back to article Medicos could be world's best security bypassers, study finds

Medicos are so adept at mitigating security controls that their bypassing exploits have become official policy, a university-backed study has revealed. The work finds that nurses, doctors, and other medical workers will so often bypass information security controls in a bid to administer rapid health care that the shortcuts …

  1. Charles 9

    So a dilemma.

    The IT people are trying to avoid violating patient confidentiality laws. Furthermore, they're also trying to avoid getting critical medical equipment hacked, which means for them lives are at stake.

    But at the same time, actual medical personnel need to be able to call up critical information on a moment's notice, especially in Emergency Room situations, which means for them lives are at stake.

    So security is running smack into ease of use, and this time BOTH have a legitimate, "lives are at stake" justification, so a compromise is not acceptable. What's needed is a spectrum-breaker: something that is actually BOTH very secure AND dead easy to use at the same time.

    1. asdf

      Re: So a dilemma.

      >So security is running smack into ease of use

      Security always comes at the expense of everything else. The key is getting the balance right.

      1. Charles 9

        Re: So a dilemma.

        But in this case the expense is too great: the expense is lives, which for medicos is too great a price since they're under incredible (and usually legal) pressure to save those lives. A third option is therefore needed.

        Put it this way. Balance isn't possible because BOTH ends are so heavy the beam is bending to the point of snapping. It's like the right vs. fast problem. You can't just do it right because going too slow means people DIE, and you can't just do it fast because doing it wrong means people DIE. Medicos have to get it RIGHT AND FAST at the same time. Which means you need a SIMPLE AND SECURE at the same time solution. Otherwise, people DIE and there will be cries to get something done, toot sweet. Until someone can formally PROVE this to be impossible, the argument will never end.

        1. Adam 52 Silver badge

          Re: So a dilemma.

          "But in this case the expense is too great: the expense is lives"

          It's not. Really it isn't. Almost never. For routine medicine you can always wait a couple of seconds, and in most emergency cases you *treat what you see in front of you* not what some computer says. If there's blood spurting out I don't care that you had depression at University I want to stop the bleeding.

          It's only a few oddball cases, including severe allergic reactions, that make the news where the information is relevant and for those a physical bracelet, card or pendant is much easier and harder to abuse.

          1. Charles 9

            Re: So a dilemma.

            "It's only a few oddball cases, including severe allergic reactions, that make the news where the information is relevant and for those a physical bracelet, card or pendant is much easier and harder to abuse."

            It's those oddballs that are the ones that give rise to malpractice suits, especially for those with UNDETECTED or UNREPORTED allergies or reactions. Plus, as noted, emergency rooms are BOTH prone to hacking AND in need of very quick turnaround (each for the same reasons). So again, you need BOTH fast AND right.

            1. Adam 52 Silver badge

              Re: So a dilemma.

              "especially for those with UNDETECTED or UNREPORTED allergies or reactions"

              How do these undetected conditions get onto the computer? Is artificial omnipresence a thing?

          2. cray74

            Re: So a dilemma.

            ...and in most emergency cases you *treat what you see in front of you* not what some computer says. ... It's only a few oddball cases, including severe allergic reactions, that make the news where the information is relevant...

            If there's blood spurting out, you may need x-rays (or other scans) from a networked computer to identify internal damage that's the root cause of the spurting; patient information to identify (as you said) medical allergies that might make prompt doses of some antibiotics around the wound lethal to the patient; and so on. Eyeballs aren't always enough to make emergency medical decisions.

          3. Sam Haine

            Re: So a dilemma.

            "For routine medicine you can always wait a couple of seconds, and in most emergency cases you *treat what you see in front of you* not what some computer says."

            "A couple of seconds"? More like "Server down today, try again tomorrow." Need to look at an X-ray or some blood tests? Better just "treat what you see in front of you." Do most of the IT boondoggles I deal with increase the risk of death? Probably not. Increased risk of serious harm through delays in correct treatment, plus more pain and distress for the patient? Oh yes.

            1. Adam 52 Silver badge

              Re: So a dilemma.

              "Server down today, try again tomorrow."

              How do you fix a dead server by sharing passwords?

              Really does sound like the NHS needs some competent IT people so you don't have unplanned downtime. Like every other organisation does for its business critical services.

              1. Sam Haine

                Re: So a dilemma.

                "Server down today, try again tomorrow."

                "How do you fix a dead server by sharing passwords?"

                By trying a different server to which I don't have access because I'm not supposed to need access. I can request a password for that server of course (with the request countersigned by my line manager and my line manager's line manager) which will almost certainly be rejected by someone who won't read / won't believe the reason I give for needing it and with the usual response time of twenty working days.

          4. lpcollier

            Re: So a dilemma.

