Study slams hospitals for lax use of passwords

New research is raising serious questions about the cybersecurity practices of hospitals. 

The study, conducted by Ross Koppel of the University of Pennsylvania, found that sticky notes with passwords were prevalent in hospitals; that employees shared passwords; that keypad-protected doors to medical supply rooms often had passwords written on them; and that clinicians left computers logged on as a courtesy to whoever needed to use them next.


Those practices could lead to unauthorized access to patient records, treatment plans, facilities and drugs.

The study added that while hospital staff recognize the danger of lax security, their systems may be too cumbersome to use in a timely enough fashion to save patient lives. 

“The problem is the workers humans who build, use, and maintain the systems — often Chief Information or Technology Officers (CIOs/CTOs), Chief Medical Informatics Officers (CMIOs), sometimes cybersecurity experts, and often just IT personnel — did not sufficiently consider the actual clinical workflow,” the report said.

The study also identified problematic aspects of the workflow for doctors.

“At a large city hospital, death certificates require the doctor’s digital thumbprint. However, only one of the doctors has thumbs that can be read by the digital reader,” said the study. “Consequently, only that one doctor signs all of the death certificates, no matter whose patient the deceased was.”

Weak security at hospitals has a plethora of legal implications, including for compliance with federal regulations. The security problems could also facilitate identity theft.

A 2014 Health and Human Services report found that federal testing standards were too lax on important issues like password complexity and training.