Many of these irritating security measures are a waste of time
This was featured in an article by Mark Pothier from the Boston Globe – “Please Do Not Change Your Password” and was featured in an NPR news piece on All Things Considered: Study: Computer Security Measures Not All Worth It. As usual with security it is a cost benefit trade off and what is deemed appropriate in one setting is maybe not the case in another. By the study calculation that one minute of collective user time fighting with a new password or alternative password requirements equals about $16 Billion per year!
In health care we manage and maintain confidential information and it does need to be secured but mandated password requirements that remain totally inconsistent across different applications and tools (and in some cases inconsistent within products) places barriers and in particular time loss on an already time challenged set of clinical workers. As the renown security expert Bruce Schneier commented on a failure of employees to adhere to strict computer polices
Schneier speculated that the employees knew following those policies would cut into their work time
And so it is in healthcare. Add complexity and mandated changes with specific rules for password construction (which btw often times are a mystery and unavailable to the user until *after* they have tried to create a password) and you have a recipe for insecure systems. Staff get into trouble for not completing work and while security breaches are a problem they do not represent the bigger risk
Failure to get work done is a bigger risk and outweighs any unspecified consequences of ignoring a security rule or three
Lets hope Healthcare IT folks take note and rather than ramming down security requirements they approach the concept with more flexibility and open mindedness