Study finds Password Misuse in Hospitals a Steaming Hot Mess

Physicians and other clinical staff routinely ignore or circumvent security measures, a study found.
Physicians and other clinical staff routinely ignore or circumvent security measures, a study found.

In-brief: efforts by clinical staff to circumvent password protections are “endemic” in healthcare environments and mostly go unnoticed by hospital IT staff, according to a new report. 

Hospitals are pretty hygienic places – except when it comes to passwords, it seems. 

That’s the conclusion of a recent study by researchers at Dartmouth College, the University of Pennsylvania and USC, which found that efforts to circumvent password protections are “endemic” in healthcare environments and mostly go unnoticed by hospital IT staff.

The report describes what can only be described as wholesale abandonment of security best practices at hospitals and other clinical environments – with the bad behavior being driven by necessity rather than malice.

“In hospital after hospital and clinic after clinic, we find users write down passwords everywhere,” the report reads. “Sticky notes form sticky stalagmites on medical devices and in medication preparation rooms. We’ve observed entire hospital units share a password to a medical device, where the password is taped onto the device. We found emergency room supply rooms with locked doors where the lock code was written on the door–no one wanted to prevent a clinician from obtaining emergency supplies because they didn’t remember the code. ”

However, monitoring tools are likely to miss the behavior. To properly understand it, the authors conclude, IT staff need to shadow medical staff and observe them doing their jobs.

“In hospital after hospital and clinic after clinic, we find users write down passwords everywhere.”

For the study, the researchers interviewed medical personnel including nurses, doctors and chief medical officers, as well as information technology staff and cyber security experts. They also compiled reports from medical discussion lists and other literature and shadowed many clinicians as they conducted their work. The research was funded in part by the National Science Foundation and the NSA.

[Read Security Ledger coverage of security issues facing healthcare organizations here.]

“Cyber security efforts in healthcare settings increasingly confront workarounds and evasions by clinicians and employees who are just trying to do their work in the face of often onerous and irrational computer security rules,” the report said.

Competing priorities of clinical staff and management and information technology staff bear much of the blame. Specifically: IT staff are focused on securing healthcare environments and are excoriated for lapses in security that result in the theft or loss of data. Clinical staff, on the other hand, are focused on patient care and ensuring good health outcomes, said Ross Koppel, a fellow at the Leonard David Institute of Healthcare Economics at the Wharton School of Business who was one of the authors of the report.

Those two, competing goals often clash. “IT want to be good guys. They’re not out to make life miserable for the clinical staff, but they often do,” he said.

One reason may be that IT staff rarely shadow clinical staff to understand the unique pressures or security conflicts inherent in their job. For example, nurses or physicians may be required to authenticate into a dozen or more separate systems in the course of a day, each with its own, strong password. Additionally, staff may need to switch off with their colleagues on a moment’s notice based on an acute clinical situation.

That makes it unavoidable that the clinician would have to write down his or her passwords and carry them around. The result: forests of sticky notes with different user names and passwords on them populate clinical environments.

“We find, in fact, that workarounds to cyber security are the norm, rather than the
exception,” the report concluded. “They not only go unpunished, they go unnoticed in most settings—and often are taught as correct practice.” Private companies may even get into the act.

Additionally, IT is often ignorant of- or turns a blind eye to the wholesale circumvention of security measures, chalking it up to recalcitrant and “clueless” users.

“IT lives in a world in which they think they’re addressing these problems, but they’re not because they’re not aware of the workflow of their users.” For their part, clinical staff often see IT workers and information security staff as hostile. The tension between the two groups only comes into relief when security breaks down entirely, resulting in the exposure of patient data or other adverse outcomes.

“Everybody believes in the need for security,” Koppel told Security Ledger. “But the way its implemented is seen as clunky and meaningless.”

“These are not terrorists or black hat hackers, but rather clinicians trying to use the computer system for conventional healthcare activities,” the report reads. “These ‘evaders’ acknowledge that effective security controls are, at some level, important—especially the case of an essential service, such as healthcare.”