            Actually, it might be. The fastest I've seen a user-switch on a real NHS computer is about 45 seconds. I've seen it take as long as three minutes. In a busy ED with maybe 6-8 computers shared by 8-10 doctors and the same or more in nurses, plus all of the specialty teams coming and going through the unit. That's an aweful lot of time being wasted switching users. I personally do my best to avoid using another person's account, but during an emergency sometimes there just isn't time to mess around.

            1. Alan Brown Silver badge

              Re: So a dilemma.

              The problem isn't poor security practice. It's going about it the wrong way.

              Put the authentication into staff ID cards, they're not allowed to wander around without them - yes the same cards that are used to open doors, etc.

              If you need to cross-authenticate then add a fingerprint scanner. if someone's got a card and a fake (or dead) finger then you have bigger worries than IT security.

              As for slow changeovers - that IS a problem. Fix it. Tablets and Wifi are cheap enough that shared computers should be the exception rather than the norm anyway.

          5. Marshalltown

            Re: So a dilemma.

            "It's not. Really it isn't. Almost never. ..."

            Clearly you've never been at the sharp end. There are several problems that all intersect and collectively they can kill patients that aren't even critical. First and foremost, staffing is inevitably affected adversely by computerization - ward clerks? Licensed vocational nurses? Who needs them, we have computers now! The typical hospital administration loves "paperless," low staff, nursing and doctoring. I know of one "healthcare" provider whose administrative board includes ONE doctor, who has no veto just because chairman - well trained in ***Hospitality (Hotel) Management*** (really) wants to hire - this a true story - people with a Disneyland staff attitude. Skill is not important. Really, its not. SMILE WIDELY and get out the iPad - "Oh, I am SO sorry. You are going to die??? I hope you had a nice stay!!! Can you fill out a customer satisfaction survey before you die???" - CONTINUE SMILING. The food was what??? I can't write that down!!!! What's that? you have resistant staph and that's what's killing you? You don't think much of the isolation practices??? What are those??? I am only trying to find out if you liked your stay ma'am. So you didn't?"

            Then there are interfaces. I know of one "healthcare system" that bought accounting software which some idiot convinced the administration could be "retasked easily" to handle health care records. (Why do these lab values have dollar signs?) The "ease" was a dillusion and the end result is an on-going catastrophe. Then of course there is the Windows problem - hospital staff do not have TIME to waste learning new interfaces every time some knuckle head thinks they can make the screen look "better." There are many horror stories about computers in hospitals and very few good ones. Every second staff spend doing computer work (or paper work to be fair) is time the patient doesn't benefit from. Every time a staff member accidentally clicks the wrong square in some "form" and doesn't catch it because they are also being paged overhead and via the phone for a code [whatever] is a time some coder's poor understanding of how things work in a hospital could kill someone, even someone who shouldn't have a problem. And, very much more to the point, healthy people don't go to the hospital! The case are OFTEN "odd ball."

  2. AustinTX

    Probably worse than you can imagine

    Hospitals are always so short-staffed they can't even keep their records up to date or even refile them so doctors can see their patient's records. I've temped in several hospitals for this reason. One hospital had a decades-old mainframe terminal system which required an employee's badge to be inserted to function. Very nice, right? Would tell you who accessed what and when. Well, every one of these terminals, throughout the bld had a blank badge left stuck in it at all times since doctors were always losing their badges and they didn't want to make ones for the temps. When I got bored entering location codes for files, I could look up people I knew and see what they'd been in for and when along with all their personal identification.

    1. Pompous Git Silver badge
      Unhappy

      Re: Probably worse than you can imagine

      Nothing about hospitals surprises me any more. I just had a cardiac resynchronisation/defibrillator installed. The anaesthetising nurse forgot to top up the anaesthetic so when the surgeon made the inisions and installed the device I felt everything! Post op I was offered panadol osteo (paracetamol) for pain relief and ended up having a shouting match with a nurse who told me it was illegal to take my regular meds, such as ivabradine prescribed by my cardiologist. The reason given was that the hospital pharmacist had never heard of ivabradine and anyway they don't approve of over-the-counter herbal medicines.

      Security? I'd be surprised if the managed to find their own arse with both hands.

      1. Anonymous Coward
        Anonymous Coward

        Re: Probably worse than you can imagine

        Some of these comments seem specific to either the US or the UK.

        Here where I'm currently working we haven't got a huge "sue" culture and we haven't got constant medical staff shortages.

        We do get some staff trying to work around security and sometimes IT is over-ruled. I thought this was a big problem but compared to what I'm reading here it's nothing at all!

        EDIT: I think Neil below has locked on to what we do.

    2. Alan Brown Silver badge

      Re: Probably worse than you can imagine

      "Well, every one of these terminals, throughout the bld had a blank badge left stuck in it at all times "

      Shouldn't be happening.

      "since doctors were always losing their badges and they didn't want to make ones for the temps. "

      It's a legal _requirement_ in the UK that patients can see the photoID of whoever's treating them.

      Doctors who forget their badges won't do it if it hits them in the wallet.

