Medicos could be world's best security bypassers, study finds

Medicos are so adept at mitigating security controls that their bypassing exploits have become official policy, a university-backed study has revealed. The work finds that nurses, doctors, and other medical workers will so often bypass information security controls in a bid to administer rapid health care that the shortcuts …

Silver badge

So a dilemma.

The IT people are trying to avoid violating patient confidentiality laws. Furthermore, they're also trying to avoid getting critical medical equipment hacked, which means for them lives are at stake.

But at the same time, actual medical personnel need to be able to call up critical information on a moment's notice, especially in Emergency Room situations, which means for them lives are at stake.

So security is running smack into ease of use, and this time BOTH have a legitimate, "lives are at stake" justification, so a compromise is not acceptable. What's needed is a spectrum-breaker: something that is actually BOTH very secure AND dead easy to use at the same time.

7
0
Silver badge

Re: So a dilemma.

>So security is running smack into ease of use

Security always comes at the expense of everything else. The key is getting the balance right.

3
0
Silver badge

Re: So a dilemma.

But in this case the expense is too great: the expense is lives, which for medicos is too great a price since they're under incredible (and usually legal) pressure to save those lives. A third option is therefore needed.

Put it this way. Balance isn't possible because BOTH ends are so heavy the beam is bending to the point of snapping. It's like the right vs. fast problem. You can't just do it right because going too slow means people DIE, and you can't just do it fast because doing it wrong means people DIE. Medicos have to get it RIGHT AND FAST at the same time. Which means you need a SIMPLE AND SECURE at the same time solution. Otherwise, people DIE and there will be cries to get something done, toot sweet. Until someone can formally PROVE this to be impossible, the argument will never end.

4
1
Silver badge

Re: So a dilemma.

"But in this case the expense is too great: the expense is lives"

It's not. Really it isn't. Almost never. For routine medicine you can always wait a couple of seconds, and in most emergency cases you *treat what you see in front of you* not what some computer says. If there's blood spurting out I don't care that you had depression at University I want to stop the bleeding.

It's only a few oddball cases, including severe allergic reactions, that make the news where the information is relevant and for those a physical bracelet, card or pendant is much easier and harder to abuse.

3
5
Silver badge

Re: So a dilemma.

"It's only a few oddball cases, including severe allergic reactions, that make the news where the information is relevant and for those a physical bracelet, card or pendant is much easier and harder to abuse."

It's those oddballs that are the ones that give rise to malpractice suits, especially for those with UNDETECTED or UNREPORTED allergies or reactions. Plus, as noted, emergency rooms are BOTH prone to hacking AND in need of very quick turnaround (each for the same reasons). So again, you need BOTH fast AND right.

3
4
Silver badge

Re: So a dilemma.

"especially for those with UNDETECTED or UNREPORTED allergies or reactions"

How do these undetected conditions get onto the computer? Is artificial omnipresence a thing?

10
0
Silver badge

Re: So a dilemma.

...and in most emergency cases you *treat what you see in front of you* not what some computer says. ... It's only a few oddball cases, including severe allergic reactions, that make the news where the information is relevant...

If there's blood spurting out, you may need x-rays (or other scans) from a networked computer to identify internal damage that's the root cause of the spurting; patient information to identify (as you said) medical allergies that might make prompt doses of some antibiotics around the wound lethal to the patient; and so on. Eyeballs aren't always enough to make emergency medical decisions.

3
2

Re: So a dilemma.

"For routine medicine you can always wait a couple of seconds, and in most emergency cases you *treat what you see in front of you* not what some computer says."

"A couple of seconds"? More like "Server down today, try again tomorrow." Need to look at an X-ray or some blood tests? Better just "treat what you see in front of you." Do most of the IT boondoggles I deal with increase the risk of death? Probably not. Increased risk of serious harm through delays in correct treatment, plus more pain and distress for the patient? Oh yes.

0
0

Re: So a dilemma.

Actually, it might be. The fastest I've seen a user-switch on a real NHS computer is about 45 seconds. I've seen it take as long as three minutes. In a busy ED with maybe 6-8 computers shared by 8-10 doctors and the same or more in nurses, plus all of the specialty teams coming and going through the unit. That's an awful lot of time being wasted switching users. I personally do my best to avoid using another person's account, but during an emergency sometimes there just isn't time to mess around.

