Study Finds Healthcare Workers Frequently Circumvent Computer Security Controls
A university study has found that medical workers, nurses and physicians frequently work around cyber security controls in healthcare settings, leaving healthcare organizations vulnerable to cyberattacks and data breaches. Yet, the study finds, clinicians do so because information security systems were often developed without sufficiently considering clinical workflow and health IT usability.
Computer science professors and research scientists from Dartmouth College, the University of Pennsylvania and the University of Southern California conducted the study to understand workarounds to healthcare workers’ computer access, according to the research paper. To do this, the researchers conducted interviews and observations with hundreds of medical workers and with 19 cybersecurity experts, CIOs, chief medical informatics officers (CMIOs), chief technology officers (CTOs) and IT workers to obtain their perceptions of computer security. The researchers also shadowed clinicians as they worked.
According to the study, the researchers found that “workarounds to cybersecurity are the norm, rather than the exception,” and the fact that such workarounds go unnoticed or, in some cases, are even tolerated “allows healthcare organizations to continue to deploy security that doesn’t work.”
“We present dozens of ways workers ingeniously circumvent security rules. The clinicians we studied were not ‘black hat’ hackers, but just professionals seeking to accomplish their work despite the security technologies and regulations,” the research authors wrote.
“The problem,” the researchers wrote in the paper, “is the workers who build, use and maintain the systems—often chief information or technology officers (CIOs/CTOs), chief medical informatics officers (CMIOs), sometimes cybersecurity experts, and often just IT personnel—did not sufficiently consider the actual clinical workflow.”
“For example, the bolus of passwords, each with specific requirements and time limits, are seen as an annoyance, not as a patient safety effort. Equally important, circumvention of cybersecurity is seldom examined by those concerned with workflow, health IT usability, barriers to teamwork, thought-flow or user frustration. Cybersecurity and permission management problems are hidden from management, and fall in the purview of computer scientists, engineers and IT personnel.”
The research authors examined security control practices in healthcare such as authentication (specifically password-based authentication), de-authentication (such as a user’s computer session ending when the user leaves), permission management, and what are referred to as shadow systems and shadow notes, in which clinicians create a record-keeping system that operates in parallel to the health IT for information that doesn’t need to be in the formal system. The authors then examined how these traditional security practices are ineffective given the workflow in healthcare delivery organizations.
According to the study, during the authors’ interviews and observations, they noted that clinicians circumvent password authentication and share passwords in order to efficiently access the same patients’ charts. In their observations, the research authors noted the widespread practice of writing down passwords, specifically noting “entire hospital units share a password to a medical device, where the password is taped onto the device.”
The authors also noted that strong password requirements, such as routine password expiry, don’t yield better security in a healthcare setting, as clinicians and nurses need to get in and out of health IT systems quickly. As another example, physicians might do rounds at a hospital only monthly, and password expiration intervals would require such a physician to obtain a new password each time they worked at that hospital.
The researchers also noted that both automatic de-authentication and the absence of automatic de-authentication can be burdensome for healthcare workers, depending on their particular workflow.
In one example, the researchers noted that a clinician complained that a clinic’s dictation system had a five-minute timeout, requiring the physician to re-authenticate with a password, which takes one minute. “During a 14-hour day, the clinician estimated he spent almost 1.5 hours merely logging in.”
In another example of how healthcare workers circumvent cybersecurity protocols, the researchers interviewed nurses in pre-op who physically move patients to the OR, which is two minutes away. In order to accurately record the OR transfer time into the electronic medical record (EMR), “nurses leave themselves logged in but turn the monitor off, and then come back to the pre-op afterward and record the OR transfer time.”
According to the researchers, for healthcare delivery organization leaders to understand circumventions of cybersecurity, their investigations must go beyond analyzing computer rules and computer-generated access logs: they should examine how clinicians and physicians actually work, which may require interviews, focus groups and observations.
The research authors conclude that security controls must be addressed in concert with sociological and workflow issues. “In addition, there is a continual dance between cyber security engineers and the clinicians who seek to treat patients; where clinicians view cyber security as an annoyance rather than as an essential part of patient safety and organization mission,” the authors wrote.