Medical staff routinely ignore IT security to do their jobs

Bad cyber-security gets in the way of healthcare
Bad cyber-security gets in the way of healthcare

Medical staff use so many workarounds to best practices in IT security that the vast majority go unnoticed, according to new research.

In a research paper entitled Workarounds to Computer Access in Healthcare Organisations: You Want My Password or a Dead Patient?, IT security workarounds are normal practice for most medical staff.

“Workarounds to computer access in healthcare are sufficiently common that they often go unnoticed. Clinicians focus on patient care, not cyber-security,” said Sean Smith and Vijay Kothari of Dartmouth College, Ross Koppela of the University of Pennsylvania and Jim Blythe of the University of Southern California.

“Cyber-security efforts in healthcare settings increasingly confront workarounds and evasions by clinicians and employees who are just trying to do their work in the face of often onerous and irrational computer security rules. These are not terrorists or black hat hackers, but rather clinicians trying to use the computer system for conventional healthcare activities,” said the authors.

The researchers said that medical staff “acknowledge that effective security controls are, at some level, important.”

They said that without such tools, the enterprise cannot protect against adversarial cyber action.

“Unfortunately, all too often, with these tools, clinicians cannot do their job – and the medical mission trumps the security mission.”

Among the workarounds medical staff employ are sharing passwords with others so that they can read the same patients' charts even though they might have access in common. In one instance, a hospital technician used a physician's PIN code to create fake reports for patients.

The researchers found that standard accepted practices for strong password hygiene can be non-existent in healthcare and in one case, a medical informatics officer lamented that “routine password expiry… forces everyone to write down their password.”

The authors said that clinicians in one hospital defeated proximity sensor-based timeouts by putting Styrofoam cups over the detectors, and at another hospital the most junior person on a medical team was expected to keep pressing the spacebar on everyone's keyboard to prevent timeouts.

According to researchers, the problem sits with IT security staff who “did not sufficiently consider the actual clinical workflow”.

“In rare exceptions, when the workarounds become obvious to leaders – such as a security breach involving a patient's record – there may be repercussions. These common forms of ignorance, or wilful blindness, or incomprehension allow organisations to continue to deploy security that doesn't work,” the report said.

Carl Herberger, vice president of security solutions at Radware, told SCMagazineUK.com that the healthcare industry has long lagged behind in investing in security talent, architecture and tools and as a result had an imbalanced set of protections with a focus on simple authentication techniques.

“The truth is that transparent high security is the achievement of brilliant design, architecture and talent and something that the healthcare industry can achieve, but not without disruptive changes to business operations and processes. Healthcare's current woes are a direct result of years of under-selling investments in security,” he said.

Tony Pepper, CEO at Egress, told SC that infosecurity solutions need to provide healthcare organisations and professionals with ways of protecting data to the highest industry and government standards, without compromising or interrupting the ways in which they work.

“Technology needs to integrate seamlessly into existing practices and it needs to be easy to use. Additionally, wherever possible, security decisions need to be taken away from individuals to minimise the disruption to workflow,” he said.