A scathing rebuke of medical professionals’ attitudes toward information security reveals that nurses and doctors fumble over security protocols, often putting patients at risk.
The revealing study, “Workarounds to Computer Access in Healthcare Organizations (PDF),” offers a fascinating look behind the privacy curtains at hospitals. The study, sponsored by the University of Pennsylvania, Dartmouth College and the University of Southern California, connects the dots on poor security practices and how that can lead to bad patient care.
In one instance, outlined by the report, physicians ordered medications for the wrong patient because a computer was left on and the doctors didn’t realize it was open for a different patient.
But the report doesn’t just eviscerate clinicians’ attitudes toward security. It also blasts the hospital IT infrastructure where unwieldy hardware and unrealistic security protocols might be fodder to be lampooned in a Dilbert cartoon strip.
“The clinicians we studied were not ‘black hat’ hackers, but just professionals seeking to accomplish their work despite the security technologies and regulations,” wrote the authors of the report. Based on the premise that healthcare clinicians are some of the worst offenders when it comes to computer access workarounds, the authors of the study decided to shadow them to better understand fundamental enterprise security challenges and access control pain points. The research included interviews with hundreds of medical workers, CTOs, IT admins and 19 cybersecurity experts.
The report confirms what other researchers have been warning about when it comes to hospital security. In a report released in February, Independent Security Evaluators concludes that hospitals desperately need to shore up their defenses and are vulnerable to attack. Earlier this year, the Los Angeles-based Hollywood Presbyterian Medical Center paid 40 Bitcoin ($17,000) to attackers who locked down access to the hospital’s electronic medical records using crypto-ransomware. Last August, the U.S. Food and Drug Administration recommended that hospitals stop using a medical device that it said was vulnerable to hackers.
Unlike the existential threats found by previous researchers, this study took a closer look at the threat from within. For starters, researchers found healthcare workers flummoxed by “irrational security rules” on things such as passwords. “With specific requirements and time limits, (passwords) are seen as an annoyance, not as a patient safety effort,” read the report.
Tech roadblocks for things such as passwords lead to rampant circumvention of computer authentication. Fussing with passwords “can force the physician to spend as long at the help desk resetting an expired password as he or she then spends treating patients,” according to researchers.
“We find users write down passwords everywhere. Sticky notes form sticky stalagmites on medical devices and in medication preparation rooms… One vendor even distributed stickers touting ‘to write your username and password and post on your computer monitor,’” according to the report.
More problematic is signing off of computer systems. The authors of the report note that when a user’s computer session extends beyond the active need of the user, “it leaves the computer vulnerable to misuse by unauthorized persons or to an authorized user who assumes he or she is entering information for a patient different than the one still logged-in on the screen.”
Why don’t clinicians log out? The study spoke to one nurse who estimated that during a 14-hour day he spent 1.5 hours logging in to various systems. Login headaches, researchers say, create a culture where clinicians stay logged in as a “professional courtesy” for the next clinician.
Nurses, the report revealed, would often circumvent the need to log out of hospital computer systems by placing “sweaters or large signs with their names on them” over the machines or simply lowering laptop screens.
In the health care industry’s defense, the report found that medical workarounds existed because of unwieldy security protocols and cumbersome equipment.
“At a large city hospital, death certificates require the doctor’s digital thumbprint. However, only one of the doctors has thumbs that can be read by the digital reader. Consequently, only that one doctor signs all of the death certificates, no matter whose patient the deceased was,” according to the report.
The byproduct of a security system that healthcare professionals are unwilling to use is a set of second-tier “shadow systems,” including paper notes and patient crib sheets, that help doctors and nurses streamline analog communications. The report also highlights how procedure often doesn’t sync with real work needs. For example, permission management dictating who can access what represents a huge hurdle. “On paper, it’s easy; in reality, it’s not,” says the report.
Permission problems crop up with high turnover of resident physicians who cycle through a hospital every 30 days. In one scenario, a resident may be barred from quick access to essential patient data. In another scenario, “a physician who focuses on infectious disease may also be on the committee that oversees medication errors, and thus requires access to the pharmacy IT system and the nurses’ medication administration system,” according to the report.
During their research, the authors found that healthcare security workarounds were not the exception, but rather the norm. Worse, on the occasions when management identified those security shortcuts, there were no consequences. “These common forms of ignorance, or willful blindness, or incomprehension allow organizations to continue to deploy security that doesn’t work,” wrote the authors.
Despite the bleak security picture, the authors point out that it is well-intentioned people who have the edge over “the machines and the machine rule makers.” And that’s a good thing when it comes to analog patient care versus life-or-death decisions based on a laptop with a sweater draped over it in the nursing station.