      1. Marshalltown

        Re: Probably worse than you can imagine

        The fact that a photo-id is a "legal requirement" doesn't make it a smart policy that does anything beneficial. It simply makes it a policy. Besides which, anyone with a decent image editor can counterfit the badges adequately to fool the Mk 1 eyeball. Ah - you say - but the card has to be passed through a reader and that can't be fooled. True, but seven people at a door, one passes their legitimate card and all seven including the ringer pass the door. Maybe we need embedded chips? No sweat. The code can be grabbed by several different kinds of skimmers and added to a card. Does the chip have to match the image? Not really if it is all machine checked. Is that really better security, or merely an illusion that some bean-counting "security" type ignorant of the actual demands in a hospital finds comforting? The only way to clue someone in to hospital security needs and true weaknesses is to get them out in the floor answering calls, changing bed pans, and watching sheet covered forms being moved down the hall to the elevator - destined for the morgue.

  3. gollux
    Devil

    Yeah, we're secure...

    But the patient's dead...

    There was this book written in the aftermath of WWII that pretty much details the conflict between reality, policy and management. I'm reminded of it every day...

    "Catch 22"

    1. Anonymous Coward
      Anonymous Coward

      Re: Yeah, we're secure...

      The answer is always the syndicate. Even in the "good" wars there are always plenty of 1%ers turning blood into gold.

  4. Anonymous Coward
    Anonymous Coward

    The fact that some security is based on "Best Practice" or "Industry Standard" is what winds me up. It's not based on "What we can observe and measure in the real world" but rather on "sufficient documentation exists to support this practice that no one will hold the security people accountable for problems if we implement these policies".

    You must have a complex password, change it every 60 days, not reuse it - these are my favourites. Teach the user base how to generate pattern passwords that meet the rules and problem solved (from the users' perspectives)

    1. Charles 9

      "You must have a complex password, change it every 60 days, not reuse it - these are my favourites. Teach the user base how to generate pattern passwords that meet the rules and problem solved (from the users' perspectives)"

      No, because some people have REALLY BAD recall:

      "Now, was that CorrectHorseBatteryStaple or Engine+Paperclip+Donkey+Wrong?"

      THAT kind of bad, which I see all the time. Medicos are caught between Scylla and Charybdis except they're not allows to sacrifice anyone. They need it RIGHT AND FAST, SECURE AND SIMPLE all at once, or people DIE and their survivors complain.

  5. Neil Barnes Silver badge

    For Pete's sake

    Every cash register in pretty much every pub in the country has a token login based on a physical widget attached to the operator with a bit of string.

    It's not a difficult concept.

    Make the same widget responsible for opening doors and doctors won't be able to lend theirs to others.

    Of *course* doctors aren't going to sit down and remember passwords for a dozen different systems; they're busy doing doctor things. Security per se is something that gets in their way and like any other human they'll do their best to avoid it. But an ID card in a slot not only provides access to systems but provides an automatic logout. Sure, it's not as secure as a widget *and* a password, but how secure is it now? The primary driver here is access to the records of the patient the doctor is treating *now*.

    1. Charles 9

      Re: For Pete's sake

      You know the problem with keys? People keep LOSING them! Lanyards break, keys get caught in things, next thing you know it's vanished without trace or knowledge of how it happened. And trying to correct for these wastes time which is unacceptable in a medical area because time means LIVES.

      1. Anonymous Coward
        Anonymous Coward

        Re: For Pete's sake

        I work in a site where you can't enter if you don't have your badge. I can't enter my office without the badge, nor I can eat at the canteen. If you forget it, the reception will issue you a temporary one on the spot after checking who you are.

        You quickly learn how to ensure you always have your badge with you. After all people also take care of their car keys, or they may not be able to get back home. AFAIK medical personnel working where radiations are present must carry a dosimeter.

        If needed, plant a chip under the medical personnel skin.... <G>

        1. Charles 9

          Re: For Pete's sake

          "You quickly learn how to ensure you always have your badge with you. After all people also take care of their car keys, or they may not be able to get back home. AFAIK medical personnel working where radiations are present must carry a dosimeter."

          And YOU just as quickly how often people STILL leave the damn things behind, skipping lunch and going hungry, requiring a cab or a ride or a locksmith, or simply walking home in the pouring rain. This IN SPITE of every precaution. Plus, losing access to critical information just when a Code Blue hits is NOT GOOD.

          PS. I think they found that when it came to appendages that are used quite often, like the arms, hands, and digits, they found yet another dilemma. A tough installation can't read half the time, and a realiably-readable one tended to break too often. Again, waiting for a replacement in an environment where time is critical is a no-go.

      2. Triggerfish

        Re: For Pete's sake @Charles 9

        So couldn't there be spares? Could not the hospital employ someone who rather than constantly pushing a space bar, issues out a re-placemnet, you could go even further and have them put a stop on the lost token.

