A study of medical professionals’ attitudes toward information security reveals that nurses and doctors fumble over protocols, often putting patients at risk.

The study, “Workarounds to Computer Access in Healthcare Organizations (PDF),” offers a fascinating look behind the privacy curtains at hospitals. The study, sponsored by the University of Pennsylvania, Dartmouth College and the University of Southern California, connects the dots on poor security practices and how that can lead to bad patient care.

In one instance, outlined by the report, physicians ordered medications for the wrong patient because a computer was left on and the doctors didn’t realize it was open for a different patient.

The report also criticizes hospital IT infrastructure. “The clinicians we studied were not ‘black hat’ hackers, but just professionals seeking to accomplish their work despite the security technologies and regulations,” wrote the authors of the report. Based on the premise, healthcare clinicians are some of the worst offenders when it comes to computer access workarounds the authors of the study decided to shadow them to better understand fundamental enterprise security challenges and access control pain points. The research included interviews with hundreds of medical workers, CTOs, IT admins and 19 cybersecurity experts.

According to the researchers, “We find users write down passwords everywhere. Sticky notes form sticky stalagmites on medical devices and in medication preparation rooms… One vendor even distributed stickers touting “to write your username and password and post on your computer monitor.”

With regards to signing-off of computer systems. The authors of the report note, when a user’s computer session extends beyond the active need of the user, “it leaves the computer vulnerable to misuse by an unauthorized persons or to an authorized user who assumes he or she is entering information for a patient different than the one still logged-in on the screen.”

http://www.cs.dartmouth.edu/~sws/pubs/ksbk15-draft.pdf