Slashdot Mirror
Study Finds Password Misuse In Hospitals Is 'Endemic' (securityledger.com)
chicksdaddy writes from a report via The Security Ledger: Hospitals are pretty hygienic places -- except when it comes to passwords, it seems. That's the conclusion of a recent study by researchers at Dartmouth College, the University of Pennsylvania and USC, which found that efforts to circumvent password protections are "endemic" in healthcare environments and mostly go unnoticed by hospital IT staff. The report describes what can only be described as wholesale abandonment of security best practices at hospitals and other clinical environments -- with the bad behavior being driven by necessity rather than malice. "In hospital after hospital and clinic after clinic, we find users write down passwords everywhere," the report reads. "Sticky notes form sticky stalagmites on medical devices and in medication preparation rooms. We've observed entire hospital units share a password to a medical device, where the password is taped onto the device. We found emergency room supply rooms with locked doors where the lock code was written on the door -- no one wanted to prevent a clinician from obtaining emergency supplies because they didn't remember the code." Competing priorities of clinical staff and information technology staff bear much of the blame. Specifically: IT staff and management are often focused on regulatory compliance and securing healthcare environments. They are excoriated for lapses in security that result in the theft or loss of data. Clinical staff, on the other hand, are focused on patient care and ensuring good health outcomes, said Ross Koppel, one of the authors of the report, who told The Security Ledger. Those two competing goals often clash. "IT want to be good guys. They're not out to make life miserable for the clinical staff, but they often do," he said.
If you forget a password, someone may die right in front of you. You can choose to write that password down and reduce security, or you can take a chance that you'll forget what this month's 12 character combination of at least two upper case, two lower case, 2 numbers, and 2 non-alphanumeric characters is in a pressure situation and the result will be death or injury to a human in your care and, likely, a lawsuit and dismissal.
Until this is fixed, people are going to write down passwords.
Is it just my observation, or are there way too many stupid people in the world?
because people can't remember the password or code for that exact door or device? at some point you accept some lapse in security for the greater good
Having been in the trenches for a number of years, it isn't just heathcare where password misuse is 'Endemic' I am not sure how paywalled this article is but this here: ~~ "Those two, competing goals often clash. “IT want to be good guys. They’re not out to make life miserable for the clinical staff, but they often do,” he said." ~~ I've been in their shoes, and at the next HIPAA Compliance check they are doomed with IT taking most of the blame. We can only advise them in the end to follow best practice. Anyone have an article about a doctor being fired for password misuse and not IT? Just my 2 cents.
Let me remind everyone here that there are always two failure modes of a simple component, type 1 and type 2. A switch can fail open-circuit or short-circuit; a lock can fail locked or open, and a password failure can be either "will let people in who shouldn't be allowed to get in" or "won't let people in who need to get in".
You can alway take one failure rate to zero by making the other failure rate 100%. Reducing the rate of type 1 errors tends to increase the rate of type 2 errors, and vice versa.
Basically, the hospital workers are voting "there are too many errors of the type "can't get in when we need to", and we need a work-around to prevent this."
http://www.geoffreylandis.com
I work in an analytical simulation lab, and as a sysadmin these guys are notorious for sharing their passwords either out of an inability to understand unix file permissions or out of callous disregard. I was told when I joined that "this is just how it is" and that kind of management level complacency is what i think drove it all.
my solution was 3 fold. First, I expired everyones password. Next, departments are restricted to their specific laptops and workstations. Analytics should not be logging into design workstations, or vice versa. And finally, yubikey for anyone who needs access to finite elements or VPN, or simulator hardware that runs in a test chamber. The whole thing required serious management buy-in, which was easily the hardest part. It also required me to train users on posix permissions and how to properly collaborate in a unix-like environment, which for most newer college grads was completely foreign. greybeards in the labs were a huge help here.
Good people go to bed earlier.
Security that gets into the way of the worker to the point where it hinders him in his actual work will be circumvented without remorse. Actually, it will be done with the justification of increasing productivity. An example:
Take a security door that MUST be closed all the time for security reasons because something valuable is stored behind that door. Now take a worker that has to haul heavy items through that door. The prescribed flow of operation would be that he unlocks the door, goes through it, locks the door behind him, picks up whatever heavy item he has to haul, puts it down at the door, unlocks the door, opens the door, carries the heavy item through, puts it back down, closes the door, locks the door and then carries the heavy item to its destination.
How many times do you think he'll do this before that door is wedged open?
To him, that door is a nuisance and, worse, it is something that lowers his productivity and, in his opinion because he does not know the other implications, hurts his company. It isn't something he does for personal gain where he'd hurt his company, like checking his Facebook page on company time or watching YouTube videos, something he would at least feel guilty for, it is something he does FOR the company because it means he can work faster.
That is by some margin the worst kind of security infraction because it is done without remorse and with a good justification.
How much more likely is something in a health related area where the justification can well be saving someone's life?
This is why you have to plan your security in such a way that it does not impede the workflow of your workers more than absolutely necessary. Yes, that means you have to actually do your fucking job as a CISO and not just spout some insane and harebrained password requirements that force everyone to write it down 'cause they cannot remember them. You have to find out how to automatize away security from your workers. Perfect security isn't one where your workers stumble upon it every single time they want to do it, perfect security is achieved if the worker doesn't even interact with it anymore and hence CANNOT fuck it up, neither deliberately nor accidentally.
