On one level, the information I’m about to share here will strike many Healthcare Informatics readers as amusing, even risible. After all, you are the people leading your patient care organizations forward into the digitally facilitated future of healthcare, helping to create the IT infrastructures to support health information exchanges (HIEs), accountable care organizations (ACOs), bundled-payment contracting, patient-centered medical homes, value-based purchasing, and population health. Your days are filled with meetings and conference calls focused on high-level strategic planning and execution—as they should be. And you’ve got whole cadres of highly trained professionals focused on privacy and security, end-user usability, network management, application management, and of course, electronic health record (EHR) and other core clinical-IT management.
And yet, and yet… I continue to be taken aback at the reality of an Achilles’ heel issue in healthcare IT, one that remains stubbornly present, and that is around the simple user login, particularly in the manifestation of the use of incredibly lame passwords on the part of end-users in patient care organizations. In January, SplashData, a Los Gatos, Calif.-based information security solutions and services provider, released its list of the “Worst Passwords of 2013”—and be prepared to groan. Here you go:
You can view the entire list here. Trust me, the next 15 aren’t any more “ingenious” than the top 10…!
As the company noted, “SplashData’s top 25 list was compiled from files containing millions of stolen passwords posted online during the previous year. The company advises consumers or businesses using any of the passwords on the list to change them immediately.” Well, yes.
What’s more, as Laura Joszt noted in a column for the online publication Physician’s Money Digest, also in January, “Stories like the recent Target credit card breach serve as strong reminders of how easy it can be for our personal, business or financial information to be hacked. For physicians, a security breach can be an even larger issue because of patient data. And yet,” she added, “we never learn when it comes to creating passwords.”
So here’s the thing: doctors—and other clinicians—are all very, very smart people. They’re not dumb, and no one thinks they are. But doctors, nurses, pharmacists, and other clinicians are also incredibly busy, hassled people, and even more importantly, they’re people who have to deal with multiple passwords in multiple settings, many, many times a day. Physicians in particular are challenged by the current clinical environment, in which they may be required to master many (and I do mean many) user names and passwords every day, as they move from their office practices to hospitals, to imaging centers, to surgery centers, to nursing homes, across multiple mobile settings, and so on.
So is it any wonder that some physicians might take the super-easy way out and resort to passwords like “123456,” “password,” and “abc123”? No, really, it’s not. But that’s where the inherent challenge is for IT professionals—finding ways to optimize the log-in problem for physicians and other clinicians. And that optimization effort will inevitably require educational and support processes that create understanding of and buy-in to IT security principles and practices on the part of all of your clinicians.
I know that many patient care organizations have CIOs, CMIOs, CTOs, and other healthcare IT leaders striving mightily to work out good solutions to this problem, one that may seem first-day-of-kindergarten-simple. Yet the reality is that very “elementary” issues like this one are ones that can undermine the best-laid plans at the highest strategic levels.
So even as everyone rushes ahead to develop leading-edge strategies and implement those strategies, the reality is that extremely basic issues will continue to dog all patient care organizations going forward. And helping your physicians out so that they’re no longer tempted to employ passwords like “password” and “abc123” is going to be one of them, alas. So this is one of those “castles in the air, feet on the ground” situations—with CIOs and other healthcare IT leaders having to stay grounded in practical reality even as they move forward strategically. So are some of your doctors still using “password” as a password? Yes—probably more than you might think are doing so. And the time to do something about that is now.