        1. Charles 9

          Re: For Pete's sake @Charles 9

          Spares can get stolen.

          Replacements have to be verified.

          The point is not that it costs manpower but that it costs time, which depending on what part of the hospital you're in can be quite precious (that's why I always note the Emergency Room, one place where time pressure is frequent).

          1. Triggerfish

            Re: For Pete's sake @Charles 9

            Spares can get stolen.

            Replacements have to be verified.

            The point is not that it costs manpower but that it costs time, which depending on what part of the hospital you're in can be quite precious (that's why I always note the Emergency Room, one place where time pressure is frequent).

            Well yes it cost tiume but is it quicker and does it work better?

            Here rough process.

            Doc turns up to hospital, has not got rfid / token thingy. Goes to designated person. Says has forgotten/ lost current one. They de-activate it, issue a temporary one. Doc starts work.

            Yeah sure there is time lost, but it's caused by the doctor forgetting an item, it's going to happen. Everything that takes some security costs some time when it is needed, it's lessening the time while still being pratical and secure that seems to be the issue.

            1. Charles 9

              Re: For Pete's sake @Charles 9

              "Goes to designated person."

              There's your problem. There's no budget for "the designated person".

              1. Triggerfish

                Re: For Pete's sake @Charles 9

                "Goes to designated person."

                There's your problem. There's no budget for "the designated person".

                You mean there's no IT staff in the hospital at all? That's your problem there I reckon, no secretary either who could be trained to run a simple program, my oh my no wonder hospitals are so rushed.

                Keys get lost, tokens get lost, cards get lost. Passwords get forgotten.

                Whats the solution leave it all open all the time? everything else apart from the mentioned dermal implants, I know people can lose their arms, hits the human factor.

                1. Marshalltown

                  Re: For Pete's sake @Charles 9

                  Triggerfish - Hospitals do not make money, but they are generally owned by companies that are only putatively non-profit. So, for parent companies hospitals are cost centers that lower the bottom line. So, reduce staffing. Staff for minimum occupancy, reduce support staff or eliminate it altogether, hire one guy to handle IT or better yet outsource it to India and don't provide any documentation to the IT people anyway. Written originally for a mainframe in the '80s, not even for a hospital. Well - you're IT. We have confidence in you. What's source code? Why do you need it?

                2. Charles 9

                  Re: For Pete's sake @Charles 9

                  "You mean there's no IT staff in the hospital at all? That's your problem there I reckon, no secretary either who could be trained to run a simple program, my oh my no wonder hospitals are so rushed."

                  Hate to say it, but...that's exactly the issue! No solution can hire additional people because there's no budget for it. You MUST use existing people or it'll never make the budget. In a hospital, security plays third fiddle (to saving lives and cutting costs) and there's no way you're going to change this in the medical culture. The first priority is sacrosanct due to the Oath of Hippocrates while the second priority is imposed by the men up top.

      3. Marshalltown

        Re: For Pete's sake

        More to the point the key can be stolen. And, I have seen a key card snagged in an elevator door, ripped off the lanyard and fall down into the crack between the elevator and the shaft. Now there is a security issue, a legitimate card at the bottom of the elevator shaft - where it might be stolen by some nefarious and underpaid mechanic and sold to some no-good-nik. The "security" response was to close down both the elevators sharing that shaft to recover the card. That created a traffic jam at the next elevator down the hall, blocked responses to codes and created a gruesome tangle of visitors, patients, and staff, and likely lead to who knows how many unnecessary resistant staph infections. Medical people are often trained to think in terms of triage. In that approach, "security" will inevitably be last.

    2. Richard Jones 1
      Unhappy

      Re: For Pete's sake

      While I understand the theory, practice is often different. Cards DO fail, not good when you are one side of a door and doctor is the other. Never mind maybe someone will help them through, shame about your notes though. Still a replacement card should be available in 1~4 working days. Dangling gizmo things look so trendy in infection control areas. Proximity devices can be useful until they get lost, dropped, left in another jacket or so on. Sadly, one size fits all does not fit all and even more sadly not only are all people not the same neither are their jobs the same either. Not even everyone in the hospital has the same skill set or job description. There is still a lot wrong with the management and control of most hospitals but treating all roles with the same pat 'treatment' is not the answer. Human and job role factors must be considered. Should task and access 'tokens' ever leave the site or should the site have improved methods of issue and management?

      Too many questions for those outside to have a hope of answering, too many questions for those on the inside to have time to generate easy answers.

      I use a proximity fob system at home so I am well aware that they can be useful, I used a card system at work, so I am also painfully aware of failure rates.

      1. Anonymous Coward
        Anonymous Coward

        Re: For Pete's sake

        First up, most hospitals I know of have to have id on them at all times. If you are letting people in without ID, even staff, you've got bigger issues.