2
0
Silver badge

Re: So a dilemma.

The problem isn't poor security practice. It's going about it the wrong way.

Put the authentication into staff ID cards, they're not allowed to wander around without them - yes the same cards that are used to open doors, etc.

If you need to cross-authenticate then add a fingerprint scanner. If someone's got a card and a fake (or dead) finger then you have bigger worries than IT security.

As for slow changeovers - that IS a problem. Fix it. Tablets and Wifi are cheap enough that shared computers should be the exception rather than the norm anyway.

3
0
Silver badge

Re: So a dilemma.

"Server down today, try again tomorrow."

How do you fix a dead server by sharing passwords?

Really does sound like the NHS needs some competent IT people so you don't have unplanned downtime. Like every other organisation does for its business critical services.

0
2

Re: So a dilemma.

"It's not. Really it isn't. Almost never. ..."

Clearly you've never been at the sharp end. There are several problems that all intersect and collectively they can kill patients that aren't even critical. First and foremost, staffing is inevitably affected adversely by computerization - ward clerks? Licensed vocational nurses? Who needs them, we have computers now! The typical hospital administration loves "paperless," low staff, nursing and doctoring. I know of one "healthcare" provider whose administrative board includes ONE doctor, who has no veto just because chairman - well trained in ***Hospitality (Hotel) Management*** (really) wants to hire - this a true story - people with a Disneyland staff attitude. Skill is not important. Really, it's not. SMILE WIDELY and get out the iPad - "Oh, I am SO sorry. You are going to die??? I hope you had a nice stay!!! Can you fill out a customer satisfaction survey before you die???" - CONTINUE SMILING. The food was what??? I can't write that down!!!! What's that? you have resistant staph and that's what's killing you? You don't think much of the isolation practices??? What are those??? I am only trying to find out if you liked your stay ma'am. So you didn't?"

Then there are interfaces. I know of one "healthcare system" that bought accounting software which some idiot convinced the administration could be "retasked easily" to handle health care records. (Why do these lab values have dollar signs?) The "ease" was a delusion and the end result is an on-going catastrophe. Then of course there is the Windows problem - hospital staff do not have TIME to waste learning new interfaces every time some knuckle head thinks they can make the screen look "better." There are many horror stories about computers in hospitals and very few good ones. Every second staff spend doing computer work (or paper work to be fair) is time the patient doesn't benefit from. Every time a staff member accidentally clicks the wrong square in some "form" and doesn't catch it because they are also being paged overhead and via the phone for a code [whatever] is a time some coder's poor understanding of how things work in a hospital could kill someone, even someone who shouldn't have a problem. And, very much more to the point, healthy people don't go to the hospital! The cases are OFTEN "odd ball."

1
0

Re: So a dilemma.

"Server down today, try again tomorrow."

"How do you fix a dead server by sharing passwords?"

By trying a different server to which I don't have access because I'm not supposed to need access. I can request a password for that server of course (with the request countersigned by my line manager and my line manager's line manager) which will almost certainly be rejected by someone who won't read / won't believe the reason I give for needing it and with the usual response time of twenty working days.

0
0

Probably worse than you can imagine

Hospitals are always so short-staffed they can't even keep their records up to date or even refile them so doctors can see their patient's records. I've temped in several hospitals for this reason. One hospital had a decades-old mainframe terminal system which required an employee's badge to be inserted to function. Very nice, right? Would tell you who accessed what and when. Well, every one of these terminals, throughout the bld had a blank badge left stuck in it at all times since doctors were always losing their badges and they didn't want to make ones for the temps. When I got bored entering location codes for files, I could look up people I knew and see what they'd been in for and when along with all their personal identification.

1
1
Silver badge
Unhappy

Re: Probably worse than you can imagine

Nothing about hospitals surprises me any more. I just had a cardiac resynchronisation/defibrillator installed. The anaesthetising nurse forgot to top up the anaesthetic so when the surgeon made the incisions and installed the device I felt everything! Post op I was offered panadol osteo (paracetamol) for pain relief and ended up having a shouting match with a nurse who told me it was illegal to take my regular meds, such as ivabradine prescribed by my cardiologist. The reason given was that the hospital pharmacist had never heard of ivabradine and anyway they don't approve of over-the-counter herbal medicines.

