Workarounds to computer access in healthcare are sufficiently common that they often go unnoticed. Clinicians focus on patient care, not cybersecurity. We argue and demonstrate that understanding workarounds to healthcare workers’ computer access requires not only analyses of computer rules, but also interviews and observations with clinicians. In addition, we illustrate the value of shadowing clinicians and conducting focus groups to understand their motivations and tradeoffs for circumvention. Ethnographic investigation of the medical workplace emerges as a critical method of research because in the inevitable conflict between even well-intended people versus the machines, it’s the people who are the more creative, flexible, and motivated. We conducted interviews and observations with hundreds of medical workers and with 19 cybersecurity experts, CIOs, CMIOs, CTO, and IT workers to obtain their perceptions of computer security. We also shadowed clinicians as they worked. We present dozens of ways workers ingeniously circumvent security rules. The clinicians we studied were not “black hat” hackers, but just professionals seeking to accomplish their work despite the security technologies and regulations.
Everyone in tech assumes that clinicians are resistant to tech. I’m here to tell you that tech is significantly more resistant to or at least ignorant of the needs of clinicians than the other way around. Clinicians have just given up on tech and found ways to deal with it.
Eh, it’s a mixed bag. I’m doing some automation for GP practices and I’ve seen the whole spectrum. There are “please don’t make me touch a computer” people as well as “there’s this cool SaaS thing we should implement” people. At a hospital level though, things often work closer to the corp idea - people who decide the tech don’t use the tech, with all the fun that entails.
Most of the problems, in my experience in (US) health tech, boil down to one of:
Though there absolutely are clinicians who are just luddite-ish, too.
For auth in itself, I wonder how hard/easy it would be to set something up with smart cards, so you could just touch your ID card and have the “right” lookup happen in one way or another. Healthcare-focused password management?
I have no idea how you deal with the de-auth problem short of redesigning software to make it more obvious what you’re doing or outright having people walk around with devices (which seems… impractical?)
My general feeling is if you don’t know, at least think about what you would do with, like, paper, and see how hard you could emulate that. But this is clearly a huge problem from these interviews.