        "Still a replacement card should be available in 1~4 working days.", really. There is no reason why something as big as a hospital (which I presume has security staff), could not have multiple card printers. We have 4 readers and can get a card to someone in next to no time.

        1. Charles 9

          Re: For Pete's sake

          That hospital must have a good budget, then. Experience tells me your experience is the exception, not the norm.

        2. Marshalltown

          Re: For Pete's sake

          You are talking about hospitals, staff are reduced because, well hospitals never make money anyway, so companies hire "hospitality management" administrators with a mission direction to reduce costs at all costs. Their understanding of medicine is limited to patients are frequently unhappy and so are their families. "Why did my dad have to wait so long for someone to help him with the bed pan?" What do?

          They only hire minimum staff based on an assumption of minimum bed occupancy. Population rises, call in temps - but, temps and security badges - hmmm, maybe some sort of temporary badge, disposable perhaps? Temps need to complete (electronic) charting, meaning they need access to confidential patient records, but aren't issued passwords - "use mine" says the one full-time nurse. But that's bad practice!! Well yes, but there are now two nurses on the floor with 30 patients, and the full time nurse doesn't have time to access records for her patients AND the temp's.

          I have never met a computer security staffer dealing with medical records in a hospital that understood that the issue is patients - they need to be cared for and the floor is, except for the odd blue moon day, always understaffed. Their directions on implementing security come from a management that is a complete stranger to actual health care, except occasionally for the one token doctor on the board who might not be, and would be outvoted if it comes down to bonuses or patient well being.

    3. Adrian 4

      Re: For Pete's sake

      "Make the same widget responsible for opening doors and doctors won't be able to lend theirs to others."

      This here is what's wrong with all too many IT departments.

      If a user fails to adhere to a procedure, the answer isn't to find a way to force them. The answer is to find a better procedure that works with their workflow/constraints/failings.

    4. Prst. V.Jeltz Silver badge

      Re: For Pete's sake

      @Neil Barnes

      We have those. Got one hanging on my neck right now - an NHS care Identity service "smart Card"

      Those machines in pubs can switch users a hell of a lot faster than an NHS app though.

      This line in the article really summed it up for me:

      ""The problem is the … chief information, technology, and medical informatics officers … did not sufficiently consider the actual clinical workflow," the team says."

    5. lpcollier

      Re: For Pete's sake

      Nice idea, the problem is that NHS IT is a mess. A total mess. It's not a case of just logging into a workstation, it's a case of logging into anything from three to fifteen different clinical information systems depending on the specialty. Many of those are "web based" (usually tied to an ancient version of Internet Expolorer complete with obsolete ActiveX controls) and require separate passwords. They all have different password requirements and different password expiry lengths. The ubiquitous smart card is a great way to STEAL passwords, by having the smart card in situ then inviting a colleague to log in to something, the password management software will happily (and often silently) record their credentials. Genius! Probably the most secure approach to hospital computer systems I've seen is to have everything in virtual Windows instances in a server farm with the workstations purely acting as host displays, with a smart card or other token to reconnect to each user's desktop. It's fast, pretty secure and very convenient, but also very expensive.

      1. Alan Brown Silver badge

        Re: For Pete's sake

        "Probably the most secure approach to hospital computer systems I've seen is to have everything in virtual Windows instances in a server farm with the workstations purely acting as host displays,"

        Doable cheap and NOT particularly expensive if you do it using linux desktops.

        As a bonus, it's harder for the lusers to be tricked into installing malware (NHS firewalls are routinely bypassed and even the ones which aren't have more holes in them than a swiss cheese)

  6. Pascal Monett Silver badge
    Trollface

    Keys get lost, cards get re-used indefinitely, passwords are a joke

    So there is only one solution : neck collars. Personnel gets to the hospital, is intercepted by security team, gets wrestled to the ground and officer slaps neck collar on. Personnel is then free to go wherever and touch whatever computer, the neck collar automatically grants access. Collar stays on until personnel contract is terminated, HR in charge of retrieving it when processing the departure.

    For bonus points, make the collar a nice one, so that the ladies actually don't mind wearing it and the men look more manly with it.

    1. Charles 9

      Re: Keys get lost, cards get re-used indefinitely, passwords are a joke

      Next thing you know, you collar someone with very sensitive skin and they develop a rash...

  7. David Pollard

    Now you know ...

    ... why doctors' writing is almost impossible to decipher.

  8. Terry 6 Silver badge

    Real world

    Even in ordinary environments password security can put people under that little bit of extra pressure. Mostly it makes no difference, it's just one of those things that have to be done.

    The more pressure there is the more problematic it can become.

    Sit in a school staffroom at 08:20 and you'll see password sharing, As in, " Oh God it made me change my password yesterday - What the hell was it? X ( insert name) what's your password, I need to print off...... etc....."

    Move that into an overstretched hospital department with patients on trolleys and ambulances queuing outside and it isn't surprising if they don't even bother to keep passwords.