The aforementioned door could be made secure without causing your worker additional stress simply by giving him a RFID token and the door opening if it is being scanned. If you want to make theft of the token unlikely, activate it when the worker signs in in the morning (using the RFID token and a pin key, so someone stealing the RFID token would not know the pin) and deactivate it when he leaves. This is trivially possible and if whatever you have to secure is so important, the cost for implementing this are negligible as well.
But you have to do it. Instead of just offloading the burden of security onto your workers.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
. . . .to worry about passwords. Both my daughters work at the local hospital, a regional medical center. ~450 beds. 5000+ employees.
IT Shop ? 3 people. They're too busy putting out brush-fires to even THINK about more than out-of-the-box configs. It's to the point that both daughters (one is a ward admin, the other a radiology trainee ) spend about a third of the time as de-facto frontline IT Techs.
I rather suspect it's not an isolated case. . .
DHS being the Defense Health Service of the DoD. Someone had the brilliant idea of requiring the use of CACs (ID cards) to log in to terminals used by military medical personnel worldwide. This would satisfy the HIPAA requirements, keep Security happy, make it easy to log who was seeing what, and generally be a Good Thing.
Then it was pointed out that using a CAC for login required a connection to validation servers. And field hospitals in Afghanistan, Iraq, and other places generating lots of patients might not have good connections... Oh, and Navy ships at (and especially under) sea can also lack good connectivity.
Amazingly, the Powers That Be agreed that the Idea, while Good, was not practical, so using the CAC is now recommended rather than required.
Best Slashdot Co
My wife is a practitioner and she constantly complains how when she's with a patient, the system locks her out and demands a password change - which can take several minutes because they have this cloud EMR shit that's hosted across the country and is slower than shit.
Or just having the system time out fast. She's with a patient listening to their health complaints and examining them and then the system times-out and she has to log in again - and go through the obscene obstacle course of a UI to get back where she needs to be.
Of the jobs she's had and my experience in that environment, I have yet to see a medical system that has the practitioner in mind. As my doctor says, "These things are written for the insurance companies and many times make no sense to us."
There is a right way and a wrong way to do this. In my experience, all the hospitals do it the wrong way - which is to write down the actual password.
The correct way to do it is simple, right down a password that is systematically wrong.
If the password is 845, write down 734.
If the password is EmerC@rE, write down eMERc2Re, or perhaps R,rV#tR (check your keyboard).
simple cryptography works fine.
excitingthingstodo.blogspot.com
The fact that we IT professionals have not come up with a universal replacement for passwords is the IT industry's biggest failure in my lifetime.
Security professionals cannot simply demand that business stops when security policies are not met. IT security and policies should support the mission of the organization - not the other way around.
There are some places where security just isn't needed. Where I work we are having discussions kinda like this:
Security team: All new products must support two-factor authentication!
Development: On the juke box??
Yea, I work at a lab, and a few of our instruments now need to be constantly connected to phone home.
There is no rationale for this. Just more of the clouded thinking that we now have to live with.
It's going to be a rough ride when the IoT gets going, with how weak it's "security" is.
Imagine when "everything" is on a network, with little to no thought about security...
We play the game with the bravery of being out of range
"Hospitals are pretty hygienic places -- except when it comes to passwords, it seems. "
Hardly. Bad hygiene in hospitals kills over 100.000 people a year in the US alone.
http://abcnews.go.com/GMA/stor...
This is a social problem and IT tries to solve it with a technical solution. Enforcing this technical solution will not solve anything. At least not in the long run.
The issue is that everybody looks at the problem as a problem with THEIR system and forget that security is not a technical issue. It is a social issue. It is a process and humans are the most important part of that process as well the reason it exists.
I have some hundred websites with passwords. At mu job I can not even select my login, so that is an added bonus. Not all are maintained systems by our IT department. I am not an IT person, so I have no way of installing some password reminder program on my work PC (OK, I could and get fired for installing software on the system)
I have one system the rquires me to change the password EVERY FUCKING WEEK!
So yes, I make use of simpeler passwords. I write down the one that I need to change each week.
I have asked and not often gotten an answer why I must change my password every 30 days. If I need to change it every 30 days, why not 29, or 7 or every day? If I would need to replace my lock at home every month, I would doubt the security standard of said lock.
Unfortunately I do not have a solution. I just know what we have now is not workable anymore.
Perhaps a method where you use an RFID in combination with a PIN or even Bluetooth in combination with a PIN might work. Forgot your RFID? The procedure to get a backup should be pretty easy to implement.
There should also perhaps be a need for an 'override' procedure.
Whatever the solution is, you need to work with the people you want it to use.
Don't fight for your country, if your country does not fight for you.
If you forget a password, someone may die right in front of you.
I'm surprised that more hospitals haven't implemented CAC:
https://en.wikipedia.org/wiki/Common_Access_Card
You generally need a pass card for most offices now anyway, so allowing it may not be a bad idea. When the work day first begins, you login with BOTH the passcard AND a password, which starts a 4/8/10 hour timer window. With-in that window you can only SIMPLY use your card to login, but once it passes you have to re-login. This way if the card is lost you still need two-factor.
Basically putting a Kerberos ticket on the card for single sign-on for a limited time.
Implant all the staff with chips. The kind they use for pets.
Then they can log on by head-butting the computer.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."