Medicos could be world's best security bypassers, study finds

Medicos are so adept at mitigating security controls that their bypassing exploits have become official policy, a university-backed study has revealed. The work finds that nurses, doctors, and other medical workers will so often bypass information security controls in a bid to administer rapid health care that the shortcuts …

      1. SImon Hobson Bronze badge

        Re: Biometric systems

        > Maybe a solution is to have separate terminals and requirements in different zones ...

        You mean, like the people who design these systems actually go out and find out how the people who need to use them actually work ! And having done that, design systems (note plural) appropriate to each situation.

        I think the article could be summed up thus :

        TL;DR - systems not designed with users in mind

        Now, haven't we heard that one before ?

        1. Alan Brown Silver badge

          Re: Biometric systems

          "You mean, like the people who design these systems actually go out and find out how the people who need to use them actually work !"

          The problem is that whilst bypassing security might be excusable in ED, it's NOT excusable in standard clinical care environments and the problems are as much doctors being prima donnas as anything else.

  1. Herby

    Then you get....

    The half hour (or more) inquiry of medical facts when you go into the hospital EVERY TIME since they can't be bothered to "look you up".

    One time when visiting my dad in hospital, I was AMAZED at how much faxing they did. They would print out something and blast it off to somewhere. Weird to happen in the last decade!

    Maybe they would be more accepting if you had a PDF of your (brief) history on a thumb drive and they accepted it as well, but that is another story.

    Computers? I've heard of them...

    1. Alan Brown Silver badge

      Re: Then you get....

      > The half hour (or more) inquiry of medical facts when you go into the hospital EVERY TIME since they can't be bothered to "look you up".

      I usually respond with "this is in my file, why are you asking again?"

      1. Charles 9

        Re: Then you get....

        They respond, "Because we need to know the information in order to retrieve your file." IOW, it's a case of the crowbar being IN the crate.

  2. Disk0
    Coat

    The Medico God complex.

    That is all. It can never be fixed, every hospital just needs a Samaritan style surveillance machine to keep track of who's inside and what they are doing. Invasive, yes, but so is surgery.

    Mine's the one without the beeper.

    1. lpcollier

      Re: The Medico God complex.

      Yes, you're right. Doctors share passwords because they want to be God.

      1. Midnight

        Re: The Medico God complex.

        Someone didn't bother reading my carefully prepared memo on commonly-used passwords.

        Now, then, as I so meticulously pointed out, the four most-used passwords are: love, sex, secret, and... god. So, would your holiness care to change her password?

        1. Charles 9

          Re: The Medico God complex.

          What happened to "password"?

  3. phillip-b

    The problem is stopping the wrong people from using the computer

    So far most of the comments have been about identifying the right user. Turn this on its head - how does one stop the wrong users from accessing the computer? I know this sounds weird or nuts, but if fast access to the computers is so medically necessary, then (particularly in A&E) have a security person whose job it is to patrol the unlocked computers to solely look for non-medicos using them.

    1. Charles 9

      Re: The problem is stopping the wrong people from using the computer

      OK, where does the money come from? Many hospitals are short-staffed already.

      1. phillip-b

        Re: The problem is stopping the wrong people from using the computer

        A&E already needs security guards - same person.

  4. Bob Dole (tm)
    Holmes

    The existing security paradigm just doesn't work in a multi-user world.

    Hospitals are the perfect example of an area where computer systems as they are now completely fail. The problem isn't one that will be solved by having biometrics or key fobs (tokens) available because those ignore the issue.

    The issue is that there is a large number of mobile workers (nurses, doctors, etc) that are moving around from room to room who need access to information immediately. Logging in and out of that room's computer systems simply isn't feasible.

    So, how do you fix it? You start by getting rid of logins. Having someone log out and log back into Windows or even the application that's running on the computer is dumb. A much better approach is to just RFID tag all the people in the hospital (doctors, nurses, patients, visitors) and have detectors in each of the rooms.

    Change the applications so they don't require logins. Instead just record who was present in the room at the time anything happened. A medical record needs pulled up? System verifies that a medical professional is in a room and records who is there (including visitors) quietly, in the background. Someone needs that monitoring machine turned on? Is a medical pro in the room? yes, then do it and log who was present.

    How do you give everyone an RFID tag? well, they already have badges. Even visitors should have a visitors badge.... If a doctor doesn't have their badge then they aren't on duty. Multiple RFID sensors in a given room would easily tell you exactly which room they are in.

    That is quiet, unobtrusive and would absolutely go along with their workflow. They also wouldn't try to game the system.

    1. Charles 9

      Re: The existing security paradigm just doesn't work in a multi-user world.

      Too risky for false positives, if you ask me. The problem here is that RFID is radio based, and most of the time radio detecting isn't very precise. There will be tons of badges floating through the halls, and the walls don't always shunt. They could pick up stray badges and end up with mistaken readings.

      Another problem is that all this added radio transmission raises the risk of RF Interference, and medical equipment tends to be very sensitive which is why there were cell phone blackouts in the past in hospitals. RFID will mean raising the specter of more (and expensive) RFI testing. At least with current applications the badge readers are considered non-interfering because they only have a point-blank effective range.

      1. Alan Brown Silver badge

        Re: The existing security paradigm just doesn't work in a multi-user world.

        "Another problem is that all this added radio transmission raises the risk of RF Interference, and medical equipment tends to be very sensitive which is why there were cell phone blackouts in the past in hospitals."

        *Ahem*Bullshit*Ahem*

        The sensitivity was to 10-20W walkie-talkies being keyed in close proximity to equipment. That got translated into edicts that ALL radio equipment was to be turned off, for the simple reason that it's easier to enforce such a rule than "Oh this is ok, but that's not" - not helped by initial analog bag phones being 3-5W, instead of the 300mW maximum transmit power allowed for phones these days (bearing in mind that they seldom actually transmit at 300mW, it's usually 10-15mW unless in radio fringe areas and frequently in urban cells it's down as low as 1-2mW)

        The mobile phone ban got kept around for reasons of annoyance value, patient privacy and profiteering from pay/bedside phones, until OFCOM and the FCC stepped in to stomp on the latter.

        Meantime, the actual cause of RF interference problems - high powered walkie talkies - kept on merrily being used the entire time by security staff without a thought given to the effects on equipment.

  5. Seanmon

    No auditing?

    Last NHS system I worked on (a portal site that hooked into literally dozens of ancient creaky things and pulled all that data onto one screen - quite useful.) the login data was reviewed by an information governance person every month. Anything dodgy - same login used at two different locations at the same time, for example - and someone would get a polite call from IG to explain themselves. Mitigating circumstances, such as real life or death emergency would be taken into account. Seemed a reasonable common sense solution to me.

    (Although in fairness, a relatively small health board and that app was by no means universal - maybe 700 users.)
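The concurrent-login check described in the comment above, as an added example that is not part of the original thread or of the system the commenter worked on. The log format, account names, locations and timestamps are constructed for illustration; sessions that were never logged out are treated as open until the end of the review period.

```python
from collections import defaultdict
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed sample records: login, logout ("-" = never logged out), account, location
SAMPLE_LOG = """\
2015-06-01 08:00,2015-06-01 08:20,nurse.a,Ward 3
2015-06-01 08:10,2015-06-01 08:15,nurse.a,A&E
2015-06-01 08:30,2015-06-01 09:00,nurse.a,Ward 3
2015-06-01 09:00,-,dr.b,A&E
2015-06-01 13:00,2015-06-01 13:05,dr.b,Theatre 1
2015-06-01 10:00,2015-06-01 10:30,dr.c,Ward 3
2015-06-01 10:10,2015-06-01 10:20,dr.c,Ward 3
"""

def parse(log_text, period_end):
    """Yield (account, location, start, end); open sessions run to period_end."""
    for line in log_text.strip().splitlines():
        start, end, account, location = [f.strip() for f in line.split(",")]
        start_t = datetime.strptime(start, FMT)
        end_t = period_end if end == "-" else datetime.strptime(end, FMT)
        yield account, location, start_t, end_t

def concurrent_logins(log_text, period_end):
    """Return (account, loc_a, loc_b, overlap_start) for sessions of one account
    that overlap in time at different locations, for a human reviewer to follow up."""
    by_account = defaultdict(list)
    for account, location, start, end in parse(log_text, period_end):
        by_account[account].append((start, end, location))
    findings = []
    for account, sessions in sorted(by_account.items()):
        sessions.sort()
        for i, (s1, e1, loc1) in enumerate(sessions):
            for s2, e2, loc2 in sessions[i + 1:]:
                if s2 >= e1:
                    break  # sorted by start: no later session can overlap this one
                if loc1 != loc2:
                    findings.append((account, loc1, loc2, s2))
    return findings

if __name__ == "__main__":
    for finding in concurrent_logins(SAMPLE_LOG, datetime(2015, 7, 1)):
        print(finding)
```

The dr.b finding comes from a terminal that was never logged out, which is the shared-terminal habit the thread discusses showing up in the audit data.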

  6. Spamfast

    There is a fundamental cultural problem with medicos (at least in the UK) in that they don't believe that their patients' medical data belongs to the patients despite the fact that the patients are paying the taxes and medical insurance that funds its collection. They therefore don't consider it worthy of protection. If you need proof, try reading "Guiding Principles for Data Linkage" from the Scottish government. Similar garbage is available from other UK healthcare organizations, the recent "care.data" debacle being a case in point. So of course they don't understand that login credentials are important.

    1. Anonymous Coward

      The medicos can counter that people pay taxes for the roads but don't personally own the roads. Similarly with hospitals. Taxes pay for the hospitals, but they don't OWN the hospitals or their data (which being the product of THEIR equipment and THEIR handiwork should legally belong to them, if not the government/crown under existing copyright statutes).

      1. Pompous Git Silver badge

        > The medicos can counter that people pay taxes for the roads but don't personally own the roads.

        However, the tax-paying public does have access to the roads they pay for. Similarly, here in Australia at least, the taxpaying public has access to tax-payer funded medical records under FOI. A friend who is a retired anaesthetist recently requested his records and was appalled at the many "mistakes" therein.

        1. Charles 9

          "However, the tax-paying public does have access to the roads they pay for. "

          The tax-paying public does have access to the hospitals they pay for, too.

  7. Anonymous Coward

    not the best

    "Medicos could be world's best security bypassers, study finds"

    World's best security bypassers that you can scream obscenities at in the same room.

  8. Lotaresco

    Poor requirements and the medical ego

    When Apple brought out the second generation iPads medics were screaming at IT Staff that they needed WiFi throughout the hospital to support their BYOD devices or Patients Would Die. This was of course drivel and made worse by the desire of medics to put sensitive patient data onto their own devices.

    Using patient deaths as a stick to beat IT staff is standard. Having been a medical researcher before I became an IT bod I was able to tell them where to get off. Most IT Staff have neither the knowledge nor the confidence to stand up to this blackmail.

    On the other side of the coin, I've watched medical staff having to juggle light pen, mouse, bar code reader and keyboard just to request clinical chemistry tests. This is clearly down to poor requirements gathering as well as cynical provision from third party suppliers - the school of "Oh it will do". It should be clear when gathering requirements for IT systems (or doing that stupid Agile thing) that speed of access to the system and to patient data should be a priority and this can be quantified. There then needs to be the usual risk-based decision on how to achieve an appropriate trade off. People leave systems logged in as much because of ignorance of the risks as for instant access to data. The instant access and "patients will die" arguments are usually post hoc to justify bad behaviour.

    If it's a real medical emergency no one in their right mind will be thinking of tapping at the keys on a computer instead of dealing with the emergency. Stat tests are usually achieved by planning ERs so that the laboratory is close to the ER and information/samples transferred by sneakernet. What's the point of having instant access to results if it takes significant time to get the samples to the lab? Who, in an emergency, has the time to carefully read through the patient's medical history? Which is why emergency procedures don't rely on going to look up "how to deal with an embolism" on Wikipedia, for example.

  9. G.Y.

    Henry Marsh

    wrote this up nicely in his "Do no harm" (p.268 &on)

  10. Lotaresco
    Pint

    I spent a brief period doing some research

    As far as I can tell there is no one focussed on providing secure rapid log in for use by emergency services. I know there's a need for this because I've worked on IT provision for emergency services and in control rooms as well as hospitals bad practice is common because it's faster than doing the right thing. Hence if something goes badly wrong it's often difficult to identify who did the wrong thing because of password sharing. This obviously suits the operators who like to feel they can't be held accountable.

    Then I had the lightbulb moment. What situation do I find myself in where someone has to log into a system within seconds or bad consequences will happen? Yes that's right, in the pub! If the bar staff can't get into that electronic till within seconds they will be faced with the wrath of man denied beer. Therefore the tills are designed to permit near-instant log in using a token. Problem solved!

    1. Charles 9

      Re: I spent a brief period doing some research

      "Therefore the tills are designed to permit near-instant log in using a token."

      Only one problem. Pub is a pretty small self-contained area. Everyone who would need access to the till is going to be within shouting distance, for their own good.

      Hospital is a big building, multiple floors, where people may be in different places throughout their watch. And each of these have different duties and authorizations. IOW, whole other kettle of fish.

      1. Lotaresco
        Meh

        Re: I spent a brief period doing some research

        "Hospital is a big building, multiple floors, where people may be in different places throughout their watch. And each of these have different duties and authorizations. IOW, whole other kettle of fish."

        Did you think this one through? The problem is access to individual terminals in a hurry if there's an emergency. The token solution is for anyone who has a need to access the system to have a token that grants them appropriate access. We have this concept of "a network" which means that wherever they are in the hospital they can walk up to a terminal, use their token and have exactly the same access as at any other terminal. No need for shouting.

        It's really not a "whole other kettle of fish" from the pub problem, where there's a need to identify the user (bar staff) and give them appropriate access to the system, with (say) managers having different access rights to the barman. These rights aren't an inherent feature of the token, the token is simply ID. The rights are associated with that ID and follow the user around.

        This isn't a perfect model for security, ideally access should be both token and password to reduce the number of improper accesses using a stolen/borrowed token. However there's a trade off for speed of access. At the moment we have no security if staff leave terminals open all day long. Use of tokens strikes a good compromise between ease of access and security.

        1. Charles 9

          Re: I spent a brief period doing some research

          "This isn't a perfect model for security, ideally access should be both token and password to reduce the number of improper accesses using a stolen/borrowed token. However there's a trade off for speed of access. At the moment we have no security if staff leave terminals open all day long. Use of tokens strikes a good compromise between ease of access and security."

          Except the hospital has legal confidentiality obligations on penalty of fines, sanctions, maybe even jail time. Plus there are MULTIPLE networks in a hospital, not all of which connect to each other. PLUS there's the matter many hospitals are understaffed with tight budgets. And we're not even going into human error, potential sabotage, and Murphy. IOW, the real world intrudes on your setup, making any attempt to implement, quite simply, a mess. Otherwise, someone would've already implemented it, and probably won the Nobel Prize for Medicine for basically performing a miracle.
