Finally, some sanity in what has become a ridiculous storm of challenging and sometimes impossible hurdles. Microsoft Research has validated what I am betting the vast majority of users already know:
"Many of these irritating security measures are a waste of time."

This was featured in an article by Mark Pothier in the Boston Globe, "Please Do Not Change Your Password", and in an NPR piece on All Things Considered, "Study: Computer Security Measures Not All Worth It". As usual with security, it is a cost-benefit trade-off, and what is deemed appropriate in one setting may not be so in another. By the study's calculation, one minute per day of every US online adult's time spent fighting with a new password, or with yet another set of password requirements, works out to about $16 billion per year.
In health care we manage and maintain confidential information, and it does need to be secured, but mandated password requirements that remain totally inconsistent across different applications and tools (and in some cases inconsistent within a single product) place barriers, and in particular time loss, on an already time-challenged set of clinical workers. As the renowned security expert Bruce Schneier commented on employees' failure to adhere to strict computer policies:
"Schneier speculated that the employees knew following those policies would cut into their work time."

And so it is in healthcare. Add complexity and mandated changes, with specific rules for password construction (which, by the way, are often a mystery and unavailable to the user until *after* they have tried to create a password), and you have a recipe for insecure systems. Staff get into trouble for not completing work, and while security breaches are a problem, they do not represent the bigger risk:
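To make the point about hidden and inconsistent rules concrete, here is an added example of mine, not code from the post or from any vendor's product: a small policy object that publishes its rules so they can be shown to the user *before* they type, and that reports every failed rule at once instead of a single generic rejection. It then checks one candidate password against two deliberately different hypothetical policies ("EHR" and "Lab system"), which is the cross-application inconsistency the post complains about. The rule sets, policy names and the short common-password list are constructed for illustration only.

```python
"""Password policy that is discoverable up front and reports all failures at once.

Added example; the policies below are constructed and do not describe any real
product's rules.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed denylist of a few well-known weak passwords (illustrative only).
DENYLIST = {"password", "password1", "welcome1", "letmein"}


@dataclass
class Rule:
    description: str               # the text the user sees before choosing a password
    test: Callable[[str], bool]    # returns True when the candidate satisfies the rule


@dataclass
class PasswordPolicy:
    name: str
    rules: List[Rule] = field(default_factory=list)

    def describe(self) -> List[str]:
        """Human-readable rule list, to display on the form before the user types."""
        return [r.description for r in self.rules]

    def violations(self, candidate: str) -> List[str]:
        """Every rule the candidate breaks, in policy order (not just the first)."""
        return [r.description for r in self.rules if not r.test(candidate)]

    def accepts(self, candidate: str) -> bool:
        return not self.violations(candidate)


# Hypothetical policy for an EHR: length-focused, with a denylist.
EHR_POLICY = PasswordPolicy("EHR", [
    Rule("at least 12 characters", lambda p: len(p) >= 12),
    Rule("contains an upper-case letter", lambda p: re.search(r"[A-Z]", p) is not None),
    Rule("contains a digit", lambda p: re.search(r"[0-9]", p) is not None),
    Rule("is not a common password", lambda p: p.lower() not in DENYLIST),
])

# Hypothetical policy for a lab system: a maximum length and a symbol rule that
# the EHR policy does not share, so a password can pass one and fail the other.
LAB_POLICY = PasswordPolicy("Lab system", [
    Rule("between 8 and 14 characters", lambda p: 8 <= len(p) <= 14),
    Rule("contains a symbol (!@#$%^&*)", lambda p: re.search(r"[!@#$%^&*]", p) is not None),
    Rule("contains no spaces", lambda p: " " not in p),
])


def violations_across(policies: List[PasswordPolicy], candidate: str) -> Dict[str, List[str]]:
    """Map each policy name to the rules the candidate breaks; empty dict means it
    satisfies every policy, i.e. one password would work for all the listed systems."""
    result: Dict[str, List[str]] = {}
    for policy in policies:
        failed = policy.violations(candidate)
        if failed:
            result[policy.name] = failed
    return result


if __name__ == "__main__":
    for policy in (EHR_POLICY, LAB_POLICY):
        print(f"{policy.name} rules: {policy.describe()}")
    for candidate in ("password1", "Chart-Review-2024", "Ward7-Notes!Q"):
        print(candidate, "->", violations_across([EHR_POLICY, LAB_POLICY], candidate))
```

The design choice is that `describe()` and `violations()` read the same rule list, so the rules shown to the user can never drift from the rules enforced, and a user who fails gets the whole list of problems in one round trip rather than discovering the rules one rejection at a time.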
"Failure to get work done is a bigger risk and outweighs any unspecified consequences of ignoring a security rule or three."

Let's hope healthcare IT folks take note and, rather than ramming down security requirements, approach the concept with more flexibility and open-mindedness.