
Is sharing computer logins at work bad?

Mark R

I work at a major hospital, where they have recently installed a very expensive digital X-ray system (PACS). Rather than printing images, they are stored on a server and accessible from anywhere in the hospital and docs can then annotate the images as required, before the images get passed to an expert reviewer (radiologist) for final diagnosis.

All well and good, and not having to deal with lost X-rays, finding the correct X-ray in a pile of hundreds, etc. is a big bonus.

Unfortunately, this system has had its fair few 'teething troubles'. Rather uniquely, this system uses smartcard login. Each authorized person has a smart card, which was issued under strict security procedures (e.g. have to provide passport, drivers licence, SSN, considerable security information, and in some cases undergo a background check).

Unfortunately, the smartcard login system has proved a bit of a problem. It's slow, taking up to a minute to authenticate, and restart the software. But more importantly, it's unstable with a tendency to freeze up and deny logins until the workstation is restarted. Crashing once or twice per day, would possibly be acceptable. But in busy areas, such as the ER, the workstations were crashing 5 or 10 times a day, such that so much time was wasted by docs rebooting the comps that it was hardly better than the old system.

The stunning plan to get around this, authorized by managers and the IT department, is as follows:
In the ER and other similarly busy areas, staff should pool their cards into a communal pool. The PIN should be noted on the card and should access be needed, a card be chosen, used to login to the system, and the card left logged in until the end of the day.

So what about all the annotations that get filed under the cardholder's name (rather than the actual users)? It wasn't an issue before, until people started getting 'phone calls informing them of mistakes, which were nothing to do with them.

Time to rethink the 'solution'? Yup. The new 'improved' solution - manually write your name on the end of comments you make, so it's clear who left the comment, rather than who was logged in at the time.

Genius!

Cliffs:
Install multi-million $ computer system for handling confidential medical data
All users vetted at great expense and issued with high security smart cards
System sucks ass
Everyone shares a volunteer's smartcard and PIN
All comments and notes entries must be manually annotated with the actual doc's name, so as to absolve the cardholder of any wrongdoing.
 
Wow, that sounds like something my tiny office would try.

Perhaps it is an emergency work-around, and a "real solution" is around the corner?
 
Originally posted by: GeekDrew
Wow, that sounds like something my tiny office would try.

Perhaps it is an emergency work-around, and a "real solution" is around the corner?

Yeah I can see how in a hospital, an emergency workaround would be acceptable. And realistically, is it any less secure than having stacks of xrays and charts laying around? We would be complaining to whoever developed the authentication system until they got it fixed. Bug the developer's tech support line every time it crashes if you have to. The phone tech may not be able to do anything, but then all those complaints of crashes will be logged into their tracking system.
 
That is not the best solution, unless the IT dept assigns a generic department
based id smart card. That way, no one user would be held accountable if something
goes wrong. If a user needs to notate something, then they should enter an ID code
when they make the notation in the system.

An easier alternative, in my opinion, might be a simple fingerprint reader. They should
operate fairly quickly, will not require the users to have a smart card on them and are
next to impossible to bypass.
 
Ah, PACS, I remember it well when I was in the USAF. Yes, it is quite expensive.

It depends upon the policies set for that facility in regards to sharing logins. I don't know if JCAHO or HIPAA has anything about that in regards to that, possible patient information violation.
 
If yours is anything like the hospitals/healthcare providers I've worked with there will be a big fire under this issue. 'Solutions' like this are usually not (and shouldn't be) tolerated by management. If there isn't a fire under this do the right thing, be a whistle blower.

I find that 'solutions' like this are often shadow IT department driven, and not sanctioned by the actual policy authority.
And realistically, is it any less secure than having stacks of xrays and charts laying around?
I disagree, this is not having a couple copies of a patient's xrays in several physically secured locations (nursing stations, file cabinets, doctor's desks); this is all the records for all the patients that the logged in user has access to (typically all of the patients currently in the unit plus some historical data) on every medical device that they are doing this on.
 
Wow...whoever installed the system should be roasted. Haven't really heard anyone comment about that yet. People are suggesting workarounds and what-not, but the real issue here is that the system DOES NOT WORK as designed!! What company is responsible for this system?

