Healthcare workers choose efficiency over password security


In an era of increased anxiety over the security of healthcare data, hospitals don’t guard passwords nearly as closely as they should, according to a new study from the University of Pennsylvania.

Despite the sensitive information housed in hospital systems, researchers, led by Ross Koppel, found that hospital employees often write passwords on sticky notes and keypad-protected doors, share passwords, and use computers without logging out to make things more convenient for whoever uses them next. Not only do such workarounds typically go unpunished, they’re rarely acknowledged at all, according to the report.

While hospital workers understand the importance of data security, it often isn’t practical to go through the full security process in a setting where time may make the difference between life and death. However, some also believe that lack of data security adversely affects innovation within healthcare.

Moreover, while heavier security ensures data is better protected, it can significantly disrupt a hospital's workflow. “At a large city hospital, death certificates require the doctor’s digital thumbprint. However, only one of the doctors has thumbs that can be read by the digital reader,” the study authors note. “Consequently, only that one doctor signs all of the death certificates, no matter whose patient the deceased was.”

Many of these issues come down to fundamentally different, often contradictory goals between hospitals’ clinical and information technology staff.

“IT want to be good guys” Koppel told Security Ledger. "They’re not out to make life miserable for the clinical staff, but they often do."

To learn more:
- here’s the study (.pdf)
- read the letter