Authentication for the ridiculously rushed

“Code Blue! Code Blue!”  A call goes out to the local nurse’s station.

While the Code Blue Team is paged, a nurse is instantly through the door and a choreographed dance of ordered chaos ensues as the first responders run through the steps of the immediate action procedures and then give way to the specialist team when they arrive. These highly trained professionals work in tandem where seconds count in the fight to save your life. Emergency situations aside, the average physician sees approximately 19 patients per day and each one may involve logging in to and entering information into one to five systems.

There are many industries where people routinely work at a pace that barely offers time to breathe. This article applies to many industries, but I am going to use hospitals for my example as most of us have been in one (or at least seen one on TV).

Physicians need quick and complete access to appropriate medical information about you to do their job, and they need that same kind of information about the person in the next room and the room after that. As they diagnose each person they need to put that information into your Electronic Medical Record. When they find an interesting case that might help other physicians, they may ask your permission to collect some of that data to be used in a research study, and that information may need to be entered into a new system.

Physicians and nurses are constantly moving from room to room and from computer to computer, entering information into different systems all day. This information – your personal medical information – is highly sensitive and can be valuable to the bad guys. The privacy and security of personally identifiable medical information is considered very important and such data is highly regulated in the U.S. and many other countries across the globe. Medical professional in the U.S. are held to privacy and security standards by the Health Insurance Portability and Accessibility Act (HIPAA).

[ Security Challenges of Electronic Medical Records ]

So we as security professionals need to understand the conflicting business needs here: The need for rapid and easy access to information for the Medical Care personnel is in potential opposition to the administrative needs of the clinic or hospital to ensure the security and privacy of that information in compliance with federal regulation. We need to find solutions that meet both of those needs.

Traditionally the security needs have trumped the ease of access needs when systems are being designed. Systems are typically designed to require each person to log in when they arrive in the room. This takes time; if medical doctors have to do this every time they walk into a room, it takes away a large proportion of their day. The solution developed by medical professionals to get around this problem often revolves around having a person log onto every computer and never log out, allowing other people use the computer throughout the day. This is a violation of how most attorneys interpret the HIPPA requirements {§ 164.308(a)(5)(ii)(C) requires audit trails}, but people do it anyway. Regardless of how a system is designed, practical needs almost always trump the well-meaning security and privacy requirements.

The primary issue leading to this behavior is that this form of security is not convenient; it takes time they do not have. They can either enter passwords or they can have time at the end of the day to see a few more patients.

But just because it has been that way does not mean it needs to remain that way.  Enter modern authentication options:

These days we can help solve this by introducing systems that allow for virtually instant access. Among other options, there are near-field communication devices, cards that people can wear on their belts and simply tap to a sensor to be automatically logged in. The system could further be designed to automatically look up the record of the person in that room, allowing the physician to log in and have access to the relevant data in the time that it takes him or her to walk into the room and say hello. 

Such approaches overturn the objection that it takes too long to use the system properly: every person could reasonably log in with their own credentials. This would put the privacy nightmare of never knowing who is accessing information in the system behind us. 

[ Is health care security in intensive care? ]

Some people argue that this is less secure because the only thing needed for someone to gain access to the system is to steal that badge. I argue that the same is true about a password. We all know that there are a million very successful ways to steal passwords. But unlike a password, such a badge cannot be used from across the globe (if the system is properly designed and configured). Someone has to physically visit your facility with the stolen badge in order to steal information. Yes, it can still happen, but you have reduced the total number of people who can compromise your system from the nefarious fraction of 7,200,000,000 people down to the nefarious fraction of whoever happens to be in your city or town.

There are a lot of new capabilities in the world. We need to be rethinking our old approaches, putting traditional solutions on the table for discussion and trying to use methods to solve the deeper business and operational problems. We need to be thinking about how we can solve these problems on behalf of our clients and building toward world with more automatic and Convenient Security.

Copyright © 2015 IDG Communications, Inc.

8 pitfalls that undermine security program success