
Study Finds Healthcare Workers Frequently Circumvent Computer Security Controls

June 30, 2016
by Heather Landi

A university study has found that medical workers, nurses and physicians frequently work around cybersecurity controls in healthcare settings, leaving healthcare organizations vulnerable to cyberattacks and data breaches. Yet, the study finds, clinicians do so because information security systems were often developed without sufficiently considering clinical workflow and health IT usability.

Computer science professors and research scientists from Dartmouth College, the University of Pennsylvania and the University of Southern California conducted the study to understand workarounds to healthcare workers’ computer access, according to the research paper. The researchers conducted interviews and observations with hundreds of medical workers and with 19 cybersecurity experts, CIOs, chief medical informatics officers (CMIOs), chief technology officers (CTOs) and IT workers to obtain their perceptions of computer security. The researchers also shadowed clinicians as they worked.

According to the study, the researchers found that “workarounds to cybersecurity are the norm, rather than the exception,” and that the fact such workarounds go unnoticed or, in some cases, are even tolerated “allows healthcare organizations to continue to deploy security that doesn’t work.”

“We present dozens of ways workers ingeniously circumvent security rules. The clinicians we studied were not ‘black hat’ hackers, but just professionals seeking to accomplish their work despite the security technologies and regulations,” the research authors wrote.

“The problem,” the researchers wrote in the paper, “is the workers who build, use and maintain the systems—often chief information or technology officers (CIOs/CTOs), chief medical informatics officers (CMIOs), sometimes cybersecurity experts, and often just IT personnel—did not sufficiently consider the actual clinical workflow.”

“For example, the bolus of passwords, each with specific requirements and time limits, are seen as an annoyance, not as a patient safety effort. Equally important, circumvention of cybersecurity is seldom examined by those concerned with workflow, health IT usability, barriers to teamwork, thought-flow or user frustration. Cybersecurity and permission management problems are hidden from management, and fall in the purview of computer scientists, engineers and IT personnel.”

The research authors examined security control practices in healthcare such as authentication (specifically password-based authentication), de-authentication (such as ending a user’s computer session when the user walks away), permission management, and what they refer to as shadow systems and shadow notes: records that clinicians keep in parallel to the health IT system for information that, in their judgment, does not need to be in the formal system. The authors then examined how these traditional security practices conflict with the workflow of healthcare delivery organizations.

According to the study, during the authors’ interviews and observations, they noted that clinicians circumvent password authentication and share passwords in order to efficiently access the same patients’ charts. In their observations, the research authors noted the widespread practice of writing down passwords, specifically noting “entire hospital units share a password to a medical device, where the password is taped onto the device.”

The authors also noted that strong password requirements, such as routine password expiry, do not yield better security in a healthcare setting, because clinicians and nurses need to get in and out of health IT systems quickly. As another example, a physician might do rounds at a hospital only monthly, and password expiration intervals would then require that physician to obtain a new password each time he or she worked at that hospital.

The researchers also noted that both automatic de-authentication and the absence of automatic de-authentication can be burdensome for healthcare workers, depending on their particular workflow.

In one example, the researchers noted that a clinician complained that a clinic’s dictation system had a five-minute timeout, after which the physician had to re-authenticate with a password, which takes one minute. “During a 14-hour day, the clinician estimated he spent almost 1.5 hours merely logging in.”

In another example of how healthcare workers circumvent cybersecurity protocols, the researchers interviewed nurses in pre-op who physically move patients to the OR, which is two minutes away. In order to accurately record the OR transfer time into the electronic medical record (EMR), “nurses leave themselves logged in but turn the monitor off, and then come back to the pre-op afterward and record the OR transfer time.”

According to the researchers, for healthcare delivery organization leaders to understand circumventions of cybersecurity, their investigations must go beyond analyzing computer rules and computer-generated access logs; they should also examine how clinicians and physicians actually work, which may require interviews, focus groups and direct observation.
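To make the researchers’ point about logs concrete, here is an added example (not code from the study or from any EMR vendor) that screens a small access log for two of the workaround patterns described above: one credential active on two workstations at once, which is what a shared password looks like, and a session left logged in with no activity, which is what a switched-off monitor looks like. The log format, the user names and the workstation names are all constructed for the example.

```python
"""Added example: screen an EMR access log for shared-credential and
left-logged-in patterns.  The log format ("timestamp,user,workstation,event")
and every name in SAMPLE_LOG are constructed for this illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log.  rn_jones logs in at a pre-op workstation, then a
# second login appears for the same account at an OR workstation while the
# pre-op session is still open; the pre-op session then sits idle for ~1 hour.
SAMPLE_LOG = """\
2016-06-01T07:00:00,rn_jones,preop-ws1,login
2016-06-01T07:04:00,rn_jones,preop-ws1,chart_view
2016-06-01T07:05:00,rn_jones,or-ws3,login
2016-06-01T07:06:00,rn_jones,or-ws3,chart_view
2016-06-01T07:20:00,rn_jones,or-ws3,logout
2016-06-01T08:00:00,rn_jones,preop-ws1,chart_edit
2016-06-01T08:01:00,rn_jones,preop-ws1,logout
2016-06-01T09:00:00,dr_patel,clinic-ws2,login
2016-06-01T09:02:00,dr_patel,clinic-ws2,chart_view
2016-06-01T09:30:00,dr_patel,clinic-ws2,logout
"""


def parse_log(text):
    """Parse the constructed CSV-style log into event dicts sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ws, ev = line.split(",")
        events.append({"t": datetime.fromisoformat(ts), "user": user,
                       "ws": ws, "event": ev})
    events.sort(key=lambda e: e["t"])
    return events


def build_sessions(events):
    """Group events into (user, workstation) sessions from login to logout.
    A session that never logs out is kept with end=None (still open)."""
    sessions, open_sessions = [], {}
    for e in events:
        key = (e["user"], e["ws"])
        if e["event"] == "login":
            s = {"user": e["user"], "ws": e["ws"], "start": e["t"],
                 "end": None, "times": [e["t"]]}
            open_sessions[key] = s
            sessions.append(s)
            continue
        s = open_sessions.get(key)
        if s is None:
            continue  # activity with no matching login; out of scope here
        s["times"].append(e["t"])
        if e["event"] == "logout":
            s["end"] = e["t"]
            del open_sessions[key]
    return sessions


def find_concurrent_sessions(sessions):
    """Return (user, ws_a, ws_b) for one credential active on two different
    workstations at the same time.  A shared password produces this; so does a
    nurse who leaves herself logged in and logs in again elsewhere.  The log
    alone cannot distinguish the two."""
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s["user"]].append(s)
    hits = []
    for user, sess in by_user.items():
        for i in range(len(sess)):
            for j in range(i + 1, len(sess)):
                a, b = sess[i], sess[j]
                if a["ws"] == b["ws"]:
                    continue
                a_end = a["end"] or datetime.max  # open session: still active
                b_end = b["end"] or datetime.max
                if a["start"] < b_end and b["start"] < a_end:
                    hits.append((user, a["ws"], b["ws"]))
    return hits


def find_idle_sessions(sessions, idle=timedelta(minutes=30)):
    """Return (user, ws, longest_gap) for sessions with a gap of at least
    `idle` between consecutive events: logged in, but nobody at the keyboard."""
    hits = []
    for s in sessions:
        ts = s["times"]
        longest = max((b - a for a, b in zip(ts, ts[1:])),
                      default=timedelta(0))
        if longest >= idle:
            hits.append((s["user"], s["ws"], longest))
    return hits


if __name__ == "__main__":
    sessions = build_sessions(parse_log(SAMPLE_LOG))
    for hit in find_concurrent_sessions(sessions):
        print("concurrent sessions for one credential:", hit)
    for hit in find_idle_sessions(sessions):
        print("idle session left logged in:", hit)
```

Run against the sample, the screen flags rn_jones for a concurrent OR/pre-op session and for a 56-minute idle pre-op session. That is exactly the pre-op-to-OR pattern the nurses described, not a breach, and it would look the same in the log as a colleague using a taped-up password. Deciding which it is, and whether the fix is a faster re-authentication path rather than a stricter timeout, requires the interviews and shadowing the authors recommend, which is the limitation of log-only investigation the paragraph above describes.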

The research authors conclude that security controls must be addressed in concert with sociological and workflow issues. “In addition, there is a continual dance between cyber security engineers and the clinicians who seek to treat patients; where clinicians view cyber security as an annoyance rather than as an essential part of patient safety and organization mission,” the authors wrote.