    It's not just emergencies, it's time pressure. If it takes an extra half minute per patient to change mental gear, ( especially if tired or rushing), recall and enter the password then by the end of the clinical day enough time for a number of slots have been used to type passwords - and that's assuming it works well, there's no need to retype the password and they don't get locked out.

  9. Anonymous Coward
    Anonymous Coward

    Medics aren't without intellect

    When I was a working hospital doctor, I'd always put speed of patient care before IG. So did the managers. Targets to meet for treatment times were prioritised over sensible IG features such as single sign-on across all the [disparate] clinical systems - PAS, RIS, PACS, Path, Order-comms etc.

    I even wrote a bit of code to 'move' the mouse pointer evry so often [co-incidentally just less than the time-out setting for the log-in!

  10. Captain Badmouth

    Biometric systems

    seem to be the answer here, something you can't lose. Ok, there are different security implications but getting rid of the tag/card that you can lose/mislay is a big plus.

    1. Tweetiepooh

      Re: Biometric systems

      What biometric? Hands in gloves, covered in blood and other fluids, maybe mask on, face shield.

      Maybe a solution is to have separate terminals and requirements in different zones, so terminals more open to "outside" use need more security than one in a clinical area where access is more restricted. You can also change what can be done so in areas like emergency treatment where getting info is more important that changing it make terminal read-only or limit what can be changed without additional authentication.

      1. Charles 9

        Re: Biometric systems

        Problem is, sometimes the requirements CLASH. For example, as you say, the Emergency Room. Problem here is that, due to the environment, it's a pretty open area with lots of people roaming around. This makes it a prime target for infiltrating in the midst of the chaos. BUT emergency personnel ALSO need timely access to patient information in order to keep triage and treatments moving quickly because, well, you're dealing with emergencies here.

      2. SImon Hobson Bronze badge

        Re: Biometric systems

        > Maybe a solution is to have separate terminals and requirements in different zones ...

        You mean, like the people who design these systems actually go out and find out how the people who need to use them actually work ! And having done that, design systems (note plural) appropriate to each situation.

        I think teh article could be summed up thus :

        TL;DR - systems not designed with users in mind

        Now, haven't we heard that one before ?

        1. Alan Brown Silver badge

          Re: Biometric systems

          "You mean, like the people who design these systems actually go out and find out how the people who need to use them actually work !"

          The problem is that whilst bypassing security might be excusable in ED, it's NOT excusable in standard clinical care environments and the problems are as much doctors being prima donnas as anything else.

  11. Herby

    Then you get....

    The half hour (or more) inquiry of medical facts when you go into the hospital EVERY TIME since they can't be bothered to "look you up".

    One time when visiting my dad in hospital, I was AMAZED at how much faxing they did. They would print out something and blast it off to somewhere. Weird to happen in the last decade!

    Maybe they would be more accepting if you had a PDF of your (brief) history on a thumb drive and they accepted it as well, but that is another story.

    Computers? I've heard of them...

    1. Alan Brown Silver badge

      Re: Then you get....

      > The half hour (or more) inquiry of medical facts when you go into the hospital EVERY TIME since they can't be bothered to "look you up".

      I usually respond with "this is in my file, why are you asking again?"

      1. Charles 9

        Re: Then you get....

        They respond, "Because we need to know the information in order to retrieve your file." IOW, it's a case of the crowbar being IN the crate.

  12. Disk0
    Coat

    The Medico God complex.

    That is all. It can never be fixed, every hospital just needs a Samaritan style surveillance machine to keep track of who's inside and what they are doing. Invasive, yes, but so is surgery.

    Mine's the one without the beeper.

    1. lpcollier

      Re: The Medico God complex.

      Yes, you're right. Doctors share passwords because they want to be God.

      1. Midnight

        Re: The Medico God complex.

        Someone didn't bother reading my carefully prepared memo on commonly-used passwords.

        Now, then, as I so meticulously pointed out, the four most-used passwords are: love, sex, secret, and... god. So, would your holiness care to change her password?

        1. Charles 9

          Re: The Medico God complex.

          What happened to "password"?

  13. phillip-b

    The problem is stopping the wrong people from using the computer

    So far most of the comments have been about identifying the right user. Turn this on its head - how does one stop the wrong users from accessing the computer? I know this sounds weird or nuts, but if fast access to the computers is so medically necessary, then (particularly in A&E) have a security person whose job it is to patrol the unlocked computers to solely look for non-medicos using them.

    1. Charles 9

      Re: The problem is stopping the wrong people from using the computer

      OK, where does the money come from? Many hospitals are short-staffed already.

      1. phillip-b

        Re: The problem is stopping the wrong people from using the computer

        A&E already needs security guards - same person.

  14. Bob Dole (tm)
    Holmes

    The existing security paradigm just doesn't work in a multi-user world.

