The Security Ledger

Study finds Password Misuse in Hospitals a Steaming Hot Mess

Physicians and other clinical staff routinely ignore or circumvent security measures, a study found.

In-brief: efforts by clinical staff to circumvent password protections are “endemic” in healthcare environments and mostly go unnoticed by hospital IT staff, according to a new report. 

Hospitals are pretty hygienic places – except when it comes to passwords, it seems. 

That’s the conclusion of a recent study by researchers at Dartmouth College, the University of Pennsylvania and USC, which found that efforts to circumvent password protections are “endemic” in healthcare environments and mostly go unnoticed by hospital IT staff.

The report describes what can only be described as wholesale abandonment of security best practices at hospitals and other clinical environments – with the bad behavior being driven by necessity rather than malice.

“In hospital after hospital and clinic after clinic, we find users write down passwords everywhere,” the report reads. “Sticky notes form sticky stalagmites on medical devices and in medication preparation rooms. We’ve observed entire hospital units share a password to a medical device, where the password is taped onto the device. We found emergency room supply rooms with locked doors where the lock code was written on the door – no one wanted to prevent a clinician from obtaining emergency supplies because they didn’t remember the code.”

However, monitoring tools are likely to miss the behavior. To properly understand it, the authors conclude, IT staff need to shadow medical staff and observe them doing their jobs.


For the study, the researchers interviewed medical personnel including nurses, doctors and chief medical officers, as well as information technology staff and cyber security experts. They also compiled reports from medical discussion lists and other literature and shadowed many clinicians as they conducted their work. The research was funded in part by the National Science Foundation and the NSA.


“Cyber security efforts in healthcare settings increasingly confront workarounds and evasions by clinicians and employees who are just trying to do their work in the face of often onerous and irrational computer security rules,” the report said.

The competing priorities of clinical staff on one side and management and information technology staff on the other bear much of the blame. Specifically: IT staff are focused on securing healthcare environments and are excoriated for lapses in security that result in the theft or loss of data. Clinical staff, on the other hand, are focused on patient care and ensuring good health outcomes, said Ross Koppel, a fellow at the Leonard Davis Institute of Healthcare Economics at the Wharton School of Business who was one of the authors of the report.

Those two competing goals often clash. “IT want to be good guys. They’re not out to make life miserable for the clinical staff, but they often do,” he said.

One reason may be that IT staff rarely shadow clinical staff to understand the unique pressures or security conflicts inherent in their job. For example, nurses or physicians may be required to authenticate into a dozen or more separate systems in the course of a day, each with its own, strong password. Additionally, staff may need to switch off with their colleagues on a moment’s notice based on an acute clinical situation.

That makes it unavoidable that the clinician would have to write down his or her passwords and carry them around. The result: forests of sticky notes with different user names and passwords on them populate clinical environments.

“We find, in fact, that workarounds to cyber security are the norm, rather than the exception,” the report concluded. “They not only go unpunished, they go unnoticed in most settings—and often are taught as correct practice.” Private companies may even get into the act.

Additionally, IT is often ignorant of, or turns a blind eye to, the wholesale circumvention of security measures, chalking it up to recalcitrant and “clueless” users.

“IT lives in a world in which they think they’re addressing these problems, but they’re not because they’re not aware of the workflow of their users.” For their part, clinical staff often see IT workers and information security staff as hostile. The tension between the two groups only comes into relief when security breaks down entirely, resulting in the exposure of patient data or other adverse outcomes.

“Everybody believes in the need for security,” Koppel told Security Ledger. “But the way it’s implemented is seen as clunky and meaningless.”

“These are not terrorists or black hat hackers, but rather clinicians trying to use the computer system for conventional healthcare activities,” the report reads. “These ‘evaders’ acknowledge that effective security controls are, at some level, important—especially the case of an essential service, such as healthcare.”

This isn’t the first warning about lax information security practices at healthcare organizations. A study by the firm Independent Security Evaluators, published in February, of a dozen healthcare organizations across the United States found that they are ill-prepared to fend off cyber attacks aimed at disrupting services or compromising patient health, despite – or possibly because of – an intense focus on protecting patient privacy.

Read the full report: “Workarounds to Computer Access in Healthcare Organizations: You want my password or a dead patient?”
