Difference between revisions of "Journal:Password compliance for PACS work stations: Implications for emergency-driven medical environments"

From LIMSWiki
Revision as of 20:46, 30 July 2018

Full article title: Password compliance for PACS work stations: Implications for emergency-driven medical environments
Journal: South African Journal of Bioethics and Law
Author(s): Mahlaola, T.B.; van Dyk, B.
Author affiliation(s): University of Johannesburg
Year published: 2017
Volume and issue: 10(2)
Page(s): 62–6
DOI: 10.7196/SAJBL.2017.v10i2.00600
ISSN: 1999-7639
Distribution license: Creative Commons Attribution-NonCommercial 4.0 International
Website: https://www.ajol.info/index.php/sajbl/article/view/165242
Download: https://www.ajol.info/index.php/sajbl/article/download/165242/154702 (PDF)

Abstract

Background: The effectiveness of password usage in data security remains an area of high scrutiny. Literature findings do not inspire confidence in the use of passwords. Human factors such as the acceptance of and compliance with minimum standards of data security are considered significant determinants of effective data-security practices. However, human and technical factors alone do not provide solutions if they exclude the context in which the technology is applied.

Objectives: To reflect on the outcome of a dissertation which argues that the minimum standards of effective password use prescribed by the information security sector are not suitable to the emergency-driven medical environment, and that their application as required by law raises new and unforeseen ethical dilemmas.

Method: A close-ended questionnaire, the Picture Archiving and Communication System Confidentiality Scale (PACS-CS), was used to collect quantitative data from 115 health professionals employed in both a private radiology and a hospital setting. The PACS-CS sought to explore the extent of compliance with accepted minimum standards of effective password usage.

Results: The percentage compliance with minimum standards was calculated. A significant statistical difference (p<0.05) between the expected and observed data-security practices was recorded.

Conclusion: The study interrogates the suitability of adherence to minimum standards of effective password usage in an emergency-driven medical environment and calls for much-needed debate in this area.

Introduction

The effectiveness of password usage in data security has been heavily criticized. A variety of assumptions regarding password usage have been made, depending on the focus of the literature. From a technical perspective, passwords are considered ineffective in restricting access only to individuals with authorized and legitimate access to data.[1] Engineers suspect that human factors play a significant role in determining the effectiveness of technical safeguards, so that human beings are deemed the weakest link in data security.[2] It remains unclear whether the use of passwords is effective in safeguarding electronic data.

Literature findings do not inspire confidence in the usage of passwords for data security. Several quotes taken from various points in time attest to this fact, for example: "Boot passwords, put your computer under lock and key"[3]; "Goodbye, passwords. You aren’t a good defense"[4], and more recently, "Forget passwords – use your face instead."[5]

There is extensive literature focusing on the effectiveness and suitability of password usage in preventing confidentiality breaches within environments such as computer security. The researchers have no knowledge of similar studies relating to the suitability of password usage within the medical environment. The aim of this article is to bring to the fore factors unique to the medical environment that argue against the direct "copy and paste" adoption of the minimum standards for effective password usage from computer security into the medical environment.

Background

The use of passwords is ineffective in restricting access only to individuals who are authorized to access data. This popular and easy means of controlling access to data may, in fact, provide the easiest way to breach confidentiality. Information technologists insist that with proper management, passwords are an effective means of protecting the security of data. Measures include, but are not limited to, the use of strong passwords, having individual rather than shared passwords, and changing passwords on a regular basis.[6]

Compliance with the minimum standards for effective password usage requires knowledge of and to some extent expertise in data security on the part of the healthcare provider.[7] However, the responsibility to comply cannot be placed solely on the healthcare provider. Standards for effective password usage should be well accepted and applied by all users of the technology. At times, factors unique to the medical field may influence the acceptance of security measures. For instance, in a medical emergency, there may be a legitimate need to circumvent the minimum standards of effective password usage in order to save a life.[2][8] It is for this reason that the contributions of both human and technical factors in normative research are noteworthy, but will never be adequate if the context in which technology is applied remains excluded.

