The password problem: Solve it and make your systems more secure
August 26, 2015
David Ting was sitting in the doctors’ lounge of a hospital in the Midwest U.S. when he noticed a man cursing at a computer station, pounding the keys with obvious frustration. Ting, co-founder and CTO of healthcare IT security company Imprivata, asked what the problem was.
The irate computer-user turned out to be a specialist who consulted at half a dozen area hospitals. For each hospital, he had a different user ID and password – too many to remember. Since the doctors’ lounge was relatively secure, he’d simply written his password on the wall near the station.
“Then,” he told Ting, “the unthinkable happened.” The lounge had been redecorated and the decorators had repainted over the specialist’s password.
What makes passwords effective – complexity and frequent change – also makes them hard to remember. That spawns workarounds like Post-it notes, scraps of paper pinned to cubicle walls, even passwords written in felt-tip marker on the bezels of computer monitors (one reason, Ting says, that monitors are now predominantly black rather than beige).
Vince Ranieri, technical infrastructure manager with Mackenzie Health – formerly York Central Hospital, just north of Toronto – can talk about password perils from experience. The hospital had a culture of shared passwords and sticky notes, but with more clinical systems and new technology coming online, the hospital revved up its security. Each system, clinical or financial, required a different login, passwords of different complexity and different expiry times.
“When individual user accounts were introduced along with user logins to different applications, this caused a 50 percent increase in support calls (daytime and after hours) due to staff forgetting passwords,” Ranieri says. Users were frustrated, session timeouts hampered productivity, and reporting and audit processes became inefficient.
Doctors may have to access five to seven systems in a single patient cycle, says Ting. It’s tedious, and worse, it’s time spent that has nothing to do with treating the patient. But beyond tedium and frustration, a password security regime can have other consequences.
“Privacy is at the heart of maintaining and securing patient information,” Ting says. Relying on “group memory” or written-down passwords creates a major risk of exposure to hackers. There’s also the risk of phishing attacks, whether online or by phone, that can prompt users to give away their passwords. In enterprise simulations, 15 to 25 percent of users can be convinced to cough up the information.
“Passwords are basically anachronisms,” Ting says – there are much more effective and efficient ways to secure systems.
Biometric devices like fingerprint or iris scanners, near-field communications (NFC) chips and facilities cards are particularly effective. RSA tokens – devices created by a division of EMC Corp. – offer two-factor authentication. Two-factor authentication involves a combination of something the user has – in this case, a token that generates a password dependent on the time of day and area of access – and something the user knows, a personal identification number. Combining the two creates a unique access code for every time the user tries to get into the system.
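As an added illustration, not Imprivata’s or RSA’s code, the following Python model shows how the two factors described above combine: a tokencode derived from the time of day (something the user has) is appended to a PIN (something the user knows), and the server checks both, tolerating a little clock drift and refusing a replayed code. It uses the open TOTP standard (RFC 6238) rather than RSA’s proprietary algorithm; the secret, PIN, 60-second step and timestamps are constructed for the demo.

```python
import hashlib
import hmac
import struct

TIME_STEP = 60          # seconds per tokencode (assumption: SecurID-style cadence)
DIGITS = 6              # length of the tokencode
PIN_LEN = 4             # length of the user's PIN
DRIFT_STEPS = 1         # accept one time step of clock skew either side

# Constructed shared seed for the demo; a real token holds a per-device seed.
TOKEN_SECRET = b"constructed-demo-seed-not-a-real-key"


def tokencode(secret: bytes, unix_time: int) -> str:
    """The 'something you have' half: HMAC-SHA1 over the current time counter."""
    counter = struct.pack(">Q", unix_time // TIME_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def passcode(pin: str, secret: bytes, unix_time: int) -> str:
    """What the user types: PIN (something known) followed by the tokencode."""
    return pin + tokencode(secret, unix_time)


def hash_pin(pin: str) -> bytes:
    """The server stores a hash of the PIN, never the PIN itself (demo: SHA-256)."""
    return hashlib.sha256(pin.encode()).digest()


class Verifier:
    """Server side: PIN hash must match, tokencode must be current, no replays."""

    def __init__(self, secret: bytes, pin_hash: bytes):
        self.secret, self.pin_hash = secret, pin_hash
        self.last_counter = -1          # highest time counter already accepted

    def verify(self, entered: str, unix_time: int) -> bool:
        if len(entered) != PIN_LEN + DIGITS or not entered.isdigit():
            return False
        pin, code = entered[:PIN_LEN], entered[PIN_LEN:]
        # Constant-time comparisons so a wrong guess does not leak via timing.
        pin_ok = hmac.compare_digest(hash_pin(pin), self.pin_hash)
        now = unix_time // TIME_STEP
        for counter in range(now - DRIFT_STEPS, now + DRIFT_STEPS + 1):
            expected = tokencode(self.secret, counter * TIME_STEP)
            if hmac.compare_digest(expected, code) and pin_ok and counter > self.last_counter:
                self.last_counter = counter     # each tokencode is usable once
                return True
        return False
```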
Ting says that with the ubiquity of mobile devices, wearable security technology is evolving, and beaconing technology, which detects and communicates with mobile devices, can provide “geofencing” security: only approved devices within range of the system are granted access.
In 2006, Mackenzie Health introduced Imprivata OneSign to enable single sign-on (SSO). SSO provides a persistent login, verified by a biometric device (in Mackenzie’s case, a fingerprint reader) or a network password, that gives access to any application without having to log in again.
“Imprivata was chosen at the time because it was an easy system to implement, along with a great interface to profile applications for SSO with minimal programming skills required,” Ranieri says. “It also provided advanced features that are integral in assisting with SSO compliance.”
Patient information in hospitals, long-term care (LTC) centres and clinics is always at risk if a user leaves a device unattended while still logged in. In the worst-case scenario, anyone can come by, peer through records and even make changes, if they so desire. And in subsequent audits, that activity will be attributed to the absent user.
Some users may walk away from a monitor without logging out so they won’t have to spend time logging back in.
Imprivata has produced a nice solution to this problem. With its Tap and Go technology, users log into one computer with their access badges and a four-digit PIN. If the user moves to another device in the hospital, he simply taps the desktop, and the current state of the original computer moves to the new screen. Users must re-enter their PIN every eight hours.
Mackenzie Health will be implementing Tap and Go in November. “This saves valuable time as staff don’t need to wait for their profiles to load, nor do they have to log into each application again and pull up the correct patient information,” says Ranieri. In this way, clinicians spend less time on authentication and more time on patient care.