Security Dilemma: Healthcare Clinicians at Work

IEEE Security & Privacy, 2011
Living with Insecurity

While healthcare organizations strive to increase control of network access, clinicians need unencumbered access to data. Clinicians make unconscious decisions daily to comply with security measures or to live with a certain level of insecurity to get their job done.

Rosa R. Heckle, MITRE

COPUBLISHED BY THE IEEE COMPUTER AND RELIABILITY SOCIETIES 1540-7993/11/$26.00 © 2011 IEEE NOVEMBER/DECEMBER 2011

In a crowded conference room, a group of system engineers, hospital clinicians, and various staff sat intently listening to a team of vendors extol the virtues of their single sign-on (SSO) technology. Each vendor promised to deliver an authentication system that would improve usability for multiple system users, increase compliance with policies and government mandates, and help curb maintenance costs. From a technical perspective, the technology was a good fit for the infrastructure and the purpose at hand. From a management perspective, it fit the security requirements and organizational policies.

However, the clinicians weren't so sure. They were reflecting on the last implementation to enhance security: an electronic medication administration record (MAR) system that used bar coding. Each hospital patient received a bar-coded identification bracelet. When administering medications, the protocol was for nurses to scan a patient's bracelet and then scan the medication being administered. However, on occasion, nurses had problems scanning the bracelet or the medication label. As a workaround, the nurses placed a copy of the patient's bar code on their clipboard. In tight times or when they had difficulty scanning a bracelet, they simply scanned the bar code from the clipboard rather than the bracelet. This let them continue working without wasting time, but it bypassed the security mechanism.

As this scenario shows, a clinical environment poses many implementation challenges that aren't apparent in other industries.1,2 The organizational structure, culture, and critical work make individual accountability crucial. Although technology has become an important piece of a clinician's toolset, it's not the focus of his or her mindset. This is particularly true for security systems. Though the Health Insurance Portability and Accountability Act (HIPAA) mandates strict data security, a patient's well-being might depend on quick and easy access to information.3 Clinicians understand the importance of security, but it plays second string to convenience. On a daily basis, they decide between doing what is necessary to comply with a security measure or living with a certain level of insecurity to get the job done. The unanticipated consequences of these decisions can lead to suboptimal outcomes.

To address this issue, some research strongly recommends taking a holistic sociotechnical perspective in security system design.4 This is not a new idea, but exactly what does it mean? A 15-month ethnographic field study I conducted of an SSO system implementation at a regional hospital sheds some light on the issue. Although my study focused on developing a deeper understanding of the technical design and implementation issues of an SSO mechanism, it also provided a firsthand view of how modern healthcare work is performed in an environment in which the clinicians must navigate between adhering to security protocols and quick accessibility.

Network-Level Authentication

Recent government regulations are pressuring healthcare organizations to increase IT usage and governance programs and to demonstrate adequate security audit processes. Current SSO technologies have emerged as an effective means of addressing authentication challenges—a critical component of IT governance. As its name implies, single sign-on lets users log in to a network once and then navigate through the range of their authorized applications seamlessly, without needing to reenter their credentials for each application. Before SSO, logging onto the network was done in one of two ways:

• everyone used a generic ID, or
• the first person to turn the computer on used his or her individual ID to log on to the network; once the network was up, users would authenticate to the specific application they were accessing if it required authentication.

With SSO, authentication control is on the network level. Users first log on to the network with their unique individual ID, then all the SSO-enabled applications for which the user has access rights are available without further authentication.

The organization I studied subscribed to the belief that implementing SSO would improve security by reducing authentication complexity for end users and password management for the management information system (MIS). Moreover, it saw the implementation as a simple back-end technology change that would appear seamless to users. The staff was already accustomed to authentication for access to applications; a move to SSO would seem to add no new burdens to their daily routine.

SSO Case Study Design

I studied the entire SSO system development life cycle over the 15-month period, from analysis (including vendor selection) through implementation. My primary data collection techniques were ethnographically informed—participant observation, contextual interviews, meetings, and document review. These methods let me capture the interplay between formal and informal systems.5 The strength of observation is the ability to discover discrepancies between what participants say (and often believe) should happen and what actually does happen. The observer can also differentiate between formal work practices (what policy requires) and informal or routine work practice (what actually happens to complete a task).

I spent a large portion of my time with the MIS team in meetings for requirements, design, training and enrollment, and implementation. Over the course of the project, my role shifted from observer to participant observer during the enrollment and actual rollout. Being a participant observer let me delve deeper into the user and development experiences. For example, because the staff thought I was an MIS employee (rather than a researcher), they often expressed complaints about the SSO transition directly to me—if they were unhappy (and many of them were), they let me know!

This organization was a general hospital (GH). It ranked slightly higher than the mean of all hospitals in its geographic region and throughout the US according to the American Hospital Association's standard measurement criteria of number of beds, discharges, and inpatient days. GH's technology use was rated "moderate."

SSO Case Study Observations

The study focused on the implementation environment, system users, and issues that emerged during the project's execution.

Policies and Programs

The CIO's directive at the project's start was that everyone would "authenticate to the network with a unique individual identification" and that SSO could deliver the functionality for it. From the MIS team's perspective, implementing SSO would have a positive effect on the organization and its ability to improve security and meet regulatory compliance, particularly for auditing. In this case, the team accepted the vendor's technology design "as is," expecting to implement it with minimal adjustments.

Policies and compliance programs are an important part of GH's environment. The organization deems confidentiality of information to be critical and holds individuals accountable for compliance as it relates to their responsibilities. It maintains a comprehensive corporate compliance program, code of ethics, and procedures to ensure individual compliance. For example, each GH system user signs annual appropriate use and confidentiality of information agreements. GH's Information Security Program Policy states, "In accordance with HIPAA compliance requirements, the hospital provides each computer system user with a unique 'user identity,' and system users are not permitted to share and/or disclose their user identity." This stance is reiterated in the HIPAA training module, which clinicians must complete before they're allowed to work at GH: "Do not leave yourself signed on to a computer and then walk away without signing off. You are responsible for any activity that occurs under your user identity.… Compliance with the law is a core value of [GH] and a serious responsibility of all personnel." The policy also states that the organization will audit, monitor, and build internal reviews into daily activities to ensure compliance.

GH clinicians understand the need for patient privacy and the importance of complying with security measures. They also know the ramifications of not following policy. (During interviews, several of them referred to a nurse who was let go for inappropriate data access.) Furthermore, they used authentication as part of their daily routine to access patient data, medical supplies, medication, and myriad other things.

In short, management and the MIS team thought the organization was well poised to implement the technology. The clinicians, however, were sending mixed signals.

The Reality of the Environment

These mixed signals stemmed from a disconnect between policy and clinical work practices. "The easiest way for clinicians to work is probably not quite the way policy says it is working," said one nurse educator. "The nurses' first and foremost task is their patients' care. That is what's on their minds."

The complex environment creates novel circumstances with each passing moment, and reality doesn't always support strong compliance, education programs, or clinicians' good intentions. Clinicians' work is nomadic, interrupted, and very busy. They're constantly in motion. The end of a clinician's workday isn't delineated by the passage of time, but by the completion of any and all tasks regarding the patients for whom he or she is accountable.

In addition, the computer has become an essential tool in everyday clinical tasks, so when the technology breaks or slows down (the battery dies, the system locks up, the scanner doesn't work, a password is incorrect or has expired), it can be a great hindrance. In spite of technology difficulties, the clinicians are resourceful in keeping tasks on track. They create workarounds to facilitate their jobs.

An example is the workaround developed for the MAR bar-coding system. Sporadically, the scanners couldn't read bar codes on the circular surfaces of medicine vials or patients' wristbands. As one nurse admitted, "We're supposed to go and get the patient a new arm band, but when it's really busy here, forget that." This attitude wasn't due to insubordination, but to policies that were ill defined for the work environment. Compliance constraints sometimes have little logical connection to the actual work.

Haphazard Security

Cognizant of the potential insecurities in their environment, the clinicians practiced haphazard security. For example, physical security controls in clinical areas were limited. Computers were out in the open for any staff member to use, so authentication was critical. However, as a workaround to constantly authenticating and then logging off, only to re-authenticate again a few minutes later, the nursing staff would use more physical controls. For example, many nurses would lower their computer screens (so the content could not easily be viewed) before walking away rather than logging off. To secure the computers on wheels (COWs), they would place personal items on them, such as sweaters or large signs with their names on them. The assumption was that any staff member would know not to use a computer that was in use. Nurses would bring the COWs with them to the nurses' lounge or squeeze them as best they could into wherever they went.

When asked if they were concerned about someone other than staff reading patient data that was left up on the screen when they walked away, they said, "Someone would really have to know what they were looking for, for them to understand what's on here," and, "You would have to be real familiar how to work Meditech to be able to understand anything." Another stated, "No one can really read what's on here unless they come up real close to [the computer]."

Clinicians also scribbled passwords on hidden pieces of paper. Several said they tried to keep the same password for all the access controls they would need to authenticate to, but found it difficult because each one expired at a different time. In addition, when they could, they reverted to methods that didn't require security. For example, staff members had to report their time each week and could do this by phone or an online application. Many clinicians said they did it by phone because it was easier: "We don't need a password for it if we do it over the phone."

In this professionally structured organization, professional ethics and etiquette provided the authoritative voice that guided behaviors. Physicians aren't as concerned about security with respect to patient privacy because they feel that patients are already protected and practitioners are already committed to protecting patient confidentiality.6 It wasn't unusual to see one physician leave an application open for another physician. It was done as a professional courtesy.

Introducing SSO Technology

The clinicians did what they needed to get their work done, addressing security in their own way. From their perspective, they were vigilant and requiring them to use SSO was intrusive. With SSO, it was imperative that users log off; failure to do so would create auditing vulnerabilities. Clinicians were aware of the unstable nature of their environment—it was difficult to adhere to the logging-off policy at all times. They became concerned about their privacy as clinicians, with access rights to patient data and, in the case of supervisors, to personnel data. They began asking for exclusion from the implementation. Resistance was so strong that the MIS team had to stop the implementation and address the issues before moving forward in the clinical areas.

The original implementation schedule reflected the MIS team's perspective of SSO as a quick transfer from one authentication mechanism to another. They planned to complete the implementation throughout the organization in six months. However, this schedule changed as the complexities of the implementation began to unfold. The organization discovered that it needed to account for the instability of the environment before an effective implementation could take place.

Recognizing and Understanding Behavior

The organization had gathered system requirements for security needs, technical infrastructure needs, and usability; however, it was human behavior that was causing problems. While the MIS was relying on organizational policies to guide behavior, the tension between current behavior and policy requirements was continually played out in the workplace. Departmental tours revealed discrepancies that, once acknowledged and documented, could be addressed. For example, the MIS team created the Ctrl+Alt+L function key to let nurses log off in one keystroke while saving their work.

Aligning Mental Models

The shift from application- to network-level authentication was a paradigm shift that users had to understand—not in terms of logging on, but in terms of logging off. With SSO, exiting the application doesn't log the user off the network; it just exits the application. Consistent logoff behavior was critical to SSO's success, but it wasn't presented as such during the implementation or training. The users' mental model of the system didn't match the way it actually worked, yet accurate mental models of a system are important to completing a task correctly.7

During the drop-in training session, at least 60 percent of the individuals got up to leave without logging off the network. One person offered her workstation to the next person waiting, saying, "You can use this one; it's already logged on." Recognizing this problem, the MIS team explained SSO and its implications in more detail in subsequent training and enrollment sessions. By stressing the importance of logging off, they increased users' understanding of the ramifications of not logging off. This, however, was followed by complaints and requests from various clinical departments to be excluded from the implementation.

Performing the Pilot Study

The resistance voiced in training reaffirmed the clinicians' uneasiness with the implementation in their environment. The MIS team therefore decided to implement a pilot project in one clinical area to discover the pain points and address them before a full-scale implementation. The pilot let the team observe the use in situ, including workarounds and unintended consequences. They saw the interaction of the technology with the users' work practices and informal behaviors and were able to address some problems immediately. For example, they implemented the Ctrl+Alt+L function key on the COWs to ensure quick logoff, as the nurses requested. However, they didn't implement the function on the special-purpose computers in the nurses' station. They understood these computers to be for monitoring only and not for general use. In reality, the nurses would use them as they needed them. Because the Ctrl+Alt+L wasn't configured on the special-purpose computers, nurses who thought they were logging off using the Ctrl+Alt+L key actually remained logged on the network. Once the MIS team observed this behavior, they could decide to enforce the policy that reserved the special-purpose computers for monitoring or to adjust to the informal practice and place the function on these computers also.

Trust is a big part of any security program,8 and an undertone of mistrust existed in the clinician's relation to MIS personnel and management. By being present during the pilot rollout, the MIS team appeased users who vented their opinions about the organization being mistrustful and overbearing. Their presence also reduced frustration and the time any individual spent in trying to transition to SSO. In essence, the pilot provided a staged transition that reduced the clinicians' anxiety and set a tone of understanding, cooperation, and trust.

Managing Insecurity

From the observations, we can see that absolute security isn't possible in the GH environment and an effective security outcome requires managing the insecurities.

System Design Implications

GH viewed the SSO implementation as a win-win for both the users and the organization, but the mismatch between the formal work policies and protocols and the realities of routine clinical work requires the MIS team to act as broker in security implementation. They're taking top-down organizational policies and working through the technology to make them a reality in the work environment.

However, they're caught in a conundrum: are they to design the SSO system to correspond to organizational policy or to fit with the actual work practices? Understanding the tension created by this mismatch requires reflecting not only on the tasks, activities, and workflow that occur in the cultural framework and social context but also on the practices and reasoning that emerge when the technology is used in a particular setting.9 This interaction or behavior must be observed and documented to inform system design.

Even if the requirements and behaviors are captured appropriately, a user's understanding of how the system works must reflect how it actually works. If not, vulnerabilities or unintended consequences arise, as they did here in relation to SSO authentication. Comprehensive understanding of the total security environment was key.

In most system implementations, it's impossible to fully predict user behavior prior to the actual implementation, so it's important to have a mitigation plan. Users create security system workarounds in an effort to be more efficient. As this case study showed, what users say they do and what they actually do can be very different. In addition, replicating a user's environment to test for security compliance is difficult.10 It's also difficult to make the value proposition clear to users in a forged environment. In this case study, a pilot implementation with physical oversight was effective in viewing actual behavior in the contextual situations, causal relations, and unforeseen and unintended consequences as they emerged. From the pilot observations, the MIS team modified the system to more successfully incorporate informal work behaviors while maintaining the system's intended purpose.

Organizational Implications

In the GH setting, the SSO mechanism's failure to function as intended indicated a problem with imposition of the mechanism, not with the staff's compliance. In choosing SSO, the organization took a technological deterministic view of the implementation without considering the unique characteristics of the clinical departments. In clinical areas, management must accept that staff can't always follow policy 100 percent, and systems can't be 100 percent secure for quality multipatient care.

Technology's increased pervasiveness in daily work routines creates a challenge for the clinician as well as the organization. Formal and informal work practices in relation to computer usage vary widely and aren't compatible from one environment to the next. Organizations must first stabilize discrepancies between policy and practice. This doesn't necessarily mean forcibly aligning the two, but rather acknowledging a misalignment and addressing it. The idea that technology always solves the problem is a misconception, particularly with security implementations, which often create more problems than they're trying to solve. Sometimes we need to learn to live with insecurity and simply manage the risks. Managing a certain level of insecurity within the environmental constraints can be more effective than deploying expensive or invasive security mechanisms.

Though government mandates for greater security might seem to help improve patient privacy, they can, in fact, present unachievable constraints. In the GH case study, SSO was part of a larger risk management program, one goal of which was to better meet regulatory compliance standards for auditing. However, in this environment, if SSO isn't used properly, whether intentionally or unintentionally due to contextual circumstances, it can compromise the ability to determine the actual user. The computer can be uniquely identified by the IP address, and the individual logged on to the network can be uniquely identified, but the person actually using the computer might not be the person logged on to the network. Although policies can address this problem, the work environment is such that policies aren't always followed.

But is there a legal standard that must be reached, and does this model meet it? If you can't prove who actually accessed a particular record to any legal standard, will it meet regulatory compliance? If it can't meet regulatory compliance, is it worth the effort and cost to implement? On the other hand, if the purpose is to show due diligence on the organization's part in providing improved auditing control, then perhaps it will meet that objective, but at what cost?

This study provides lessons relevant to other complex system implementations. Technology users have become adept at living with insecurity, doing what they must do to get their work done, even if it means circumventing security. This suggests that we need to become more comfortable with uncertainty and ambiguity while refocusing the strategy to identify and manage risk rather than locking down the environment.

Acknowledgments

The author's affiliation with Mitre is provided for identification purposes only, and is not intended to convey or imply Mitre's concurrence with, or support for, the positions, opinions, or viewpoints expressed by the author.

References

1. K.K. Kim and J.E. Michelman, "An Examination of Factors for the Strategic Use of Information Systems in the Healthcare Industry," MIS Q., vol. 14, no. 2, 1990, pp. 201–215.
2. J.S. Ash and D.W. Bates, "Factors and Forces Affecting EHR System Adoption: Report of a 2004 ACMI Discussion," J. Am. Medical Informatics Assoc., vol. 12, no. 1, 2005, pp. 8–12.
3. R. Rada, Privacy and Health, 3rd ed., HIPPA-IT, 2005.
4. L. Yngström, "A Holistic Approach to IT Security," Information Security—The Next Decade, J.H.P. Eloff and S.H. von Solms, eds., Chapman & Hall, 1996.
5. M.Q. Patton, Qualitative Evaluation and Research Methods, Sage, 1990.
6. J.K. Slutsman et al., "Health Information, the HIPAA Privacy Rule, and Health Care: What Do Physicians Think?," Health Affairs, vol. 24, no. 3, 2005, p. 832.
7. D. Norman, The Design of Everyday Things, Doubleday/Currency, 1988.
8. A. Jøsang et al., "Trust Requirements in Identity Management," Proc. Australasian Workshop Grid Computing and e-Research (ACSW Frontiers 05), Australasian Computer Soc., 2005, pp. 99–108.
9. M. Berg, "Implementing Information Systems in Health Care Organizations: Myths and Challenges," Int'l J. Medical Informatics, vol. 64, no. 2, 2001, pp. 143–156.
10. S. Spiekermann, J. Grossklags, and B. Berendt, "E-Privacy in 2nd Generation E-Commerce: Privacy Preferences versus Actual Behavior," Proc. 3rd ACM Conf. Electronic Commerce (EC 01), ACM Press, 2001, pp. 38–47.

Rosa R. Heckle is an information systems engineer at MITRE. Her research interests include authentication security mechanisms, focusing on usability and organizational/individual complexities in implementing these systems. Heckle has a PhD in information systems from the University of Maryland, Baltimore County. Contact her at rheckle@mitre.org.
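The following is an added illustration, not code from the paper or from GH's SSO product, of the mental-model gap described in the Aligning Mental Models and Performing the Pilot Study sections: with network-level authentication, exiting an application leaves the network session alive, and a Ctrl+Alt+L keystroke on a machine where it was never configured locks nothing, so the audit trail keeps attributing activity to a nurse who believes she has logged off. The workstation names, the nurse ID, the event timings and the idle-lock policy shown as a mitigation are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Workstation:
    name: str
    lock_hotkey: bool                      # is the one-keystroke Ctrl+Alt+L lock configured?
    idle_lock_after: Optional[int] = None  # assumed mitigation: auto-lock after N idle seconds


@dataclass
class NetworkSession:
    user: str
    ws: Workstation
    last_activity: int
    locked: bool = False
    audit: List[str] = field(default_factory=list)

    def log(self, t: int, event: str) -> None:
        self.audit.append(f"t={t}s {self.user}@{self.ws.name}: {event}")


class SsoNetwork:
    # Network-level authentication: log on once, then open any authorized
    # application without re-authenticating; only a logoff or lock ends access.
    def __init__(self) -> None:
        self.sessions: Dict[str, NetworkSession] = {}  # one live session per workstation

    def logon(self, user: str, ws: Workstation, t: int) -> None:
        self.sessions[ws.name] = NetworkSession(user, ws, last_activity=t)
        self.sessions[ws.name].log(t, "network logon with individual ID")

    def open_app(self, ws: Workstation, app: str, t: int) -> None:
        s = self.sessions[ws.name]
        s.last_activity = t
        s.log(t, f"opened {app} (no further authentication)")

    def exit_app(self, ws: Workstation, app: str, t: int) -> None:
        # The mental-model trap in the paper: exiting the application only
        # exits the application; the network session stays alive.
        s = self.sessions[ws.name]
        s.last_activity = t
        s.log(t, f"exited {app}; network session still active")

    def press_ctrl_alt_l(self, ws: Workstation, t: int) -> bool:
        s = self.sessions[ws.name]
        if not ws.lock_hotkey:
            s.log(t, "Ctrl+Alt+L pressed but not configured on this machine: no effect")
            return False
        s.locked = True
        s.log(t, "Ctrl+Alt+L: locked in one keystroke, work preserved")
        return True

    def tick(self, t: int) -> None:
        # Assumed mitigation for machines without the hotkey: lock after idle time.
        for s in self.sessions.values():
            limit = s.ws.idle_lock_after
            if limit is not None and not s.locked and t - s.last_activity >= limit:
                s.locked = True
                s.log(t, f"idle {t - s.last_activity}s >= {limit}s: auto-locked")

    def attributed_user(self, ws: Workstation) -> Optional[str]:
        # Whom the audit trail would credit with activity at this workstation right now.
        s = self.sessions.get(ws.name)
        return None if s is None or s.locked else s.user


def run_scenario() -> Dict[str, object]:
    # The same nurse routine on three workstations (constructed sample events).
    net = SsoNetwork()
    cow = Workstation("COW-3", lock_hotkey=True)
    monitor = Workstation("station-monitor", lock_hotkey=False)  # as in the pilot
    fixed = Workstation("station-monitor-fixed", lock_hotkey=False, idle_lock_after=120)
    for ws in (cow, monitor, fixed):
        net.logon("nurse_a", ws, t=0)
        net.open_app(ws, "Meditech", t=5)
        net.exit_app(ws, "Meditech", t=60)
        net.press_ctrl_alt_l(ws, t=61)  # she believes she has logged off
    net.tick(t=200)                     # a couple of minutes after she walked away
    return {
        "cow": net.attributed_user(cow),          # None: locked, nothing attributable to her
        "monitor": net.attributed_user(monitor),  # "nurse_a": still logged on, unknowingly
        "fixed": net.attributed_user(fixed),      # None: the idle lock closed the gap
        "audit": [line for s in net.sessions.values() for line in s.audit],
    }
```

The "monitor" result is the pilot's finding in miniature: the logged-on identity the auditor sees is not necessarily the person at the keyboard, which is exactly what an idle lock or configuring the hotkey on every machine is meant to close.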