John D. Halamka, MD and CIO of Beth Israel Deaconess Medical Center (BIDMC), published two recent blog posts detailing some unintended results of frequently changing passwords and some examples of where healthcare IT has missed the boat on other industries’ innovation.
In his post yesterday, Halamka gathered feedback from CIO peers on how often they prefer to change passwords. While most security experts said that 90 days is a good password expiration limit, some CIOs said their organizations change passwords at intervals of three, 4.5, six, or nine months. This led Halamka to ask whether changing passwords actually makes data more secure and whether users care about these frequent changes. Creating new passwords frequently may lessen short-term risk, but it can lead to employees writing them down on paper and exposing them to other healthcare staff.
And Halamka offered this scenario to illustrate some of the user challenges associated with changing passwords:
- You change your password via a desktop application
- Your iPhone and iPad try to sync email before you can change the password on them
- Your account is locked out for 20 minutes
- You try to change your password on your mobile devices, but you cannot because of the lockout
- You call the IS help desk and they remove the account lock, but you spend two hours trying to change the password on all your mobile devices before the account is locked again, calling the help desk several times.
I’m sure there is an ideal way to do this, i.e., turn off all cellular and network connections on your mobile devices and change your password via a desktop application. Then, change them on your mobile devices before re-enabling wireless network connections.
In today’s post, Halamka discussed technologies and practices that healthcare has not yet taken full advantage of, but that have proven useful in other settings:
Application security testing - Vendor applications, including those with FDA 510(k) approval, may have security vulnerabilities. Testing third-party products with source code analysis tools can find defects that are missed by traditional vulnerability scanning software. Related to application testing is third-party vendor management. Testing and verifying the security of cloud-hosted service providers and business associates is becoming a best practice.
Data Loss Prevention (DLP) - Although many healthcare organizations have strict policies on the use of email, social networking, cloud storage, remote access, and mobile devices, it’s increasingly important to have technology in place that enforces policies, preventing users from violating policy by sending data to non-secured locations, e.g., sending patient information to a referring clinician who uses Gmail. Many vendors offer appliances that quarantine, notify, restrict, and manage the flow of email containing person identified information/protected healthcare information. Related to DLP is a strategy to prevent use of unencrypted storage devices, such as thumb drives, DVDs, and CDs.
Adaptive authentication - Critical applications, including email, enterprise resource planning, and clinical applications deserve increased authentication rigor. For example, if a user is not typically outside the US and suddenly logs in from an unexpected location, then the user should be challenged with an additional factor. Approaches could include a secret question or a one-time PIN code sent to a known cell phone. Such applications can also perform a risk analysis of authentication events to detect anomalies, including authentication events using compromised accounts and suspect IP addresses.
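As an added illustration of the adaptive authentication approach above (example code, not from Halamka's post or BIDMC), the block below scores each login against the user's usual countries, a suspect-address list, and recent failed attempts, and uses the score to allow, step up to a second factor, or block. The user baseline, the suspect network, the thresholds, and the log line format are all constructed for this example.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed baseline: countries each user normally authenticates from.
USER_BASELINE: Dict[str, Set[str]] = {"dr.smith": {"US"}, "nurse.lee": {"US", "CA"}}
# Constructed stand-in for a feed of suspect addresses (RFC 5737 documentation range).
SUSPECT_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

CHALLENGE_AT = 40  # score at which a second factor is demanded
BLOCK_AT = 80      # score at which the login is refused and flagged for review


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'timestamp key=value ...' authentication log line."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def risk_score(ev: Dict[str, str]) -> Tuple[int, List[str]]:
    """Add a weight per anomaly signal and record the reason for the help desk / SOC."""
    score, reasons = 0, []
    known = USER_BASELINE.get(ev["user"])
    if known is None:
        score += 40; reasons.append("no baseline for user")
    elif ev["country"] not in known:
        score += 50; reasons.append(f"unexpected country {ev['country']}")
    if any(ipaddress.ip_address(ev["ip"]) in net for net in SUSPECT_NETWORKS):
        score += 50; reasons.append("source IP on suspect list")
    if int(ev.get("fail", "0")) >= 5:  # a burst of failures hints at a guessed password
        score += 30; reasons.append("burst of failed attempts")
    return score, reasons


def decide(line: str) -> Tuple[str, int, List[str]]:
    """Return ('allow' | 'challenge' | 'block', score, reasons) for one log line."""
    score, reasons = risk_score(parse_event(line))
    if score >= BLOCK_AT:
        return "block", score, reasons
    if score >= CHALLENGE_AT:
        return "challenge", score, reasons  # e.g. one-time PIN to the known phone
    return "allow", score, reasons


# Constructed sample events: a normal login, the same user suddenly abroad,
# and a login from a suspect address after repeated failures.
SAMPLE_LOG = [
    "2013-04-02T08:15:00 user=dr.smith ip=203.0.113.7 country=US fail=0",
    "2013-04-02T08:16:10 user=dr.smith ip=192.0.2.44 country=BR fail=0",
    "2013-04-02T08:17:30 user=nurse.lee ip=198.51.100.9 country=CA fail=6",
]
```

Calling `decide()` on each `SAMPLE_LOG` entry yields allow, challenge, and block respectively; the reasons list is what a help desk would see when the user calls about the extra prompt.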
This list underscores the comments Dr. Farzad Mostashari, National Coordinator for Health Information Technology, made in last week’s Tiger Team meeting: the gap between consumer technology and healthcare IT shouldn’t be as wide as it is. These are a few approaches that could improve health IT security and make it more efficient, but they are only the tip of the iceberg when it comes to the need for healthcare innovation.