This isn’t the first warning about lax information security practices at healthcare organizations. A study by the firm Independent Security Evaluators published in February of a dozen healthcare organizations across the United States found that they are ill prepared to fend off cyber attacks aimed at disrupting services or compromising patient health, despite – or possibly because of – an intense focus on protecting patient privacy.

Read the full report: “Workarounds to Computer Access in Healthcare Organizations: YOu want my password or a dead patient?”


  1. So, these nurses and other health care staff can remember enough information to pass their exams in college and their boards to become a nurse, but remembering their passwords overloads their brains to the point where they need to write everything down and leave a trail of sticky notes?

    • Well…most humans have trouble remembering long, random sequences of numbers, letters and special characters, which is what strong password policies would require. The alternative is easy to remember passwords, which are trivial to crack. Consider, also, that these professionals might have to “log into” scores of separate systems in the course of caring for patients in a clinical environment, not just a single laptop or desktop. So you can see the challenge they face.

      • @Paul – wildly off the mark. Passphrases can be easy to remember and not be random or overly complex. Any decent password policy will accommodate that.

        Then there are biometrics and other options.

        It is not the binary choice you present.

        • I think the issue is that the users are being presented with no choice plus a constant rotation of passwords. That plus the need to rapidly access terminals creates an untenable situation for workers. It is theoretically possible to create a passphrase that may be as good as a random password but most user-suggested or easy to remember ones are going to be readily crackable. IT departments are charged with ensuring passwords are strong so they’ll go with randomly generated ones.

          There are better options for identification (RFID or other smart badge + PIN, or biometric) but they haven’t made it into most hospital settings.

          Security is driven by at least three pressures or goals:
          1) Minimize risk.
          2) Minimize cost.
          3) Minimize effects on usability.

          By not addressing #3, security designers created perverse incentives that sabotage their ability to meet the first two goals.

          • I agree with your comment, especially when they require password changes often with new passwords mandated to not be same as any of the last 10. It would be a drag for even the most security conscious person.

  2. Pingback: Study finds Password Misuse in Hospitals a Steaming Hot Mess https:… | Dr. Roy Schestowitz (罗伊)

  3. Pingback: Links 6/28/16 | naked capitalism

  4. Pingback: Healthcare workers prioritize helping people over information security (disaster ensues) | danilnews

  5. This is simply more evidence that the password system is broken. Amazing that more people don’t acknowledge this. In modern life, every where we turn, we’re asked to create “strong,” unique passwords that look like “flzz6639#!!”. Think of how many of these passwords you have, sometimes for online sites you use once a year; I’ve got scores, and others probably have hundreds. Sometimes you’re asked to change these every several months, without repeating prior passwords. I maxxed out the digit span portion of the Wechsler, so I’m fairly decent at remembering strings of characters, but this is beyond absurd. I have stickies with passwords on my PC. IT security guys, wake up. The problem isn’t the meat running your software. Your system stinks. It needs a total rethink (biometrics, something yet to be imagined). Else you’re left with the paradox that your “security” is creating less security. I’m tired of seeing arrogant IT security guys blaming “stupid people” and their “stupid” choice of obvious passwords. Look, I program too. And I idiot-proof my software so it works even if the user doesn’t do what I think is obvious. The “stupid” choice of passwords — or “stupid” behavior (posting passwords all over) — tells you this password system just doesn’t work.

  6. As a former IT system designer myself, I remember all the pushback I used to get whenever I wanted to see how our users do their jobs. In general, we were intentionally prevented from having such access. We were supposed to go through channels with an array of designers and usually a specification expert, not a future user, at the other end of the pipeline. I’m not the only software developer to remark on this. The isolation is intentional.

    Given the availability of mobile devices with near field communications and fingerprint detectors, I’m surprised that this hasn’t been used to simplify things. Why not a small device worn on an armband that could detect removal and provide a fingerprint pad. You’d strap it on and log in at the start of one’s shift, and it would negotiate with the general level of gear you have to use. In cases where more security is required, for example, access to controlled substances, it might ask for another fingerprint push. Yes, someone could always make you press your finger if they had you at gunpoint, but that’s a whole different problem.

  7. Pingback: Passwords Under Pressure | Voice of the DBA