Difference between revisions of "Journal:Password compliance for PACS work stations: Implications for emergency-driven medical environments"

From LIMSWiki

Revision as of 20:30, 30 July 2018

Full article title: Password compliance for PACS work stations: Implications for emergency-driven medical environments
Journal: South African Journal of Bioethics and Law
Author(s): Mahlaola, T.B.; van Dyk, B.
Author affiliation(s): University of Johannesburg
Year published: 2017
Volume and issue: 10(2)
Page(s): 62–6
DOI: 10.7196/SAJBL.2017.v10i2.00600
ISSN: 1999-7639
Distribution license: Creative Commons Attribution-NonCommercial 4.0 International
Website: https://www.ajol.info/index.php/sajbl/article/view/165242
Download: https://www.ajol.info/index.php/sajbl/article/download/165242/154702 (PDF)

Abstract

Background: The effectiveness of password usage in data security remains an area of high scrutiny. Literature findings do not inspire confidence in the use of passwords. Human factors such as the acceptance of and compliance with minimum standards of data security are considered significant determinants of effective data-security practices. However, human and technical factors alone do not provide solutions if they exclude the context in which the technology is applied.

Objectives: To reflect on the outcome of a dissertation which argues that the minimum standards of effective password use prescribed by the information security sector are not suitable to the emergency-driven medical environment, and that their application as required by law raises new and unforeseen ethical dilemmas.

Method: A close-ended questionnaire, the Picture Archiving and Communication System Confidentiality Scale (PACS-CS), was used to collect quantitative data from 115 health professionals employed in both a private radiology and a hospital setting. The PACS-CS sought to explore the extent of compliance with accepted minimum standards of effective password usage.

Results: The percentage compliance with minimum standards was calculated. A significant statistical difference (p<0.05) between the expected and observed data-security practices was recorded.

Conclusion: The study interrogates the suitability of adherence to minimum standards of effective password usage in an emergency-driven medical environment and calls for much-needed debate in this area.

Introduction

The effectiveness of password usage in data security has been heavily criticized. A variety of assumptions regarding password usage have been made, depending on the focus of the literature. From a technical perspective, passwords are considered ineffective in restricting access only to individuals with authorized and legitimate access to data.[1] Engineers suspect that human factors play a significant role in determining the effectiveness of technical safeguards, so that human beings are deemed the weakest link in data security.[2] It remains unclear whether the use of passwords is effective in safeguarding electronic data.

Literature findings do not inspire confidence in the usage of passwords for data security. Several quotes taken from various points in time attest to this fact, for example: "Boot passwords, put your computer under lock and key"[3]; "Goodbye, passwords. You aren’t a good defense"[4], and more recently, "Forget passwords – use your face instead."[5]

There is extensive literature focusing on the effectiveness and suitability of password usage in preventing confidentiality breaches within environments such as computer security. The researchers have no knowledge of similar studies relating to the suitability of password usage within the medical environment. The aim of this article is to bring to the fore factors unique to the medical environment that argue against the direct "copy and paste" adoption of the minimum standards for effective password usage from computer security into the medical environment.

Background

The use of passwords is ineffective in restricting access only to individuals who are authorized to access data. This popular and easy means of controlling access to data may, in fact, provide the easiest way to breach confidentiality. Information technologists insist that with proper management, passwords are an effective means of protecting the security of data. Measures include, but are not limited to, the use of strong passwords, having individual rather than shared passwords, and changing passwords on a regular basis.[6]

Compliance with the minimum standards for effective password usage requires knowledge of and to some extent expertise in data security on the part of the healthcare provider.[7] However, the responsibility to comply cannot be placed solely on the healthcare provider. Standards for effective password usage should be well accepted and applied by all users of the technology. At times, factors unique to the medical field may influence the acceptance of security measures. For instance, in a medical emergency, there may be a legitimate need to circumvent the minimum standards of effective password usage in order to save a life.[2][8] It is for this reason that the contributions of both human and technical factors in normative research are noteworthy, but will never be adequate if the context in which technology is applied remains excluded.

This paper draws on the assumption that the situated use of technology creates challenges to the inscribed ethics of technology use, resulting in the emergence of new ethical dilemmas. Based on this assumption, we argue that the proper management of passwords as described in the environment of computer security is not suitable to the emergency-driven medical environment. In this paper, we reflect on the research outcome of the first author’s dissertation in putting this argument forward.[9]

References

  1. Dayarathna, R. (2009). "The principle of security safeguards: Unauthorized activities". Computer Law & Security Review 25 (2): 165–72. doi:10.1016/j.clsr.2009.02.012. 
  2. Ifinedo, P. (2012). "Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory". Computers & Security 31 (1): 83–95. doi:10.1016/j.cose.2011.10.007.
  3. Steers, K. (2003). "Boot passwords, put your PC under lock and key". PC World 21 (9): 168. 
  4. Stross, R. (9 August 2008). "Goodbye, Passwords. You Aren’t a Good Defense". The New York Times. https://www.nytimes.com/2008/08/10/technology/10digi.html. Retrieved 27 May 2017. 
  5. Graham, J. (5 January 2015). "Forget passwords - use your face instead". USA Today. https://www.pressreader.com/usa/usa-today-us-edition/20150105/281801397332402. 
  6. Payton, L. (2010). "Memory for Passwords: The Effects of Varying Number, Type, and Composition". PSI CHI Journal of Psychological Research 15 (4): 209–13. doi:10.24839/1089-4136.JN15.4.209. 
  7. Williams, P.A.H. (2008). "In a ‘trusting’ environment, everyone is responsible for information security". Information Security Technical Report 13 (4): 207–15. doi:10.1016/j.istr.2008.10.009. 
  8. Robinson, R. (2016). "Moral Distress: A Qualitative Study of Emergency Nurses". Dimensions of Critical Care Nursing 35 (4): 235–40. doi:10.1097/DCC.0000000000000185. 
  9. Mahlaola, T.B. (20 January 2015). "Compliance of health professionals with patient confidentiality when using PACS and RIS". University of Johannesburg. https://ujcontent.uj.ac.za/vital/access/manager/Repository/uj:13153.

Notes

This presentation is faithful to the original, with only a few minor changes to presentation. In some cases important information was missing from the references, and that information was added.