/7 IPSec VPN to this 500,000€ piece of equipment (and all its consoles) you just bought from us."
Me: "What."
General Electrics: "I know your medical imagery dept. is currently airgapped but hey, easy enough to correct, right?"
Me: "Yeah, no, it's not that easy."
General Electrics: "Then I'm afraid you've got a 500,000€ paperweight until you comply with our demands."
That was last year.
Heh, yeah, it's pretty obvious when people comment on these articles that they never tried to work with doctors (or lawyers for that matter). I've seen a department chair storm into the CEO's office of a large health care org and literally scream at him because he couldn't get to a sports website due to a new content filter. Was he fired? Reprimanded? Asked nicely to calm the fuck down? Hell no. The content filter was changed after a huge shitball rolled down that hill onto the IT staff's heads.
I browse on +1 so AC's need not respond, I won't see it.
You don't even have to have the entire device itself air-gapped from the internet, just its primary functions. Put a separate board in each device that has a NIC in it with a one-way interface (only receiving data) to the actual health device (heart monitor, IV, etc). ID/Admin can secure the networked part of it to their hearts' content and manufacturers/bean counters/developers/monitors can still have access to the logs, but the actual device functions via simple keys, with maybe a simple hospital-wide password that is changed on a yearly/as-needed basis just to keep some random nut from messing with the settings.
Implant all the staff with chips. The kind they use for pets.
Then they can log on by head-butting the computer.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."