Yes, I’m sure they have their reasons and their own priorities and constraints. Just like the doctors who decline to use basic authentication. See my point? Hospitals are notorious for passing the buck around.
As it happens there is a single web property for accessing a remote desktop, not multiple systems, and the hospital down the road funded by the same entity has implemented TOTP authentication.
I have had a doctor tell me that his time was too important to waste it typing passwords. I had another one tell me, quite dramatically, "someone could die" while he was typing in a password. It's a profession where many have an "interesting" perspective on information protection. I have tons of tragicomic security stories from dealing with health care providers.
And they are right. Passwords are probably the wrong thing. Give the doctors a hardware token, a smartcard (and fit smartcard readers to everything doctors might expect to use) or use biometrics.
Might some doctors leave the smartcard in the reader for a PC they often use, then walk away? Yes, yes they might, and that is a behaviour you can start fighting with peer pressure, but doctors are right to think passwords are a waste of their time.
>And they are right. Passwords are probably the wrong thing. Give the doctors a hardware token, a smartcard (and fit smartcard readers to everything doctors might expect to use) or use biometrics.
This is spot on and in most cases this is the way most hospitals are moving, particularly by using the already-assigned ID badges as RFID tokens. But as I mentioned in a couple of other comments farther down, I have experienced situations in which even this is something that doctors refuse (in one case, because they were upset that we were asking them to keep their ID badge with them, which they apparently had a problem with doing).
It's the most frictionless solution I've seen in widespread adoption and probably the least prone to pushback, but that doesn't mean there's no pushback, which is the unfortunate point of my original comment at the top of the thread.
> And they are right. Passwords are probably the wrong thing. Give the doctors a hardware token, a smartcard (and fit smartcard readers to everything doctors might expect to use) or use biometrics.
> Might some doctors leave the smartcard in the reader for a PC they often use, then walk away? Yes, yes they might, and that is a behaviour you can start fighting with peer pressure, but doctors are right to think passwords are a waste of their time.
At least at the hospitals I've been to, this is implemented as an RFID tag on their ID badge, so it doubles as access control for both physical and software systems (as well as functioning as a charge card of sorts against the employee's company account for things like the cafeteria).
Yes, passwords are an annoyance, friction and a waste of time. Not to mention 2FA, which is worse. For the Dr, his utmost concern is to treat the patient, not to deal with an extra layer of annoyance.
As IT or security personel, your job is to support them and ensure security without creating extra friction or productivity loss. Yes, it is hard, but that is the challenge.
This is what is often neglected by security professionals, who just blame the user.
Hey, thanks for the condescension. You know what else our job as "security personel" (sic) is? Other than literacy, it's matching controls to risk. The guy who talked about "people dying" was a urologist; I can assure you that no one was going to die in his office because of passwords. So, yes, we should reduce friction where it's appropriate, but unless you understand the actual risk model, maybe you should keep your comments to yourself.
> The guy who talked about "people dying" was a urologist; I can assure you that no one was going to die in his office because of passwords.
I know of exactly one case where you would have been completely wrong. Emergency surgery straight from the urologist's office is what saved the patient. Some people simply go to the hospital much too late when they have issues.
The doctor is not the customer. The doctor and security personnel are coworkers in a business where the customer is the patient who is being treated and whose sensitive data is being stored.
It is indeed the shared responsibility of the security team to keep in mind that the customer requires quality medical care, and security should not interfere with that. Similarly, it is also the shared responsibility of the doctor to keep in mind that the customer also requires that their data remain secure, and their Luddism should not interfere with that, either.
Yes, everyone has to participate in ensuring security; how completely divorced from reality do you have to be to think otherwise? And we need security professionals to remind everyone that security is important and that we all have to be part of ensuring it.
It is your responsibility to participate in the security of your customer's information. It is your fault if you "choose convenience over security". It is not anyone else's fault.
Ask yourself how you would feel if your bank just let someone access your account and steal your money. Would you forgive them if the bank said "well it would have been really annoying to have to check the person's identity before letting them take the money, so we chose convenience over security"? Of course not.
Security professionals are there to guide you and make security tools easier and less intrusive for you to use (and believe me, they want to make it easier for you, if only for the entirely self-serving reason of reducing the amounts of complaints they get), but even if the security tools are hard to use, it is your responsibility to still use them. You are not doing your job if you disregard them, and "it's annoying" is absolutely, 1000% not an excuse for potentially exposing the sensitive information of every one of your customers.
Trying to shift security to the end user wouldn't improve security. Most people value convenience over security.
Then the bank is not doing a good job. It's the bank's responsibility to secure my account. How they do it is up to them. I don't really care what method they use as long as, from my perspective, it's frictionless and not annoying.
If you make security tools that are hard to use, then you are not doing a good job; be prepared for pushback and, consequently, a less secure environment.
As recently as maybe 20 years ago we learned that a lot of patient infection in hospitals was caused by patient-to-doctor-to-patient transfer. Things like disposable gloves and hand-cleaning stations at every bed were initially resisted by doctors as being over the top. Once the benefits were proven, they became ubiquitous. Maybe the same approach can be demonstrated for IT as for germ security: that everyone needs to participate.