Security? I'd be surprised if they managed to find their own arse with both hands.

4
4
Anonymous Coward

Re: Probably worse than you can imagine

Some of these comments seem specific to either the US or the UK.

Here where I'm currently working we haven't got a huge "sue" culture and we haven't got constant medical staff shortages.

We do get some staff trying to work around security and sometimes IT is over-ruled. I thought this was a big problem but compared to what I'm reading here it's nothing at all!

EDIT: I think Neil below has locked on to what we do.

0
0
Silver badge

Re: Probably worse than you can imagine

"Well, every one of these terminals, throughout the bld had a blank badge left stuck in it at all times "

Shouldn't be happening.

"since doctors were always losing their badges and they didn't want to make ones for the temps. "

It's a legal _requirement_ in the UK that patients can see the photoID of whoever's treating them.

Doctors who forget their badges won't do it if it hits them in the wallet.

0
2

Re: Probably worse than you can imagine

The fact that a photo-id is a "legal requirement" doesn't make it a smart policy that does anything beneficial. It simply makes it a policy. Besides which, anyone with a decent image editor can counterfeit the badges adequately to fool the Mk 1 eyeball. Ah - you say - but the card has to be passed through a reader and that can't be fooled. True, but seven people at a door, one passes their legitimate card and all seven including the ringer pass the door. Maybe we need embedded chips? No sweat. The code can be grabbed by several different kinds of skimmers and added to a card. Does the chip have to match the image? Not really if it is all machine checked. Is that really better security, or merely an illusion that some bean-counting "security" type ignorant of the actual demands in a hospital finds comforting? The only way to clue someone in to hospital security needs and true weaknesses is to get them out in the floor answering calls, changing bed pans, and watching sheet covered forms being moved down the hall to the elevator - destined for the morgue.

0
0
Devil

Yeah, we're secure...

But the patient's dead...

There was this book written in the aftermath of WWII that pretty much details the conflict between reality, policy and management. I'm reminded of it every day...

"Catch 22"

6
0
Anonymous Coward

Re: Yeah, we're secure...

The answer is always the syndicate. Even in the "good" wars there are always plenty of 1%ers turning blood into gold.

0
0

The fact that some security is based on "Best Practice" or "Industry Standard" is what winds me up. It's not based on "What we can observe and measure in the real world" but rather on "sufficient documentation exists to support this practice that no one will hold the security people accountable for problems if we implement these policies".

You must have a complex password, change it every 60 days, not reuse it - these are my favourites. Teach the user base how to generate pattern passwords that meet the rules and problem solved (from the users' perspectives)

4
0
Silver badge

"You must have a complex password, change it every 60 days, not reuse it - these are my favourites. Teach the user base how to generate pattern passwords that meet the rules and problem solved (from the users' perspectives)"

No, because some people have REALLY BAD recall:

"Now, was that CorrectHorseBatteryStaple or Engine+Paperclip+Donkey+Wrong?"

THAT kind of bad, which I see all the time. Medicos are caught between Scylla and Charybdis except they're not allowed to sacrifice anyone. They need it RIGHT AND FAST, SECURE AND SIMPLE all at once, or people DIE and their survivors complain.

4
3
Silver badge

For Pete's sake

Every cash register in pretty much every pub in the country has a token login based on a physical widget attached to the operator with a bit of string.

It's not a difficult concept.

Make the same widget responsible for opening doors and doctors won't be able to lend theirs to others.

Of *course* doctors aren't going to sit down and remember passwords for a dozen different systems; they're busy doing doctor things. Security per se is something that gets in their way and like any other human they'll do their best to avoid it. But an ID card in a slot not only provides access to systems but provides an automatic logout. Sure, it's not as secure as a widget *and* a password, but how secure is it now? The primary driver here is access to the records of the patient the doctor is treating *now*.

16
1
Silver badge

Re: For Pete's sake

You know the problem with keys? People keep LOSING them! Lanyards break, keys get caught in things, next thing you know it's vanished without trace or knowledge of how it happened. And trying to correct for these wastes time which is unacceptable in a medical area because time means LIVES.