As others have mentioned...of course the workaround is bad. It defeats the whole purpose of the system in the first place of being able to automatically track who did what, making your lives easier, securing the data, etc. Given the situation though, I don't know what else you guys could do.
 
I still suggest a fingerprint reader to control access. It is a proven method, not very
costly and it will do the job properly.
 
Originally posted by: bruceb
I still suggest a fingerprint reader to control access. It is a proven method, not very
costly and it will do the job properly.

Till someone cuts off a finger to gain access.
 
Unfortunately, changing the system isn't an option.

The system (main application software, login system, and the associated X-ray database software) are all supplied by different vendors - but more importantly, the choices are made on a regional basis, not on a hospital basis. All hospitals in the region must install the exact specified system by a certain date, or they will have to pay huge financial penalties.

Additionally, because the installation is regionally managed (not locally), local 'administrators' are powerless. E.g. if an X-ray is accidentally taken with the wrong name on, the name cannot be changed by local administrators. Instead, a support ticket has to be raised with regional management, who will then raise a support ticket with the vendor.

Even things like login permissions can't be managed locally - e.g. there's a problem where docs (including radiologists) don't have access to preset 'brightness/contrast' settings for viewing images (e.g. a 'bone' preset for assessing bones, or a 'lung' preset for assessing lungs) - presets are an administrator only function. Local admins can't change this. While a support ticket was raised, the reply was that medical staff's user roles were fixed and permissions cannot be modified on an ad hoc basis; overall policies prevent a change to global permissions for a role.

Believe me, there is lots more wrong with the system. For a start, the user interface is the worst I have ever seen - unbelievably confusing and clumsy, and it's not even consistent within the same program.

I would dearly love to name the vendor and the software - but the vendor pursues legal action extremely aggressively, and several medical bloggers who pointed out that the user interface is a disaster were forced to pull their blogs.
 
What should you as an employee do? Well... you shouldn't want things logged under YOUR name.. there is liability involved... you should demand that the IT department issue generic cards for each work station.. perhaps under the credentials of the IT people and not any doctors... The doctors should absolutely NOT be pooling their smart cards!

Step zero... use GENERIC cards that were issued by the IT department with no docs credential as a workaround while doing steps one and two...
Step one... change to a DIFFERENT provider for such a system
Step two... sue current provider for providing you with a non working system.

Your system doesn't work, and it is a critical system in a HOSPITAL... there is no reason to do workarounds... you need a different system that does work... Switch and Sue.
 
I have to agree ... tell your current vendor they have 2 weeks to fix it to work properly
and give the doctors the permissions to change simple things like Brightness / Contrast
that they, the vendor should have no say in the matter of. A system that is locked down too
tight, like yours, is asking for trouble at a later date. And calling one company to have them
call someone else to fix a problem is inane at best. You can be sure of two things:
1): They will mess up the original description of the problem and what you expect.
2): It will take a long time to resolve, if they resolve it and in a hospital, time is important.

Change vendors ... And get a good Lawyer to sue those Idiots that put the current non-workable
system in place.

I know you are reluctant to name your hospital.
How about the city / state ? ?

It would be interesting to know if this garbage system was instituted at the request
of some state agency, that has no idea of what to get or how to get it or if it came
down from the US Gov't health department. One thing you can almost bet the house
on, is someone is getting or has gotten a good kickback for using this company.
And the Security Access should only control access to the Workstation .. and by
now, any good IT company should know how to do that with no issues at all.
Unless they are using low end computers, not using XP Pro or Server 2000 or
the latest MS server software
 
I wonder when the shit is gonna hit the fan... and where the buck will stop...

Will we be seeing this on the news pretty soon? it takes just one patient to die and his family suing for malpractice (his tumor/whatever wasn't diagnosed in time because they wasted time on buggy software?)
 
Unfortunately, it's a government order that the systems are installed, and only the government agency can oversee it. While theoretically it is possible for a hospital to find their own vendors, the system would have to integrate with planned regional and national networks. Unfortunately, it is only the regionally selected software that has been modified to support this connectivity, and modifying software from another vendor would be too much for a single hospital to take on.

While this system hasn't been rolled out in all the hospitals in my city, the remainder are getting the exact same system in the next few months. As you might imagine, there are a lot of pissed off docs.

