Biblio
Healthcare professionals have unique motivations, goals, perceptions, training, tensions, and behaviors, which guide workflow and often lead to unprecedented workarounds that weaken the efficacy of security policies and mechanisms. Identifying and understanding these factors that contribute to circumvention, as well as the acts of circumvention themselves, is key to designing, implementing, and maintaining security subsystems that achieve security goals in healthcare settings. To this end, we present our research on workarounds to computer security in healthcare settings without compromising the fundamental health goals. We argue and demonstrate that understanding workarounds to computer security, especially in medical settings, requires not only analyses of computer rules and processes, but also interviews and observations with users and security personnel. In addition, we discuss the value of shadowing clinicians and conducting focus groups with them to understand their motivations and tradeoffs for circumvention. Ethnographic investigation of workflow is paramount to achieving security objectives.
Presented at Safety, Security, Privacy and Interoperability of Health Information Technologies (HealthTec 2014), August 19, 2014 in San Diego, CA. See video at URL below.
Conventional wisdom is that the textbook view describes reality, and only bad people (not good people trying to get their jobs done) break the rules. And yet it doesn't, and good people circumvent.
Published in IEEE Security & Privacy, volume 11, issue 5, September - October 2013.