    Hospitals are the perfect example of an area where computer systems as they are now completely fail. The problem isn't one that will be solved by having biometrics or key fobs (tokens) available because those ignore the issue.

    The issue is that there is a large number of mobile workers (nurses, doctors, etc) that are moving around from room to room who need access to information immediately. Logging in and out of that rooms computer systems simple isn't feasible.

    So, how do you fix it? You start by getting rid of logins. Having someone log out and log back into Windows or even the application that's running on the computer is dumb. A much better approach is to just RFID tag all the people in the hospital (doctors, nurses, patients, visitors) and have detectors in each of the rooms.

    Change the applications so they don't require logins. Instead just record who was present in the room at the time anything happened. A medical record needs pulled up? System verifies that a medical professional is in a room and records who is there (including visitors) quietly, in the background. Someone needs that monitoring machine turned on? Is a medical pro in the room? yes, then do it and log who was present.

    How do you give everyone an RFID tag? well, they already have badges. Even visitors should have a visitors badge.... If a doctor doesn't have their badge then they aren't on duty. Multiple RFID sensors in a given room would easily tell you exactly which room they are in.

    That is quiet, unobtrusive and would absolutely go along with their workflow. They also wouldn't try to game the system.

    1. Charles 9

      Re: The existing security paradigm just doesn't work in a multi-user world.

      Too risky for false positives, if you ask me. The problem here is that RFID is radio based, and most of the time radio detecting isn't very precise. There will be tons of badges floating through the halls, and the walls don't always shunt. They could pick up stray badges and end up with mistaken readings.

      Another problem is that all this added radio transmission raises the risk of RF Interference, and medical equipment tends to be very sensitive which is why there were cell phone blackouts in the past in hospitals. RFID will mean raising the specter of more (and expensive) RFI testing. At least with current applications the badge readers are considered non-interfering because they only have a point-blank effective range.

      1. Alan Brown Silver badge

        Re: The existing security paradigm just doesn't work in a multi-user world.

        "Another problem is that all this added radio transmission raises the risk of RF Interference, and medical equipment tends to be very sensitive which is why there were cell phone blackouts in the past in hospitals."

        *Ahem*Bullshit*Ahem*

        The sensitivity was to 10-20W walkie-talkies being keyed in close proximity to equipment. That got translated into edicts that ALL radio equipment was to be turned off, for the simple reason that it's easier to enforce such a rule than "Oh this is ok, but that's not" - not helped by initial analog bag phones being 3-5W, instead of the 300mW maximum transmit power allowed for phones these days (bearing in mind that they seldom actually transmit at 300mW, it's usually 10-15mW unless in radio fringe areas and frequently in urban cells it's down as low as 1-2mW)

        The mobile phone ban got kept around for reasons of annoyance value, patient privacy and profiteering from pay/bedside phones, until OFCOM and the FCC stepped in to stomp on the latter.

        Meantime, the actual cause of RF interference problems - high powered walkie talkies - kept on merrily being used the entire time by security staff without a thought given to the effects on equipment.

  15. Seanmon

    No auditing?

    Last NHS system I worked on (a portal site that hooked into literally dozens of ancient creaky things and pulled all that data onto one screen - quite useful.) the login data was reviewed by an information governance person every month. Anything dodgy - same login used at two different locations at the same time, for example - and someone would get a polite call from IG to explain themselves. Mitigating circumstances, such as real life or death emergency would be taken into account. Seemed a reasonable common sense solution to me.

    (Although in fairness, a relatively small health board and that app was by no means universal - maybe 700 users.)

  16. Spamfast

    There is a fundamental cultural problem with medicos (at least in the UK) in that they don't believe that their patients' medical data belongs to the patients despite the fact that the patients are paying the taxes and medical insurance that funds its collection. They therefore don't consider it worthy of protection. If you need proof, try reading "Guiding Principles for Data Linkage" from the Scottish government. Similar garbage is available from other UK healthcare organizations, the recent "care.data" debarcle being a case in point. So of course they don't understand that login credentials are important.

    1. Anonymous Coward
      Anonymous Coward

      The medicos can counter that people pay taxes for the roads but don't personally own the roads. Similarly with hospitals. Taxes pay for the hospitals, but they don't OWN the hospitals or their data (which being the product of THEIR equipment and THEIR handiwork should legally belong to them, if not the government/crown under existing copyright statutes).

      1. Pompous Git Silver badge

        The medicos can counter that people pay taxes for the roads but don't personally own the roads.

        However, the tax-paying public does have access to the roads they pay for. Similarly, here in Australia at least, the taxpaying public has access to tax-payer funded medical records under FOI. A friend who is a retired anaesthetist recently requested his records and was appalled at the many "mistakes" therein.

        1. Charles 9

          "However, the tax-paying public does have access to the roads they pay for. "

          The tax-paying public does have access to the hospitals they pay for., too.