In particular, for docs who look at complex CT and MR scans in their offices, there are huge practical problems. The PACS system being installed has very bad image processing capability, and no support for radio-isotope imaging or PET scans. Unfortunately, the contract is so restrictive that it will not be possible to install the sophisticated image processing software that the hospitals have bought a site license for at enormous expense (actually a thin client - all image processing is done server-side) or the isotope imaging software (excellent in-house software). For docs that want to use that type of software, the only option is to install a second workstation in their office - which means 4 or 6 21" monitors on a desk, a real problem in terms of both cost and space.
 
All the hospital admins and doctors need to write a letter / petition to the government agency that
insisted on this particular software / vendor without checking to see if it would work properly. It is
quite obvious that a complete overhaul is needed. And there is absolutely no need for a patient's
xrays to be able to be viewed elsewhere online. And they should never be stored on a server where
who knows who can get access to them. They are confidential, as are all medical records.?
 
Originally posted by: bruceb
All the hospital admins and doctors need to write a letter / petition to the government agency that
insisted on this particular software / vendor without checking to see if it would work properly. It is
quite obvious that a complete overhaul is needed. And there is absolutely no need for a patient's
xrays to be able to be viewed elsewhere online. And they should never be stored on a server where
who knows who can get access to them. They are confidential, as are all medical records.?

I'm sure you're right, but I really don't know what's going to happen. It may be that the agency / vendors are working on the problem, but can't roll out a solution (although it has been nearly 6 months) until it has been authorized from the appropriate committee.

I would disagree that X-rays should be restricted to a single site. In fact, this is one of the most important goals of this project. The ability for a doc to view previous X-rays immediately is a major bonus, even more so if they were taken elsewhere. Previously, this would mean a delay for the X-rays to be couriered from hospital A to B. While the system doesn't provide this yet, this is the next goal. Once individual hospitals have their PACS systems up and running, they will all be linked to a central datacenter which will archive all data from all hospitals - providing disaster recovery backup and instant communication of data to other hospitals.

This is the reason for the problematic smartcard login system, and why this aspect of the system is simply not up for negotiation (even though it's broken). Because every person who gets a card has to verify their ID and undergo a govt background check it is supposed to be secure. It is also supposed to be convenient as a doc's card is usable at any hospital he is authorized to work at - puts the card in and he immediately has access to all X-rays for patients that he is authorized to treat.

The problem is not so much with the system itself, but it is in the flawed 'solutions' to inherent deficiencies. The system and design, on paper, is fantastic - brilliantly secure and powerful - the problem is that the managers haven't verified that the vendors can supply software and components that actually do what they are supposed to do.


 
Yes, some xrays for like broken bones, where say, an Orthopedist can't set it properly and
sends you to an Orthopedic Surgeon are ok to share (happened to me when my wrist was
broken and a cast just would not do ... needed pins and external fixator to be set correctly)
But for other xrays, medical conditions can change hour to hour or day to day & say, a tumor,
might grow or shrink in size, before you can get to the next hospital or specialist. So, it really
isn't a must have. Most doctors would prefer & probably would, take another xray, before doing
any surgery. Just to be on the safe side.

 
Originally posted by: bruceb
But for other xrays, medical conditions can change hour to hour or day to day & say, a tumor,
might grow or shrink in size, before you can get to the next hospital or specialist. So, it really
isn't a must have.

Most doctors would prefer & probably would, take another xray, before doing any surgery. Just to be on the safe side.

On the contrary, for following up tumours, etc. it is absolutely essential to have the previous X-rays. You can't make a meaningful interpretation without them. Tumours change very slowly and can cause all sorts of associated changes - without reference to previous, it's impossible to tell what is new and what isn't.

The problem is that if you can't interpret an X-ray because you don't have any previous, you're going to have to do some other form of test, or repeat a test done elsewhere. This is unnecessary cost and unnecessary risk, and may not be legally sound under radiation protection laws.

I can assure you that in any complex case, the 2nd most important thing after the X-ray you are currently looking at, is the one taken before.

I should point out that I am a radiologist (doc who specializes in X-ray diagnosis), so I can speak with some authority on this subject.



 