Study Finds Password Misuse In Hospitals Is 'Endemic' (securityledger.com)
chicksdaddy writes from a report via The Security Ledger: Hospitals are pretty hygienic places -- except when it comes to passwords, it seems. That's the conclusion of a recent study by researchers at Dartmouth College, the University of Pennsylvania and USC, which found that efforts to circumvent password protections are "endemic" in healthcare environments and mostly go unnoticed by hospital IT staff. The report describes what can only be described as wholesale abandonment of security best practices at hospitals and other clinical environments -- with the bad behavior being driven by necessity rather than malice. "In hospital after hospital and clinic after clinic, we find users write down passwords everywhere," the report reads. "Sticky notes form sticky stalagmites on medical devices and in medication preparation rooms. We've observed entire hospital units share a password to a medical device, where the password is taped onto the device. We found emergency room supply rooms with locked doors where the lock code was written on the door -- no one wanted to prevent a clinician from obtaining emergency supplies because they didn't remember the code." Competing priorities of clinical staff and information technology staff bear much of the blame. Specifically: IT staff and management are often focused on regulatory compliance and securing healthcare environments. They are excoriated for lapses in security that result in the theft or loss of data. Clinical staff, on the other hand, are focused on patient care and ensuring good health outcomes, said Ross Koppel, one of the authors of the report, who told The Security Ledger. Those two competing goals often clash. "IT want to be good guys. They're not out to make life miserable for the clinical staff, but they often do," he said.
Just amazing (Score:5, Insightful)
If you forget a password, someone may die right in front of you. You can choose to write that password down and reduce security, or you can take a chance that you'll forget what this month's 12 character combination of at least two upper case, two lower case, 2 numbers, and 2 non-alphanumeric characters is in a pressure situation and the result will be death or injury to a human in your care and, likely, a lawsuit and dismissal.
Until this is fixed, people are going to write down passwords.
It's not just emergencies (Score:2, Informative)
My wife is a practitioner and she constantly complains how when she's with a patient, the system locks her out and demands a password change - which can take several minutes because they have this cloud EMR shit that's hosted across the country and is slower than shit.
Or just having the system time out fast. She's with a patient listening to their health complaints and examining them and then the system times-out and she has to log in again - and go through the obscene obstacle course of a UI to get back
Re: (Score:2)
[...] is slower than shit.
Try eating fiber. No more slow shit.
It is fun to hear people complain about technology.
If there is one thing I have learned, it is that people like to complain and they LOVE to complain about technology.
You could address all of these concerns and the next thing out of the user's mouth will be "the text is hard to read" or "the color scheme hurts my eyes" or any number of other asinine things.
Re: (Score:3)
Try eating fiber. No more slow shit.
It's not about fiber. If you have Netflix, go find "Code Black". It's a documentary about a group of ER doctors, and one of the things that stands out is their move to a "HIPAA compliant" hospital. One of the doctors can be quoted saying something like "if I use the restroom, I want to login. Login Login Login everywhere". Sure, HIPAA keeps patient records safe. But what use is that to the patient if he's dead? I'd rather be alive and have my records slightly less safe than being dead but knowing for sure tha
Re: (Score:2)
Keycard and 4-digit pin combo.
The "security" is getting ridiculous. Especially since when you hear about these data breaches, it all seems to be from the big companies servers, not from a regular joe 6-pack user
Re: (Score:2)
You do realize how these breaches happen right?
Almost every major hack you have heard about has the same vector into the network: users.
Re: (Score:2)
Requiring complicated passwords they need to write down is a failure of security design.
Network security that allows average user access to things they don't need access to is the bigger problem.
If Joe SixPack doesn't have access to the credit card database, his account can't be used to hack it.
Re: (Score:2)
If Joe SixPack doesn't have access to the credit card database, his account can't be used to hack it.
It's never that simple.
An attacker will hack Joe's account because Joe was dumb enough to click a phishing email or download a trojan.
The attacker will own Joe's machine and wait for an account with admin privileges to log on. It could be the Help Desk guys installing patches, or it could be the application account for the enterprise configuration management application. It doesn't matter, as long as it has the privileges.
Since that admin account probably has access to all the workstations on the domain, th
Re: (Score:2)
It is pretty trivial to escalate from standard user to sensitive administrator accounts
And THAT is the fault of the programmers making the software and OSs....
Re: (Score:2)
Would a data breach on a regular Joe 6-pack user's machine be newsworthy enough for us to hear about it?
Re:Just amazing (Score:4, Informative)
Add to this the great volume of doctors, interns, nurses, technicians, assistants, etc. that need access to these understaffed and overly busy places, and that come and go frequently. You arrive at a unit in the hospital and everything is password protected, all the passwords are different, and you need to get into many of them to do your job and help people in various stages of critical need. Nobody has taken the time to tell you what the common passwords are (for getting into locked rooms) or even given you your personal authorization to get at med dispensing machines, because they don't have the 15 minutes needed to do that (they'll get to this a little later when the breathing is stabilized or the pain is addressed). Don't be surprised that security is squarely in the way of getting things done, but make it easier for people to survive and be productive in this kind of environment.
Common Access Card (Score:2, Informative)
If you forget a password, someone may die right in front of you.
I'm surprised that more hospitals haven't implemented CAC:
https://en.wikipedia.org/wiki/Common_Access_Card
You generally need a pass card for most offices now anyway, so allowing it may not be a bad idea. When the work day first begins, you login with BOTH the passcard AND a password, which starts a 4/8/10 hour timer window. Within that window you can SIMPLY use your card to login, but once it passes you have to re-login. This way if the card is lost you still need two-factor.
Basically putting a Kerber
Re: (Score:2)
CAC is the US DoD implementation of smart cards, and any enterprise can deploy smart cards to its users.
Basically putting a Kerberos ticket on the card for single sign-on for a limited time.
That is not at all how smart cards work.
The card contains one or more certificates, and it will perform some pre-defined authentication operations using the private key if presented with the user's PIN.
Successful completion of these operations verifies the owner of the certificate is using the machine. The Subject Alternative Name field on the certificate is linked to the user's Active Directory account.
Re: (Score:2)
If you forget a password, someone may die right in front of you. You can choose to write that password down and reduce security, or you can take a chance that you'll forget what this month's 12 character combination of at least two upper case, two lower case, 2 numbers, and 2 non-alphanumeric characters is in a pressure situation and the result will be death or injury to a human in your care and, likely, a lawsuit and dismissal.
Until this is fixed, people are going to write down passwords.
So instead of liability reform, I vote in favor of removing all door locks and all security from any medical device or hospital. In fact, that whole HIPAA security model has probably cost lives by now, so let's just get rid of that shit too.
That way, all you have to worry about at the end of the day is when the device itself fails, or when the human operator working back-to-back 18-hour shifts makes a mistake.
If you goal is to remove liability from the medical industry, good fucking luck.
Re: (Score:2)
If you forget a password, someone may die right in front of you.
If we didn't connect the damn things to the intertoobz, perhaps a password might not be needed at all.
But the hospital as the proving grounds of the Internet of Things just shows that if you need an easy password to save lives, bad guys can use that easy password to kill people.
Re: (Score:2)
You also have to take into account physical access, not just the interwebz. Drug carts, supply rooms, medical pumps, etc. all need to be protected from the patients that are in the same room/area as they are.
Yeah, someone might remote in and hack the drug cart to open up and dispense lots of morphine to their friend who stealths in on a fake sickness...or the junkie who goes to the ER every other week for a hot meal and a shower figures out how trivial it is to get into the cart with a fixed punch-code or
Re: (Score:2)
Then it's time to
Re:Just amazing (Score:4, Insightful)
Yup. These are things that, by their use, need to be fail safe rather than fail secure. And, yes, they really need to be air-gapped from the internet. But that would be inconvenient to the administrators and developers, so they prefer instead to make it inconvenient to the practitioners.
Re: (Score:3, Insightful)
Yup. These are things that, by their use, need to be fail safe rather than fail secure. And, yes, they really need to be air-gapped from the internet. But that would be inconvenient to the administrators and developers, so they prefer instead to make it inconvenient to the practitioners.
Wrong. I would love nothing more than to completely airgap my systems and establish secondary internet-accessible systems. That would be a huge relief to me as a clinical IT sysadmin. But *THAT* would inconvenience our clinical staff who need to check their personal webmail and google information we should be paying for, so I can't do that. Not to mention, thanks to HIPAA and the need to be able to send electronic billing and receive electronic remittance notices and be ordered to be able to check insur
Re: (Score:2, Insightful)
need to be able to send electronic ..., our systems MUST face the Internet.
Firewall whitelist
Re:Just amazing (Score:5, Interesting)
General Electrics: "Oh, we didn't tell you but we'll need a 24/7 IPSec VPN to this 500,000€ piece of equipment (and all its consoles) you just bought from us."
Me: "What."
General Electrics: "I know your medical imagery dept. is currently airgapped but hey, easy enough to correct, right?"
Me: "Yeah, no, it's not that easy."
General Electrics: "Then I'm afraid you've got a 500,000€ paperweight until you comply with our demands."
That was last year.
Re:Just amazing (Score:5, Funny)
This is great, because I am on the other side of that, possibly building that 500,000€ paperweight right now!
Security: You must provide a way to remotely update your medical devices so they aren't vulnerable to zero-day exploits!
Me: Okay, I will turn on automatic updates.
Regulatory: Wait! Software changes must be tested and approved first. That takes a few months.
Customer: Our regulatory group says the lab must be air gapped.
Everyone: *Head explodes*
Re: (Score:2)
Pencils are very resistant to virus attacks.
Re: (Score:2)
Not to mention, thanks to HIPAA and the need to be able to send electronic billing and receive electronic remittance notices and be ordered to be able to check insurance eligibility, our systems MUST face the Internet.
Next time, have a clue before you open your mouth.
Well then, y'all simply accept that you will be compromised. If doctors have to have password1 as their password because people will die, and if there is absolutely no way that a system can be constructed without the equipment having no choice but to be on the toobz, and at the same time allow password1, then you just sit back and wait for the inevitable.
Sucks to be you, because the fickle finger of damnation is gonna point right at ya. Have you considered a job somewhere else?
Re: (Score:2)
Any hospital gear that is not airgapped should be painted some warning color, with a distinctive logo for the colorblind.
Re: (Score:2, Interesting)
You don't even have to have the entire device itself air gapped from the internet, just its primary functions. Put a separate board in each device that has a NIC in it with a one way interface (only receiving data) to the actual health device (heart monitor, IV, etc). ID/Admin can secure the networked part of it to their hearts content and manufacturers/bean counters/developers/monitors can still have access to the logs but the actual device functions via simple keys, with maybe a simple hospital wide passw
Re:Just amazing (Score:5, Informative)
Yup. These are things that, by their use, need to be fail safe rather than fail secure. And, yes, they really need to be air-gapped from the internet. But that would be inconvenient to the administrators and developers, so they prefer instead to make it inconvenient to the practitioners.
Air gapped systems have their own problems. Embedded and dedicated systems already have a completely dismal record when it comes to getting updated, and disconnecting them from the internet only makes that problem worse. And not just security updates, but functional bugs that actually put patients at (greater) risk. And more and more complex systems have phone home capabilities for remote monitoring and proactive support, capabilities that stop working when you air gap the systems.
Re: (Score:3)
The right question is why these devices need security in the first place. Why are they routable from the Internet?
Because they consume and produce medical information about the patient, which in turn need to be transferred to wherever the patient receives medical attention next, sometimes in a hurry.
The clearest case of this dilemma are the boring terminals used for handling patient records: Full and unhindered access is critical to proper treatment, but they also provide just about the most hefty lump of sensitive personal data you can find.
Re: (Score:2)
The right question is why these devices need security in the first place. Why are they routable from the Internet?
Because they consume and produce medical information about the patient, which in turn need to be transferred to wherever the patient receives medical attention next, sometimes in a hurry.
The clearest case of this dilemma are the boring terminals used for handling patient records: Full and unhindered access is critical to proper treatment, but they also provide just about the most hefty lump of sensitive personal data you can find.
The thing that is strange is that I've built nicely functioning systems with networking that are miles from internet access. I handle the updates via USB, and while it's possible of course to compromise an air gapped network, all of the activity is logged to let me know if anything odd is happening. Then when I need to gather the data, I sneakernet it to the computers that are on the toobz.
And yes, I do realize that if someone really really really wanted to, they could probably get past it. But that is a
Re:Just amazing (Score:4, Informative)
No, the devices need to be connected to a private LAN where they can, in-turn, talk to machines that may also need to talk to the internet.
Re: (Score:2)
Ok, we have someone here who's never paid attention in a hospital. There are life saving computerized machines that doctors and nurses use to keep people alive. Since they are critical, they are passworded, which creates this dilemma. Some of those have manual backups that will work, but not as well, reducing good outcomes. Some just don't because computers are better at stuff than humans. And don't believe the bs on tv where doctors "Improvise" when machines fail and create their own solutions that no one has ev
Doc, you haven't even followed the literature. . . (Score:2)
Because, that biometric and password-protected issue-the-drug-machine you mentioned ? Likely a Pyxis SupplyStation, and ***very*** easily hacked. With a screwdriver. They even discussed it here on Slashdot several months ago. . . [slashdot.org]
Re: (Score:2)
The machine isn't there to prevent all intrusions, such as someone with a screwdriver or prybar. It is there to prevent medications from randomly going missing. I repair the machines at a few local hospitals. Yes, they are more secure than having unlocked cabinets of pills, and as secure as having locked cabinets of pills.
The major purpose of them is the fact that the staff have to log in, identify a patient, verify that the patient has certain medicine prescribed, take that medicine, and confirm quantity.
Re: (Score:2)
It's called Smart Card authentication, and it is vulnerable to most of the same attacks as password-based accounts on Windows domains because the underlying security protocol is the same.
If some random guy walks into the office, he won't be able to use passwords on stick-it notes to get into the systems. So yes, this is a small step in the right direction.
If we're talking about a network compromise, however, the value of Smart Cards is very low. Most attackers will still steal password hashes and Kerberos c
what happens if someone dies (Score:3)
Re:what happens if someone dies (Score:4, Insightful)
It's also a great example of something I've been saying for a while.
IT needs to take much more account of what their users actually need and want. In a hospital, it reaches a really obvious head, because what the users need and want is for their patients not to die, but the same applies across pretty much every company I've worked at bar one. The IT department universally will try to bias things towards security (because that's their mandate) and will want excessive justification for anything at all that a user needs/wants to do.
The result almost always is that users will end up going "fuck IT" and trying to find work arounds (*cough* like putting top secret emails on their own personal mail server *cough*). Seriously, I would bet big money that the only reason that Hillary had emails on her own server was because IT refused to accommodate her needing to access work somewhere other than where they deemed the correct place was.
Re: (Score:3)
It's also a great example of something I've been saying for a while.
IT needs to take much more account of what their users actually need and want. In a hospital, it reaches a really obvious head, because what the users need and want is for their patients not to die, but the same applies across pretty much every company I've worked at bar one. The IT department universally will try to bias things towards security (because that's their mandate) and will want excessive justification for anything at all that a user needs/wants to do.
The result almost always is that users will end up going "fuck IT" and trying to find work arounds (*cough* like putting top secret emails on their own personal mail server *cough*). Seriously, I would bet big money that the only reason that Hillary had emails on her own server was because IT refused to accommodate her needing to access work somewhere other than where they deemed the correct place was.
Anyone doing IT Security long enough knows damn well it's a double-edged sword.
Too much, or not enough, will hurt you. This cuts right to the bottom line these days, and speaks directly to the bean-counters, in the only language they understand.
Re: (Score:2, Insightful)
No. Hillary did it to avoid FOIA.
Re: (Score:2)
IT refused to accommodate her needing to access work somewhere other than where they deemed the correct place was
Those refusals were based on following the law.
Federal laws dictate what constitutes a public record and how they must be retained. Virtually all outbound communications would qualify as public records, and many internal office emails will qualify as well.
Federal laws also dictate how sensitive information is handled. This includes not only classified information, but also any electronic storage of personal information or information designated for official use only.
Sometimes IT may slack off and deny a req
Re: (Score:2)
Part of it is the fact that there are so many independent data points to remember. In theory SSO-type mechanisms would work but in reality there's a different code, password, PIN, and combination for any number of things.
I work outside of the medical field and we've implemented SSO for quite a few things...and there's still a dozen accounts the typical user needs to know and remember. It basically falls under "yeah SSO for everything...but hey here's this new tool/site/app that you need for some other cri
Re: (Score:2)
Meh. It's a trade off issue like everything else.
Clearly there should be no critical, time sensitive, life saving system or device with heavy security. At the same time, make sure that these systems are physically separated from the administrative network.
On the other hand, stuff like research terminals or administrative computer systems can be locked down and require more security. I believe that these are the systems the article is talking about.
This isn't brain surgery here.
Re: (Score:3)
Please explain to the uninitiated how a lawsuit against a hospital makes the nurses magically never forget a password in a stressful situation after days of double shifts with little to no sleep.
Perhaps we can find a way to use this magical solution without the lawsuit unless it's the lawsuit itself that is magical?
It's not just in Healthcare (Score:3, Informative)
Two failure modes (Score:5, Insightful)
Let me remind everyone here that there are always two failure modes of a simple component, type 1 and type 2. A switch can fail open-circuit or short-circuit; a lock can fail locked or open, and a password failure can be either "will let people in who shouldn't be allowed to get in" or "won't let people in who need to get in".
You can alway take one failure rate to zero by making the other failure rate 100%. Reducing the rate of type 1 errors tends to increase the rate of type 2 errors, and vice versa.
Basically, the hospital workers are voting "there are too many errors of the type "can't get in when we need to", and we need a work-around to prevent this."
Comment removed (Score:5, Informative)
Re: (Score:2)
It also required me to train users on posix permissions and how to properly collaborate in a unix-like environment
Are you posting from 1993?
Security that gets in the way doesn't work (Score:5, Insightful)
Security that gets into the way of the worker to the point where it hinders him in his actual work will be circumvented without remorse. Actually, it will be done with the justification of increasing productivity. An example:
Take a security door that MUST be closed all the time for security reasons because something valuable is stored behind that door. Now take a worker that has to haul heavy items through that door. The prescribed flow of operation would be that he unlocks the door, goes through it, locks the door behind him, picks up whatever heavy item he has to haul, puts it down at the door, unlocks the door, opens the door, carries the heavy item through, puts it back down, closes the door, locks the door and then carries the heavy item to its destination.
How many times do you think he'll do this before that door is wedged open?
To him, that door is a nuisance and, worse, it is something that lowers his productivity and, in his opinion because he does not know the other implications, hurts his company. It isn't something he does for personal gain where he'd hurt his company, like checking his Facebook page on company time or watching YouTube videos, something he would at least feel guilty for, it is something he does FOR the company because it means he can work faster.
That is by some margin the worst kind of security infraction because it is done without remorse and with a good justification.
How much more likely is something in a health related area where the justification can well be saving someone's life?
This is why you have to plan your security in such a way that it does not impede the workflow of your workers more than absolutely necessary. Yes, that means you have to actually do your fucking job as a CISO and not just spout some insane and harebrained password requirements that force everyone to write it down 'cause they cannot remember them. You have to find out how to automate security away from your workers. Perfect security isn't one where your workers stumble upon it every single time they want to do something, perfect security is achieved if the worker doesn't even interact with it anymore and hence CANNOT fuck it up, neither deliberately nor accidentally.
The aforementioned door could be made secure without causing your worker additional stress simply by giving him a RFID token and the door opening if it is being scanned. If you want to make theft of the token unlikely, activate it when the worker signs in in the morning (using the RFID token and a pin key, so someone stealing the RFID token would not know the pin) and deactivate it when he leaves. This is trivially possible and if whatever you have to secure is so important, the cost for implementing this are negligible as well.
But you have to do it. Instead of just offloading the burden of security onto your workers.
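The badge-plus-PIN sign-in that opens a limited window, after which the badge alone is enough at the door (the scheme described in this comment and in the earlier "Common Access Card" comment), as an added example that is not part of the thread. The badge UIDs, holders and PINs are constructed; the clock is injectable so the window expiry can be exercised without waiting eight hours.

```go
package main

// Added example, not from the thread: a badge/PIN sign-in that opens a
// time-bounded window during which a badge scan alone opens the door.
// Badge UIDs, holders and PINs below are constructed for illustration.

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

var (
	ErrUnknownBadge = errors.New("unknown or revoked badge")
	ErrBadPIN       = errors.New("PIN incorrect")
	ErrNoSession    = errors.New("no active window: badge and PIN required")
	ErrLockedOut    = errors.New("badge locked after repeated PIN failures")
)

type badge struct {
	holder   string
	pinHash  [32]byte
	failures int
}

type AccessControl struct {
	window   time.Duration
	maxFails int
	badges   map[string]*badge
	expires  map[string]time.Time // badge UID -> end of the active window
	Now      func() time.Time     // injectable clock (tests replace it)
}

func NewAccessControl(window time.Duration, maxFails int) *AccessControl {
	return &AccessControl{window: window, maxFails: maxFails,
		badges: map[string]*badge{}, expires: map[string]time.Time{}, Now: time.Now}
}

// hashPIN: a real deployment would use a slow, salted KDF (PBKDF2/Argon2);
// a single SHA-256 keyed by badge UID is used only to keep this self-contained.
func hashPIN(uid, pin string) [32]byte { return sha256.Sum256([]byte(uid + ":" + pin)) }

func (ac *AccessControl) Enroll(uid, holder, pin string) {
	ac.badges[uid] = &badge{holder: holder, pinHash: hashPIN(uid, pin)}
}

// SignIn is the start-of-shift step: badge plus PIN opens the window.
func (ac *AccessControl) SignIn(uid, pin string) error {
	b, ok := ac.badges[uid]
	if !ok {
		return ErrUnknownBadge
	}
	if b.failures >= ac.maxFails {
		return ErrLockedOut
	}
	h := hashPIN(uid, pin)
	if subtle.ConstantTimeCompare(h[:], b.pinHash[:]) != 1 {
		b.failures++
		return ErrBadPIN
	}
	b.failures = 0
	ac.expires[uid] = ac.Now().Add(ac.window)
	return nil
}

// DoorScan is the in-shift step: badge alone, honoured only inside the window.
func (ac *AccessControl) DoorScan(uid string) (string, error) {
	b, ok := ac.badges[uid]
	if !ok {
		return "", ErrUnknownBadge
	}
	exp, ok := ac.expires[uid]
	if !ok || !ac.Now().Before(exp) {
		delete(ac.expires, uid) // expired windows are dropped, not extended
		return "", ErrNoSession
	}
	return b.holder, nil
}

func (ac *AccessControl) SignOut(uid string) { delete(ac.expires, uid) }

// ReportLost revokes the badge outright: a found badge opens nothing without
// re-enrollment, and a stolen badge alone never passes SignIn.
func (ac *AccessControl) ReportLost(uid string) {
	delete(ac.badges, uid)
	delete(ac.expires, uid)
}

func main() {
	ac := NewAccessControl(8*time.Hour, 3)
	ac.Enroll("BADGE-0042", "R. Nurse", "4821")
	fmt.Println(ac.DoorScan("BADGE-0042")) // no window yet: ErrNoSession
	fmt.Println(ac.SignIn("BADGE-0042", "4821"))
	fmt.Println(ac.DoorScan("BADGE-0042")) // "R. Nurse" <nil>
}
```

The point of the design is that the PIN is entered once per shift, where there is time for it, and the door itself never asks for anything a tired person has to remember; a lost badge is handled by revocation, not by making every scan a two-factor event.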
Re: (Score:2)
Well, I can talk from over 10 years of experience in IT security and in the end, ease of use trumps all.
People are first and foremost concerned with getting their job done (let's assume for a moment that they actually care about their job and don't just want to make the time go by so they can go home). And they will actually try to streamline and improve the way their job is done if they're good. Security will eventually get into their way.
Yes, education does help, as does raising awareness of the implicati
That assumes the IT staff has time. . . (Score:4, Informative)
. . . .to worry about passwords. Both my daughters work at the local hospital, a regional medical center. ~450 beds. 5000+ employees.
IT Shop ? 3 people. They're too busy putting out brush-fires to even THINK about more than out-of-the-box configs. It's to the point that both daughters (one is a ward admin, the other a radiology trainee ) spend about a third of the time as de-facto frontline IT Techs.
I rather suspect it's not an isolated case. . .
Working with DHS components (Score:3)
DHS being the Defense Health Service of the DoD. Someone had the brilliant idea of requiring the use of CACs (ID cards) to log in to terminals used by military medical personnel worldwide. This would satisfy the HIPAA requirements, keep Security happy, make it easy to log who was seeing what, and generally be a Good Thing.
Then it was pointed out that using a CAC for login required a connection to validation servers. And field hospitals in Afghanistan, Iraq, and other places generating lots of patients might not have good connections... Oh, and Navy ships at (and especially under) sea can also lack good connectivity.
Amazingly, the Powers That Be agreed that the Idea, while Good, was not practical, so using the CAC is now recommended rather than required.
Re: (Score:2)
Then it was pointed out that using a CAC for login required a connection to validation servers.
Not continuously.
They could download the CRLs from each certificate authority once a day and distribute them to the authentication servers (Windows domain controllers, most likely).
There are tools to automate this process, and they can be scheduled for off hours and to retry in the event of a network outage.
Obviously, there are grounds for an exception where internet connectivity goes down for days at time, but even then you could configure the system to skip validation. (Skipping validation still means the
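The server side of a certificate-based smart card logon as the thread describes it (card signs a challenge with the key behind the user's certificate, the certificate's SAN is mapped to the account, and revocation is checked against a CRL cached from the CA, with an explicit policy decision for a CRL that is past its NextUpdate because the link has been down). This is an added example, not code from the thread or from any vendor. Simplifications, all assumptions: the "card" is an in-memory ECDSA key, the account is carried in the SAN rfc822Name rather than the Windows UPN otherName, and the CA, user certificate and CRL are constructed in code.

```go
package main

// Added example, not from the thread: a model of smart card logon with a
// cached CRL. The "card" is an in-memory key; the CA, user cert and CRL are
// constructed here. The account link uses the SAN rfc822Name as a stand-in
// for the UPN otherName that Windows uses.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var (
	errStaleCRL = errors.New("cached CRL is past NextUpdate and policy forbids stale CRLs")
	errRevoked  = errors.New("certificate is revoked")
)

// issue builds a self-signed CA and an end-entity cert bound to account.
func issue(account string, t0 time.Time) (*x509.Certificate, *ecdsa.PrivateKey, *x509.Certificate, *ecdsa.PrivateKey, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Hospital Issuing CA (constructed)"},
		NotBefore:    t0, NotAfter: t0.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, nil, err
	}
	caCert, _ := x509.ParseCertificate(caDER)
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	userTmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1001),
		Subject:        pkix.Name{CommonName: account},
		EmailAddresses: []string{account}, // stand-in for the UPN SAN
		NotBefore:      t0, NotAfter: t0.Add(365 * 24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	userDER, err := x509.CreateCertificate(rand.Reader, userTmpl, caCert, &userKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, nil, err
	}
	userCert, _ := x509.ParseCertificate(userDER)
	return caCert, caKey, userCert, userKey, nil
}

// buildCRL is what the daily download would fetch from the CA; it is parsed
// back from DER exactly as a distributed copy would be.
func buildCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked []*big.Int, at time.Time, validity time.Duration) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: at, NextUpdate: at.Add(validity)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: at})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// cardSign models the card after PIN entry: sign the server's nonce.
func cardSign(key *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	d := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, key, d[:])
}

// verifyLogon: chain, CRL (signature, freshness, membership), proof of
// possession, then SAN -> account. allowStaleCRL is the offline-site policy.
func verifyLogon(user, ca *x509.Certificate, crl *x509.RevocationList, nonce, sig []byte, now time.Time, allowStaleCRL bool) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := user.Verify(opts); err != nil {
		return "", fmt.Errorf("chain: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return "", fmt.Errorf("crl signature: %w", err)
	}
	if now.After(crl.NextUpdate) && !allowStaleCRL {
		return "", errStaleCRL
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(user.SerialNumber) == 0 {
			return "", errRevoked
		}
	}
	pub, ok := user.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", errors.New("unsupported key type")
	}
	d := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(pub, d[:], sig) {
		return "", errors.New("nonce signature invalid: card does not hold the key")
	}
	if len(user.EmailAddresses) == 0 {
		return "", errors.New("certificate carries no account SAN")
	}
	return user.EmailAddresses[0], nil
}

func main() {
	t0 := time.Date(2016, 7, 1, 8, 0, 0, 0, time.UTC)
	ca, caKey, uc, uk, err := issue("jdoe@hospital.example", t0)
	if err != nil {
		panic(err)
	}
	crl, _ := buildCRL(ca, caKey, nil, t0, 24*time.Hour)
	nonce := []byte("server-nonce-0001")
	sig, _ := cardSign(uk, nonce)
	fmt.Println(verifyLogon(uc, ca, crl, nonce, sig, t0.Add(time.Hour), false))
	fmt.Println(verifyLogon(uc, ca, crl, nonce, sig, t0.Add(48*time.Hour), false))
}
```

The `allowStaleCRL` flag is the one deliberate knob: a field site that has been cut off for days can choose to keep logging people in on a CRL that is past its NextUpdate, and the cost of that choice is exactly what the comment says, that a revocation issued since the last successful download is not seen.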
Re: (Score:2)
at the VA they disable new USB devices on the computers as a security measure
Disabling USB ports is stupid.
A lot of crap gets spread on USB drives, so I'm not surprised if those are locked down.
if you remove your login card the computer locks
This prevents unauthorized people from accessing unattended computers. This is the same reason that the computer locks if you don't use it for 10-15 minutes.
Locking user sessions is basic security, and if you don't understand that then I'm not surprised if no one listens to your complaints.
so they bought a second card reader for EVERY computer at the VA so that the admin card can be used when needed.. that's some fucked up waste
Smart card readers are around $20, so it's trivial compared to the cost of the computer (or even compare
Wrong way to write down passwords (Score:4, Interesting)
There is a right way and a wrong way to do this. In my experience, all the hospitals do it the wrong way - which is to write down the actual password.
The correct way to do it is simple, write down a password that is systematically wrong.
If the password is 845, write down 734.
If the password is EmerC@rE, write down eMERc2Re, or perhaps R,rV#tR (check your keyboard).
simple cryptography works fine.
Re: (Score:2)
There is a right way and a wrong way to do this. In my experience, all the hospitals do it the wrong way - which is to write down the actual password.
The correct way to do it is simple, write down a password that is systematically wrong.
If the password is 845, write down 734. If the password is EmerC@rE, write down eMERc2Re, or perhaps R,rV#tR (check your keyboard).
simple cryptography works fine.
A corollary would be to have two passwords stored in the system, the real one and the memory jogger. If someone enters the memory jogger you know an intrusion may have been attempted and can lock the system and warn the user the next time they log on.
Re:Wrong way to write down passwords (Score:4, Insightful)
There is a right way and a wrong way to do this. In my experience, all the hospitals do it the wrong way - which is to write down the actual password.
The correct way to do it is simple, write down a password that is systematically wrong.
If the password is 845, write down 734. If the password is EmerC@rE, write down eMERc2Re, or perhaps R,rV#tR (check your keyboard).
simple cryptography works fine.
Holy SHIT do you overestimate the average human's ability to understand even simple obscurity models.
Feel free to provide examples of where this has actually worked for people outside of IT.
Re: (Score:2)
In my experience, all the hospitals do it the wrong way - which is to write down the actual password. The correct way to do it is simple, write down a password that is systematically wrong. If the password is 845, write down 734.
If the password is EmerC@rE, write down eMERc2Re, or perhaps R,rV#tR (check your keyboard). simple cryptography works fine.
Sure, great idea. That way you'll have two post-it notes stuck on the monitor:
* "password is 734
* "add 1 to each digit to get real password"
What actual threat model do you imagine anyway? Which danger model is more likely? (1) That a clinician forgets a password or the password sticky note convention and so care is delayed by several hours while it gets restored? (2) Or a new clinician comes to the shift and doesn't know the convention and care is delayed? (3) Or an electronic attacker tries to get into the
Re: (Score:2)
There is a right way and a wrong way to do this. In my experience, all the hospitals do it the wrong way - which is to write down the actual password.
The correct way to do it is simple: write down a password that is systematically wrong.
If the password is 845, write down 734. If the password is EmerC@rE, write down eMERc2Re, or perhaps R,rV#tR (check your keyboard).
Simple cryptography works fine.
Except that many of the people who are writing it down are the people who have issues getting it correct even when it is written down correctly, mostly older doctors and staff. The rest are people who have so many passwords for so many systems that are used so seldom that they can't remember them. This would include what their system of cryptography is, too. Add in that many of these systems are vendor controlled and they all have different constraints on how passwords can be created so that any such syste
Re: (Score:2)
They won't remember that method.
Comment removed (Score:5, Insightful)
Re: (Score:2)
+1, Wish I had mod points.
Passwords in general have been obsolete for years, but not replaced. Password policies have made this worse. I have 4 different passwords and a chip card at work alone (WTF?). Dozens of websites want passwords, many of which I only need to access monthly or yearly. Many have policies that get in the way of good password practices (many have very short character limits, which is stupid beyond belief). So I readily admit I reuse the same burner password and login for many low im
Re: (Score:2)
IT security and policies should support the mission of the organization - not the other way around.
This is a useless generalization.
Since most businesses do not want their trade secrets or contract information stolen, they need IT security.
Since most businesses are obliged to protect personal information or other sensitive information, they need IT security.
The value of various protections should determine how much they spend to implement security, and the potential for lost productivity should determine how much is spent on streamlining procedures and deploying enterprise tools. Most of those assessment
Go ahead (Score:2)
Go ahead...
Re: (Score:2)
They should just repla
Re: (Score:3)
There is no rationale for this. Just more of the clouded thinking that we now have to live with.
It's going to be a rough ride when the IoT gets going, with how weak its "security" is.
Imagine when "everything" is on a network, with little to no thought about security...
Apply security where it makes sense (Score:4, Funny)
There are some places where security just isn't needed. Where I work we are having discussions kinda like this:
Security team: All new products must support two-factor authentication!
Development: On the juke box??
Re: (Score:2)
It doesn't matter. If you added 2-factor authentication to the juke box, nobody would buy it because it would be too hard to use. Which, I suppose, solves the security problem nicely!
"They" are not stupid (Score:2)
" and mostly go unnoticed by hospital IT staff."
and mostly go willfully unnoticed by hospital IT staff.
Fixed that for you.
Though it is more correct to say "hospital IT staff turn a blind eye to the practice".
I'm facing a similar problem... (Score:2)
I'm the Admin for a High-Tech factory. While we do use some very dangerous chemicals, those are pretty well restricted using physical means. However, on the factory floor itself, the company has historically used shared passwords for most of the manufacturing tools themselves. While this doesn't currently pose much of a safety threat, it does make tracking "who did what" basically impossible. Additionally, we were recently acquired by a Public company, and due to SOX, the whole "shared password" thing i
Re: (Score:2)
The use of RFID tags would work, but then you have the issue of potential theft of said tag.
The theft problem is diminished if the tags are used for facility access control. 'Lose' your tag and you've got to stop by security for a new one (and have the old one deactivated). Actual theft by miscreants attempting unauthorized access has been handled in an innovative way in at least one place. Tags gone missing are 'deactivated' but still work to open one door in a man trap. Then the holder is stuck, having to explain himself to (armed) security. Not willing to go that far? You can still get a photo
Endemic? Endemic? (Score:2)
Endemic? Endemic? Don't you mean "nosocomial"?
Really? (Score:4, Informative)
"Hospitals are pretty hygienic places -- except when it comes to passwords, it seems. "
Hardly. Bad hygiene in hospitals kills over 100,000 people a year in the US alone.
http://abcnews.go.com/GMA/stor... [go.com]
Re: (Score:2)
And the reason is? (Score:2)
Pressure to perform QUICKLY, ALL THE TIME, on every 16 hour shift.
New Password Post-IT (TM) (Score:2)
One company has announced the new product line called Password PostIts, specifically for this misuse.
These are just as easy to use.
1. Write the password down on the Post-It.
2. Peel off.
3. Stick in a convenient location, preferably visible to human traffic.
4. Sell them by the gajillions.
5. Profit!
What makes them unique is they are non-stick postIts. Other than being lime green, they really don't stay on for very long.
I run Linux on my computer (Score:2)
The IT staff felt I was competent enough to be given Admin access to my machine. So I shrank the Windows partition and installed Debian in the empty space. Works great! I can do my work just as well on Debian as I can in Windows
Comment removed (Score:4, Insightful)
Re: (Score:2)
Pretty much this. I was vocal about it at work, ignored, and just go with it now. I'm the same: I have a million different usernames and passwords for various systems I have access to. There has been some improvement in the last couple of years, where we've managed to consolidate some systems into the same environment where we can share usernames/passwords, but for the most part it is still the same. Then every year some new systems are added to the pile, each with its own username and passwords... Ideally
Re: (Score:2)
Hospitals are cheap (Score:2)
They don't invest the money to make things work smoothly in their IT service, it just has to work. The last hospital I worked for had no central authentication service. You had over a dozen passwords, they all needed to be changed at different times, and all had different requirements.
Some of the better systems I've seen had a PIN number tied to your longer password. The PIN was only good for your shift and you had to change it on your next shift. It resisted brute force by locking out after so many attempt
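The shift-scoped PIN the comment above describes, as an added example (not the commenter's system or any vendor's product): the user proves the long password once at the start of a shift to set a short numeric PIN, the PIN expires after one shift, and repeated wrong guesses lock it until the long password is presented again. The shift length, lockout threshold, user names and passwords are constructed for the demo, and the clock is injected so the expiry can be exercised.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict

SHIFT_SECONDS = 12 * 3600   # constructed: a PIN lives for one shift
MAX_FAILURES = 5            # constructed: lock the PIN after this many wrong guesses
PBKDF2_ITERATIONS = 100_000


def _hash(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; a short PIN still gets a real KDF, not a plain hash."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class PinRecord:
    salt: bytes
    pin_hash: bytes
    expires_at: float
    failures: int = 0
    locked: bool = False


class ShiftPinService:
    """Short PIN bound to a long password, valid for one shift, with lockout."""

    def __init__(self, verify_password: Callable[[str, str], bool], now: Callable[[], float]) -> None:
        self._verify_password = verify_password  # the existing long-password check
        self._now = now                          # injected clock (time.time in production)
        self._pins: Dict[str, PinRecord] = {}

    def start_shift(self, user: str, long_password: str, pin: str) -> bool:
        """Set this shift's PIN; requires the long password once. Replaces any locked PIN."""
        if not self._verify_password(user, long_password):
            return False
        if not (pin.isdigit() and 4 <= len(pin) <= 8):
            raise ValueError("PIN must be 4 to 8 digits")
        salt = os.urandom(16)
        self._pins[user] = PinRecord(salt, _hash(pin, salt), self._now() + SHIFT_SECONDS)
        return True

    def check_pin(self, user: str, pin: str) -> str:
        """Return 'ok', 'fail', 'locked', 'expired' or 'no_pin'."""
        rec = self._pins.get(user)
        if rec is None:
            return "no_pin"
        if self._now() >= rec.expires_at:
            del self._pins[user]          # shift is over: the PIN is gone, not just rejected
            return "expired"
        if rec.locked:
            return "locked"
        if hmac.compare_digest(_hash(pin, rec.salt), rec.pin_hash):
            rec.failures = 0
            return "ok"
        rec.failures += 1
        if rec.failures >= MAX_FAILURES:
            rec.locked = True             # back to the long password to set a new PIN
            return "locked"
        return "fail"


if __name__ == "__main__":
    import time
    users = {"dr_lee": "Long-Memorable-Passphrase-42"}   # constructed demo directory
    svc = ShiftPinService(lambda u, p: users.get(u) == p, time.time)
    print(svc.start_shift("dr_lee", users["dr_lee"], "4821"))   # True
    print(svc.check_pin("dr_lee", "4821"))                        # ok
    print(svc.check_pin("dr_lee", "0000"))                        # fail
```

The long password is only typed at shift start, so the thing a clinician keys in under pressure is four digits, while the guessing budget against those four digits is capped by the lockout and the PIN stops working when the shift ends.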
All this techtalk misses the point (Score:2)
The end-user is rarely schooled in ANYTHING IT-related. Keyboards are an obstacle. Mice are an obstacle. Add bureaucracy to this and you have very frustrated users who are not going to take kindly to passwords or any other additional obstacle.
Last time I saw a doctor he was forced to "code" the X-Ray I was about to get in one of about fifty different codes made necessary by the accounting system. He couldn't see the extended explanations on the page because the data elements had been squished together. Obvi
Blame Washington (Score:2)
Clarification of title (Score:2)
The password misuse isn't by medical staff. It's IT that is abusing standard password policies that aren't designed for man-rated procedures.
Expiration (Score:2)
Based on my [very long] experience watching people deal with this in the real word....
The #1 reason passwords are written down is because of stupid, backwards, unnecessary expiration rules. It is an insane practice that somehow became "best practices" when it should have been declared "WORST practices" decades ago. When your perfectly good and memorized password expires every X days, you are going to either start writing it down, or make it insanely weak (or duplicated with other systems) so it can be rem
It's not just security that's the problem (Score:2)
Doctors: I know it's old fashioned, but my paper records worked fine, why do we have to change?
Consultants/Politicians: Ha, ha, that's adorable. Now sign here to get your e-records database for $500k.
Doctors: Do I have to?
Consultants/Politicians: Do you like jail?
Doctors: Okay
Consultants/Politicians: Welcome to the future! Now, you and your staff just have to take this one week cour
hey who leaked it? (Score:2)
Re: (Score:2)
Sounds more like a broken system. Why shouldn't a doctor be able to verbally tell a nurse something and have them enter the data? An RN is required to know a lot about meds; they are supposed to be the last line of defence to catch screwups. The system would be better if they use their own credentials and select what doc they are doing it for. Do you really think a doctor is getting out a prescription pad in the ER? No, they tell a nurse, who does it and charts it.
Oh yeah, idiocy around the drug war.
Re: (Score:2)
Biometrics in a hospital setting are hard: lots of gloves, lots of issues with sterilization. Contactless is pretty easy; the problem is you have umpteen vendors that do not work with it. It's a case where you need something like HIPAA or similar to require it vs. a nebulous "you should follow good standards" to get all the suppliers working with a standard.
Re:Researchers Ignore Real World Concerns Yet Agai (Score:5, Interesting)
Implant all the staff with chips. The kind they use for pets.
Then they can log on by head-butting the computer.
Re: (Score:2)
They actually work rather well for my pets; the cat flap uses them. Would need more security than just a serial number though.
Re: (Score:2)
Do they have to handle the card to place it in the reader, or can they just bump against it? There are hygiene concerns here.
My suggestion was a bit facetious, but there are more practical hands free methods.
Re: (Score:2)
Fine, but if there are half a dozen systems that someone needs to use, each with a different login, and each with different password requirements, and each requires changing the password every month, that becomes a non-trivial problem.
"OK, this is the one where I have to use a password with at least ten characters, including two numbers, a capital letter, a symbol, and no actual words - is it W34@wqaszn? No? Maybe that was last month?"
Re: (Score:2)
See, hospitals are full of squishy biology stuff, some of it really bad, some of it really vital, so when there is a real crisis and you need that information more urgently than ever, your hands may well be covered in any combination of gloves, bodily fluids, and medicinal gunk.
Re: (Score:2)
Click to the actual article. Click to the link to the actual study. Check out the properties on the PDF. It was created in 2014.
Time for a new study.
To tell us what? That users in 2016 still tape their fucking passwords everywhere in plain sight?
Pull a study from 20 years ago and tell me if it's any fucking different than the one you're complaining about from 2 years ago. Humans have not changed regardless of the threat landscape. Anyone doing this long enough knows this has been a systemic problem since passwords were invented.