Medicos are so adept at mitigating security controls that their bypassing exploits have become official policy, a university-backed study has revealed.
The work finds that nurses, doctors, and other medical workers will so often bypass information security controls in a bid to administer rapid health care that the shortcuts are taught to other staff.
It is built on face to face and phone interviews with hundreds of medical workers, chief technology officers, and 19 security boffins by an academic team of Sean Smith and Vijay Kothari of Dartmouth College, Ross Koppela of the University of Pennsylvania, and Jim Blythe of the University of Southern California.
"We find, in fact, that workarounds to cyber security are the norm, rather than the exception," the team writes in the paper Workarounds to Computer Access in Healthcare Organisations: You Want My Password or a Dead Patient? [pdf].
"They not only go unpunished, they go unnoticed in most settings — and often are taught as correct practice.
"Cyber security efforts in healthcare settings increasingly confront workarounds and evasions by clinicians and employees who are just trying to do their work in the face of often onerous and irrational computer security rules."
"Entire hospital units" have shared a single login for a medical device. Passwords are plastered everywhere on sticky notes, some on the back of official advice from tech vendors.
It is part of what the quartet call "endemic circumvention" of password authentication.
Rather useless password expiration requirements -- so described because it pushes users to select increasingly weak and easy passwords -- soaks up IT shop time increasing the advantages for staff to share logins.
Some medicos have gone to lengths to mitigate hospital security controls. Staff at one unnamed hospital put styrofoam coffee cups over proximity sensors in a bid to prevent automated log outs.
One hospital charged the junior medico with pushing the spacebar on computers every five minutes to prevent log outs.
These workarounds which keep machines logged in have resulted in at least one instance with the issuance of the wrong medication when a doctor did not realise the wrong patient records were open.
"The problem is the … chief information, technology, and medical informatics officers … did not sufficiently consider the actual clinical workflow," the team says.
The team says healthcare workers are some of the most creative in bypassing controls given their critical mission of healthcare delivery. ®