This paper draws on the assumption that the situated use of technology creates challenges to the inscribed ethics of technology use, resulting in the emergence of new ethical dilemmas. Based on this assumption, we argue that the proper management of passwords as described in the environment of computer security is not suitable to the emergency-driven medical environment. In this paper, we reflect on the research outcome of the first author’s dissertation in putting this argument forward.[9]

Methods

A picture archiving and communication system (PACS) is a digital storage system designed to address the limitations of film and paper records. A conventional storage system imposes disadvantages that become an impediment to the continuity of patient care, because the records could be easily misplaced and therefore difficult to retrieve, resulting in delayed medical treatment.[10] PACS is inherently a radiology archiving system that may be extended to various other sections within a hospital. It allows for remote and instant access to radiology data by a multidisciplinary complement of health professionals (HPs) who are based in different locations within a hospital setting, so that the data of the same patient may be accessed simultaneously by different HPs.[11] PACS has contributed to improved patient care by increasing efficiency and the accessibility of data, and has led to fewer delays in the clinical management of patients.[11] The electronic nature of PACS makes it possible for patients’ data to be accessed, duplicated, and exported without the patient’s knowledge and consent.[12] The use of passwords aids in restricting access to PACS data, to minimize the risk of breaching patient confidentiality.


References

  1. Dayarathna, R. (2009). "The principle of security safeguards: Unauthorized activities". Computer Law & Security Review 25 (2): 165–72. doi:10.1016/j.clsr.2009.02.012. 
  2. Ifinedo, P. (2012). "Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory". Computers & Security 31 (1): 83–95. doi:10.1016/j.cose.2011.10.007. 
  3. Steers, K. (2003). "Boot passwords, put your PC under lock and key". PC World 21 (9): 168. 
  4. Stross, R. (9 August 2008). "Goodbye, Passwords. You Aren’t a Good Defense". The New York Times. https://www.nytimes.com/2008/08/10/technology/10digi.html. Retrieved 27 May 2017. 
  5. Graham, J. (5 January 2015). "Forget passwords - use your face instead". USA Today. https://www.pressreader.com/usa/usa-today-us-edition/20150105/281801397332402. 
  6. Payton, L. (2010). "Memory for Passwords: The Effects of Varying Number, Type, and Composition". PSI CHI Journal of Psychological Research 15 (4): 209–13. doi:10.24839/1089-4136.JN15.4.209. 
  7. Williams, P.A.H. (2008). "In a ‘trusting’ environment, everyone is responsible for information security". Information Security Technical Report 13 (4): 207–15. doi:10.1016/j.istr.2008.10.009. 
  8. Robinson, R. (2016). "Moral Distress: A Qualitative Study of Emergency Nurses". Dimensions of Critical Care Nursing 35 (4): 235–40. doi:10.1097/DCC.0000000000000185. 
  9. Mahlaola, T.B. (20 January 2015). "Compliance of health professionals with patient confidentiality when using PACS and RIS". University of Johannesburg. https://ujcontent.uj.ac.za/vital/access/manager/Repository/uj:13153 
  10. Beach, J.; Oates, J. (2014). "Maintaining best practice in record-keeping and documentation". Nursing Standard 28 (36): 45–50. doi:10.7748/ns2014.05.28.36.45.e8835. 
  11. Bolan, C. (2013). "Technology Trends: A view of the future image exchange". Applied Radiology 42 (11): 32–7. https://appliedradiology.com/articles/technology-trends-a-view-of-the-future-image-exchange. 
  12. Benatar, D. (2010). "Indiscretion and other threats to confidentiality". South African Journal of Bioethics & Law 3 (2): 59–62. http://www.sajbl.org.za/index.php/sajbl/article/view/101. 

Notes

This presentation is faithful to the original, with only a few minor changes to presentation. In some cases important information was missing from the references, and that information was added.