Hospitals are pretty hygienic places — except when it comes to passwords.

That’s the conclusion of a recent study by researchers at Dartmouth College, the University of Pennsylvania and USC, which found that efforts to circumvent password protections are “endemic” in healthcare environments and mostly go unnoticed by hospital IT staff.

The researchers interviewed medical personnel in their workplace settings, including nurses, doctors, chief medical officers, chief medical information officers, cybersecurity experts, CIOs, IT workers, everyday users and managers, to obtain their perceptions of computer security rules. They also collected reports from medical discussion lists and other literature, and shadowed many clinicians as they conducted their work.

The report describes a wholesale abandonment of security best practices at hospitals and other clinical environments, with the bad behavior driven by necessity rather than malice.

This is not good news for payers of health care services such as workers’ compensation claim administrators. Identity theft is a centerpiece of health care fraud schemes, and the health/medical sector accounted for the largest share (42.5% in 2014) of the reported data breaches tracked by the Identity Theft Resource Center, more than any other industry.

“Cyber security efforts in healthcare settings increasingly confront workarounds and evasions by clinicians and employees who are just trying to do their work in the face of often onerous and irrational computer security rules. These are not terrorists or black hat hackers, but rather clinicians trying to use the computer system for conventional healthcare activities. These ‘evaders’ acknowledge that effective security controls are, at some level, important – especially in the case of an essential service, such as healthcare. As we observed earlier, without such tools, the enterprise cannot protect against adversarial cyber action. Unfortunately, all too often, with these tools, clinicians cannot do their job – and the medical mission trumps the security mission.”

“In hospital after hospital and clinic after clinic, we find users write down passwords everywhere,” the report reads. “Sticky notes form sticky stalagmites on medical devices and in medication preparation rooms. We’ve observed entire hospital units share a password to a medical device, where the password is taped onto the device.”

“We found emergency room supply rooms with locked doors where the lock code was written on the door — no one wanted to prevent a clinician from obtaining emergency supplies because they didn’t remember the code.”

“We find, in fact, that workarounds to cyber security are the norm, rather than the exception. They not only go unpunished, they go unnoticed in most settings – and often are taught as correct practice. In rare exceptions, when the workarounds become obvious to leaders – such as a security breach involving a patient’s record – there may be repercussions. These common forms of ignorance, or willful blindness, or incomprehension allow organizations to continue to deploy security that doesn’t work.”

The competing priorities of clinical staff and information technology staff bear much of the blame. IT staff and management are focused on regulatory compliance and on securing the healthcare environment, and they are the ones excoriated for lapses in security that result in the theft or loss of data.

Clinical staff, on the other hand, are focused on patient care and ensuring good health outcomes, Ross Koppel, one of the report’s authors, told The Security Ledger. Those two goals often clash. “IT want to be good guys. They’re not out to make life miserable for the clinical staff, but they often do,” he said.