4
5
Unhappy

Re: For Pete's sake

While I understand the theory, practice is often different. Cards DO fail, not good when you are one side of a door and doctor is the other. Never mind maybe someone will help them through, shame about your notes though. Still a replacement card should be available in 1~4 working days. Dangling gizmo things look so trendy in infection control areas. Proximity devices can be useful until they get lost, dropped, left in another jacket or so on. Sadly, one size fits all does not fit all and even more sadly not only are all people not the same neither are their jobs the same either. Not even everyone in the hospital has the same skill set or job description. There is still a lot wrong with the management and control of most hospitals but treating all roles with the same pat 'treatment' is not the answer. Human and job role factors must be considered. Should task and access 'tokens' ever leave the site or should the site have improved methods of issue and management?

Too many questions for those outside to have a hope of answering, too many questions for those on the inside to have time to generate easy answers.

I use a proximity fob system at home so I am well aware that they can be useful, I used a card system at work, so I am also painfully aware of failure rates.

4
0
Anonymous Coward

Re: For Pete's sake

I work in a site where you can't enter if you don't have your badge. I can't enter my office without the badge, nor can I eat at the canteen. If you forget it, the reception will issue you a temporary one on the spot after checking who you are.

You quickly learn how to ensure you always have your badge with you. After all people also take care of their car keys, or they may not be able to get back home. AFAIK medical personnel working where radiations are present must carry a dosimeter.

If needed, plant a chip under the medical personnel skin.... <G>

8
1
Silver badge

Re: For Pete's sake

"You quickly learn how to ensure you always have your badge with you. After all people also take care of their car keys, or they may not be able to get back home. AFAIK medical personnel working where radiations are present must carry a dosimeter."

And YOU just as quickly learn how often people STILL leave the damn things behind, skipping lunch and going hungry, requiring a cab or a ride or a locksmith, or simply walking home in the pouring rain. This IN SPITE of every precaution. Plus, losing access to critical information just when a Code Blue hits is NOT GOOD.

PS. I think they found that when it came to appendages that are used quite often, like the arms, hands, and digits, they found yet another dilemma. A tough installation can't read half the time, and a reliably-readable one tended to break too often. Again, waiting for a replacement in an environment where time is critical is a no-go.

2
1
Anonymous Coward

Re: For Pete's sake

First up, most hospitals I know of have to have id on them at all times. If you are letting people in without ID, even staff, you've got bigger issues.

"Still a replacement card should be available in 1~4 working days.", really. There is no reason why something as big as a hospital (which I presume has security staff), could not have multiple card printers. We have 4 readers and can get a card to someone in next to no time.

5
1
Silver badge

Re: For Pete's sake

That hospital must have a good budget, then. Experience tells me your experience is the exception, not the norm.

2
1

Re: For Pete's sake @Charles 9

So couldn't there be spares? Could not the hospital employ someone who rather than constantly pushing a space bar, issues out a replacement, you could go even further and have them put a stop on the lost token.

0
1
Silver badge

Re: For Pete's sake

"Make the same widget responsible for opening doors and doctors won't be able to lend theirs to others."

This here is what's wrong with all too many IT departments.

If a user fails to adhere to a procedure, the answer isn't to find a way to force them. The answer is to find a better procedure that works with their workflow/constraints/failings.

4
0
Silver badge

Re: For Pete's sake @Charles 9

Spares can get stolen.

Replacements have to be verified.

The point is not that it costs manpower but that it costs time, which depending on what part of the hospital you're in can be quite precious (that's why I always note the Emergency Room, one place where time pressure is frequent).

1
2
Silver badge

Re: For Pete's sake

@Neil Barnes

We have those. Got one hanging on my neck right now - an NHS care Identity service "smart Card"

Those machines in pubs can switch users a hell of a lot faster than an NHS app though.

This line in the article really summed it up for me:

""The problem is the … chief information, technology, and medical informatics officers … did not sufficiently consider the actual clinical workflow," the team says."