  17. Anonymous Coward
    Anonymous Coward

    not the best

    "Medicos could be world's best security bypassers, study finds"

    World's best security bypassers that you can scream obscenities at in the same room.

  18. Lotaresco

    Poor requirements and the medical ego

    When Apple brought out the second generation iPads medics were screaming at IT Staff that they needed WiFi throughout the hospital to support their BYOD devices or Patients Would Die. This was of course drivel and made worse by the desire of medics to put sensitive patient data onto their own devices.

    Using patient deaths as a stick to beat IT staff is standard. Having been a medical researcher before I became an IT bod I was able to tell them where to get off. Most IT Staff have neither the knowledge not the confidence to stand up to this blackmail.

    On the other side of the coin, I've watched medical staff having to juggle light pen, mouse, bar code reader and keyboard just to request clinical chemistry tests. This is clearly down to poor requirements gathering as well as cynical provision from third party suppliers - the school of "Oh it will do". It should be clear when gathering requirements for IT systems (or doing that stupid Agile thing) that speed of access to the system and to patient data should be a priority and this can be quantified. There then needs to be the usual risk-based decision on how to achieve an appropriate trade off. People leave systems logged in as much because of ignorance of the risks as for instant access to data. The instant access and "patients will die" arguments are usually post hoc to justify bad behaviour.

    If it's a real medical emergency no one in their right mind will be thinking of tapping at the keys on a computer instead of dealing with the emergency. Stat tests are usually achieved by planning ERs so that the laboratory is close to the ER and information/samples transferred by sneakernet. What's the point of having instant access to results if it takes significant time to get the samples to the lab? Who, in an emergency, has the time to carefully read through the patient's medical history? Which is why emergency procedures don't rely on going to look up "how to deal with an embolism" on Wikipedia, for example.

  19. G.Y.

    Henry Marsh

    wrote this up nicely in his "Do no harm" (p.268 &on)

  20. Lotaresco
    Pint

    I spent a brief period doing some research

    As far as I can tell there is no one focussed on providing secure rapid log in for use by emergency services. I know there's a need for this because I've worked on IT provision for emergency services and in control rooms as well as hospitals bad practice is common because it's faster than doing the right thing. Hence if something goes badly wrong it's often difficult to identify who did the wrong thing because of password sharing. This obviously suits the operators who like to feel they can't be held accountable.

    Then I had the lightbulb moment. What situation do I find myself in where someone has to log into a system within seconds or bad consequences will happen? Yes that's right, in the pub! If the bar staff can't get into that electronic till within seconds they will be faced with the wrath of man denied beer. Therefore the tills are designed to permit near-instant log in using a token. Problem solved!

    1. Charles 9

      Re: I spent a brief period doing some research

      "Therefore the tills are designed to permit near-instant log in using a token."

      Only one problem. Pub is a pretty small self-contained area. Everyone who would need access to the till is going to be within shouting distance, for their own good.

      Hospital is a big building, multiple floors, where people may be in different places throughout their watch. And each of these have different duties and authorizations. IOW, whole other kettle of fish.

      1. Lotaresco
        Meh

        Re: I spent a brief period doing some research

        "Hospital is a big building, multiple floors, where people may be in different places throughout their watch. And each of these have different duties and authorizations. IOW, whole other kettle of fish."

        Did you think this one through? The problem is access to individual terminals in a hurry if there's an emergency. The token solution is for anyone who has a need to access the system to have a token that grants them appropriate access. We have this concept of "a network" which means that wherever they are in the hospital they can walk up to a terminal, use their token and have exactly the same access as at any other terminal. No need for shouting.

        It's really not a "whole other kettle of fish" from the pub problem, where there's a need to identify the user (bar staff) and give them appropriate access to the system, with (say) managers having different access rights to the barman. These rights aren't an inherent feature of the token, the token is simply ID. The rights are associated with that ID and follow the user around.

        This isn't a perfect model for security, ideally access should be both token and password to reduce the number of improper accesses using a stolen/borrowed token. However there's a trade off for speed of access. At the moment we have no security if staff leave terminals open all day long. Use of tokens strikes a good compromise between ease of access and security.

        1. Charles 9

          Re: I spent a brief period doing some research

          "This isn't a perfect model for security, ideally access should be both token and password to reduce the number of improper accesses using a stolen/borrowed token. However there's a trade off for speed of access. At the moment we have no security if staff leave terminals open all day long. Use of tokens strikes a good compromise between ease of access and security."

          Except the hospital has legal confidentiality obligations on penalty of fines, sanctions, maybe even jail time. Plus there are MULTIPLE networks in a hospital, not all of which connect to each other. PLUS there's the matter many hospitals are understaffed with tight budgets. And we're not even going into human error, potential sabotage, and Murphy. IOW, the real world intrudes on your setup, making any attempt to implement, quite simply, a mess. Otherwise, someone would've already implemented it, and probably won the Nobel Prize for Medicine for basically performing a miracle.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like