
Obfuscate, My Log In, Mate!

Healthcare Password Survey


I conducted a small survey last month. It's been quite revealing; the results aren't a surprise, but the scale of some of the biases revealed is. I'd love to redo this properly - countrywide - though I doubt that there would be that much of a difference.

Total responses were 207. Here is the breakdown - 

Do you use at least one username and password to access systems at your work?


Yes: 202 (96.7%)
No: 5 (2.4%)

The vast majority of healthcare workers obviously need access to computer systems as part of their jobs. Everything is becoming electronic, or is already (or should be!). 


Number of Username-Password combinations?


1: 10 (4.8%)
2-4: 87 (41.6%)
5-7: 59 (28.2%)
8-10: 23 (11%)
Over 10: 20 (9.6%)

This is an interesting result - 48.8% of respondents have 5 or more username-password combinations to remember and almost 20% have 8 or more! That's a lot of combinations to remember, even for one person. Extrapolated over the entire NHS, that's tens of thousands of people having to remember masses of username-password combinations.

Why is this the case? It's simple; there are multiple systems within institutions, from multiple sources, that do not communicate with one another. Integration engines are a big thing in the NHS. 

Do your username and/or passwords have to be in specific formats?

E.g. a password that must be 6 characters long with at least one letter, one uppercase letter and one number.

Yes: 190 (90.9%)
No: 12 (5.7%)

The surprise here is that 12 people don't have to have specifically formatted credentials. Formatted credentials don't make your password particularly safe though. They do make them harder to remember. One can understand why formatting like this was invented - to make it harder for other people to guess/work out your password. In times when it's much more likely that a computer will be used to brute force a password this makes little sense though. I defer to XKCD for a most elegant explanation. 
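To put numbers on the brute-force point, the following added example (not part of the original post) counts how many passwords the 6-character rule quoted above actually allows and compares that with a random four-word passphrase. It assumes an alphabet of letters and digits only, reads the rule literally as "at least one uppercase letter and one number" (which already implies one letter), and assumes the passphrase words are drawn uniformly from a 2048-word list.

```python
import math
from itertools import combinations

# Assumed alphabet: lowercase, uppercase and digits, no punctuation.
CLASSES = {"lower": 26, "upper": 26, "digit": 10}


def keyspace(length, required=()):
    """Count strings of `length` over CLASSES that contain at least one
    character from every class named in `required`."""
    alphabet = sum(CLASSES.values())
    total = 0
    # Inclusion-exclusion over the sets of required classes that are absent.
    for k in range(len(required) + 1):
        for absent in combinations(required, k):
            remaining = alphabet - sum(CLASSES[c] for c in absent)
            total += (-1) ** k * remaining ** length
    return total


def bits(n):
    """Size of a search space expressed in bits."""
    return math.log2(n)


def compare():
    """Search-space sizes for the three schemes being compared."""
    return {
        "6 chars, no rule": keyspace(6),
        "6 chars, upper + digit rule": keyspace(6, required=("upper", "digit")),
        # Assumed parameters: 4 words, each chosen uniformly from 2048 words.
        "4 random words": 2048 ** 4,
    }


if __name__ == "__main__":
    for name, size in compare().items():
        print(f"{name:28s} {size:>20,d}  {bits(size):5.1f} bits")
```

The composition rule removes candidates rather than adding them, so an exhaustive search has fewer 6-character strings to try with the rule than without it, while the passphrase space is about 500 times larger than either.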




Do your passwords have expiry dates?

Yes: 192 (91.9%)
No: 10 (4.8%)

Expiry dates are important because if you have difficult-to-remember passwords (because of the format requirements) that also need to be changed from time to time, you are far more likely to forget your password. This is common sense, but then one could argue that changing passwords regularly for security is too.

The Playing Field

The data so far has established that the vast majority of respondents have multiple passwords that must be reset periodically and which have specific format requirements. Without venturing any further, one might like to consider the potential implications of such a system. What pitfalls might such systems present to an individual user, and what implications might that have for ease (or not) of access, for security and for patient care?

Have you ever had trouble getting access to a system you needed because of a username or password problem?

Yes: 186 (89%)
No: 16 (7.7%)

Have you ever had problems resetting your password?

Yes: 154 (73.7%)
No: 48 (23%)

It should come as no surprise that many respondents have had difficulties accessing systems because of the previously mentioned set-up. What is more concerning is the proportion - almost 90%. This wouldn't be an issue, however, if approximately three quarters of respondents hadn't had problems resetting their passwords. With so many passwords with rules to remember, one could anticipate that there would be password loss/forgetting, and in light of this the reset process should be easy. Resetting passwords for most online services is relatively painless, so why not in healthcare?

Have you ever had problems remembering your password specifically because you have so many different usernames and passwords to remember?

Yes: 185 (88.5%)
No: 17 (8.1%)

I include this for completeness as I've alluded to it already; it's the logical conclusion. This is a staggering proportion and illustrates a huge part of the problem without need for elaboration. 

There are too many username-password combinations to remember. 

The intention is to increase security. However...

Have you ever recorded your passwords in order to not forget them?

Yes: 151 (72.2%)
No: 51 (24.4%)

Recording your passwords arguably makes the systems less secure. Where are they being stored? There are several "password locker" apps out there for smartphones, such as LastPass and Keeper, but I didn't ask where people were storing their passwords. If it's anywhere but a locker app, like in a notebook or a diary, it most certainly is less secure.

Have you ever used someone else's login because you needed access?

Yes: 109 (52.2%)
No: 93 (44.5%)

This is the most surprising result in the entire survey. Using another person's login, or giving someone else your login details/allowing them to use your login, is against most institutions' policies and is likely a disciplinary offence. The survey was completely anonymous though, and part of the reason was to get open responses like this.

Sharing login details is another breach of security protocols too. People must need to do it. If this were for less crucial information that doesn't affect patients' safety it would be unacceptable, but most clinicians will be able to imagine situations where patient safety is at the forefront of consideration, and failed logins appear like barriers to that.

Have you ever felt that a login failure had the potential to impact negatively on patient care?








Here is the proof of my previous conjecture. The majority of respondents felt that login failure had the potential to adversely affect patient care. There are any number of reasons this may be so - no access to results, prescribing, ordering tests, etc. 

This is the takeaway message of this entire survey though - 

A system that requires multiple passwords with different formatting rules and expiry dates is potentially unsafe at best and dangerous at worst. 


Other Access

To round things off I asked about logins for work related websites or services that respondents might need access to. With people already having difficulties with the number of work passwords it's no surprise to see those difficulties extend outside.


Do you have logins for work related websites or services?




Do you ever have difficulty remembering your logins/difficulties logging in to work related websites and services?
