2
0

Re: For Pete's sake

Nice idea, the problem is that NHS IT is a mess. A total mess. It's not a case of just logging into a workstation, it's a case of logging into anything from three to fifteen different clinical information systems depending on the specialty. Many of those are "web based" (usually tied to an ancient version of Internet Explorer complete with obsolete ActiveX controls) and require separate passwords. They all have different password requirements and different password expiry lengths. The ubiquitous smart card is a great way to STEAL passwords, by having the smart card in situ then inviting a colleague to log in to something, the password management software will happily (and often silently) record their credentials. Genius! Probably the most secure approach to hospital computer systems I've seen is to have everything in virtual Windows instances in a server farm with the workstations purely acting as host displays, with a smart card or other token to reconnect to each user's desktop. It's fast, pretty secure and very convenient, but also very expensive.

1
0

Re: For Pete's sake @Charles 9

Spares can get stolen.

Replacements have to be verified.

The point is not that it costs manpower but that it costs time, which depending on what part of the hospital you're in can be quite precious (that's why I always note the Emergency Room, one place where time pressure is frequent).

Well yes it costs time but is it quicker and does it work better?

Here's a rough process.

Doc turns up to hospital, has not got rfid / token thingy. Goes to designated person. Says has forgotten/ lost current one. They de-activate it, issue a temporary one. Doc starts work.

Yeah sure there is time lost, but it's caused by the doctor forgetting an item, it's going to happen. Everything that takes some security costs some time when it is needed, it's lessening the time while still being practical and secure that seems to be the issue.

0
1
Silver badge

Re: For Pete's sake

"Probably the most secure approach to hospital computer systems I've seen is to have everything in virtual Windows instances in a server farm with the workstations purely acting as host displays,"

Doable cheap and NOT particularly expensive if you do it using linux desktops.

As a bonus, it's harder for the lusers to be tricked into installing malware (NHS firewalls are routinely bypassed and even the ones which aren't have more holes in them than a swiss cheese)

0
0
Silver badge

Re: For Pete's sake @Charles 9

"Goes to designated person."

There's your problem. There's no budget for "the designated person".

1
0

Re: For Pete's sake @Charles 9

"Goes to designated person."

There's your problem. There's no budget for "the designated person".

You mean there's no IT staff in the hospital at all? That's your problem there I reckon, no secretary either who could be trained to run a simple program, my oh my no wonder hospitals are so rushed.

Keys get lost, tokens get lost, cards get lost. Passwords get forgotten.

What's the solution, leave it all open all the time? Everything else apart from the mentioned dermal implants, I know people can lose their arms, hits the human factor.

1
0

Re: For Pete's sake

More to the point the key can be stolen. And, I have seen a key card snagged in an elevator door, ripped off the lanyard and fall down into the crack between the elevator and the shaft. Now there is a security issue, a legitimate card at the bottom of the elevator shaft - where it might be stolen by some nefarious and underpaid mechanic and sold to some no-good-nik. The "security" response was to close down both the elevators sharing that shaft to recover the card. That created a traffic jam at the next elevator down the hall, blocked responses to codes and created a gruesome tangle of visitors, patients, and staff, and likely led to who knows how many unnecessary resistant staph infections. Medical people are often trained to think in terms of triage. In that approach, "security" will inevitably be last.

0
0

Re: For Pete's sake

You are talking about hospitals, staff are reduced because, well hospitals never make money anyway, so companies hire "hospitality management" administrators with a mission direction to reduce costs at all costs. Their understanding of medicine is limited to patients are frequently unhappy and so are their families. "Why did my dad have to wait so long for someone to help him with the bed pan?" What do?

They only hire minimum staff based on an assumption of minimum bed occupancy. Population rises, call in temps - but, temps and security badges - hmmm, maybe some sort of temporary badge, disposable perhaps? Temps need to complete (electronic) charting, meaning they need access to confidential patient records, but aren't issued passwords - "use mine" says the one full-time nurse. But that's bad practice!! Well yes, but there are now two nurses on the floor with 30 patients, and the full time nurse doesn't have time to access records for her patients AND the temp's.

I have never met a computer security staffer dealing with medical records in a hospital that understood that the issue is patients - they need to be cared for and the floor is, except for the odd blue moon day, always understaffed. Their directions on implementing security come from a management that is a complete stranger to actual health care, except occasionally for the one token doctor on the board who might not be, and would be outvoted if it comes down to bonuses or patient well being.

0
0

Re: For Pete's sake @Charles 9

Triggerfish - Hospitals do not make money, but they are generally owned by companies that are only putatively non-profit. So, for parent companies hospitals are cost centers that lower the bottom line. So, reduce staffing. Staff for minimum occupancy, reduce support staff or eliminate it altogether, hire one guy to handle IT or better yet outsource it to India and don't provide any documentation to the IT people anyway. Written originally for a mainframe in the '80s, not even for a hospital. Well - you're IT. We have confidence in you. What's source code? Why do you need it?

0
0
Silver badge

Re: For Pete's sake @Charles 9

"You mean there's no IT staff in the hospital at all? That's your problem there I reckon, no secretary either who could be trained to run a simple program, my oh my no wonder hospitals are so rushed."

Hate to say it, but...that's exactly the issue! No solution can hire additional people because there's no budget for it. You MUST use existing people or it'll never make the budget. In a hospital, security plays third fiddle (to saving lives and cutting costs) and there's no way you're going to change this in the medical culture. The first priority is sacrosanct due to the Oath of Hippocrates while the second priority is imposed by the men up top.

0
0
Silver badge
Trollface

Keys get lost, cards get re-used indefinitely, passwords are a joke

So there is only one solution : neck collars. Personnel gets to the hospital, is intercepted by security team, gets wrestled to the ground and officer slaps neck collar on. Personnel is then free to go wherever and touch whatever computer, the neck collar automatically grants access. Collar stays on until personnel contract is terminated, HR in charge of retrieving it when processing the departure.

For bonus points, make the collar a nice one, so that the ladies actually don't mind wearing it and the men look more manly with it.

1
0
Silver badge

Re: Keys get lost, cards get re-used indefinitely, passwords are a joke

Next thing you know, you collar someone with very sensitive skin and they develop a rash...

1
1

Now you know ...

... why doctors' writing is almost impossible to decipher.

0
0
Silver badge

Real world

Even in ordinary environments password security can put people under that little bit of extra pressure. Mostly it makes no difference, it's just one of those things that have to be done.

The more pressure there is the more problematic it can become.

Sit in a school staffroom at 08:20 and you'll see password sharing. As in, "Oh God it made me change my password yesterday - What the hell was it? X (insert name) what's your password, I need to print off...... etc....."

Move that into an overstretched hospital department with patients on trolleys and ambulances queuing outside and it isn't surprising if they don't even bother to keep passwords.

It's not just emergencies, it's time pressure. If it takes an extra half minute per patient to change mental gear (especially if tired or rushing), recall and enter the password then by the end of the clinical day enough time for a number of slots has been used to type passwords - and that's assuming it works well, there's no need to retype the password and they don't get locked out.

1
0
Anonymous Coward

Medics aren't without intellect

When I was a working hospital doctor, I'd always put speed of patient care before IG. So did the managers. Targets to meet for treatment times were prioritised over sensible IG features such as single sign-on across all the [disparate] clinical systems - PAS, RIS, PACS, Path, Order-comms etc.

I even wrote a bit of code to 'move' the mouse pointer every so often [co-incidentally just less than the time-out setting for the log-in!]

2
0

Biometric systems

seem to be the answer here, something you can't lose. Ok, there are different security implications but getting rid of the tag/card that you can lose/mislay is a big plus.

0
1

Re: Biometric systems

What biometric? Hands in gloves, covered in blood and other fluids, maybe mask on, face shield.

Maybe a solution is to have separate terminals and requirements in different zones, so terminals more open to "outside" use need more security than one in a clinical area where access is more restricted. You can also change what can be done so in areas like emergency treatment where getting info is more important than changing it make terminal read-only or limit what can be changed without additional authentication.

2
0
Silver badge

Re: Biometric systems

Problem is, sometimes the requirements CLASH. For example, as you say, the Emergency Room. Problem here is that, due to the environment, it's a pretty open area with lots of people roaming around. This makes it a prime target for infiltrating in the midst of the chaos. BUT emergency personnel ALSO need timely access to patient information in order to keep triage and treatments moving quickly because, well, you're dealing with emergencies here.

1
0

Biting the hand that feeds IT © 1998–2018