Magazine article Behavioral Healthcare Executive

You Can Drown in Too Much Security: IT Security Is Important, but It Shouldn't Prevent Staff from Effectively Doing Their Jobs

Article excerpt

Two longtime college rivals found a genie's bottle and both were granted a wish. One said that he was tired of people who didn't share his devotion for his alma mater passing through town. He wished for a large, solid wall around the town to keep people out, and the genie built the wall. After thinking for a moment, the rival made his wish: "Fill it up with water." The moral of the story: You can drown in too much security.

Behavioral healthcare provider organizations are required to have a number of IT security policies, procedures, and practices. For example, Joint Commission standard IM.2.1 requires that "the organization determines the need for and appropriate levels of security and confidentiality of data and information." HIPAA guideline 164.306(b)(1) states that covered entities may use "any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified." Yet rigidly focusing on security standards without regard to the "reasonableness" of their implementation can result in an organization effectively "securing itself from itself." Have you ever hidden a present for someone and then forgotten where you stashed it? The same principle applies to IT.

For example, one of the HIPAA technical safeguard requirements, 164.312(a)(2)(iii), requires an "auto-log-off" feature so that unattended workstations automatically exit a program after a specified idle time. It seems like a simple rule. However, what counts as a "reasonable" idle interval before auto-log-off is triggered may depend on who makes the decision.

We have had differences of opinion within my organization. Technical staff, typically more focused on security, initially believed ten minutes was an appropriate interval. It didn't take long until clinical staff said that they seemed to spend as much time logging in and out of the system as they spent documenting patient care. As a result, the idle interval swung to the other extreme, allowing clinicians to remain in the system from morning log-in until the day was done. Thus, the HIPAA-compliant auto-log-off feature existed, but it was seldom triggered. Eventually everyone agreed on a reasonable and appropriate idle interval (four hours), allowing clinicians to do their work while maintaining a security level that reasonably keeps unauthorized users from accessing an unattended computer.

Password policies are another necessary requirement (HIPAA Standard 164.312(d)) that can foster inefficient and detrimental operational and security processes. A common security policy requires "strong" passwords that use upper- and lower-case letters, numbers, and punctuation. Strong passwords must contain at least eight characters, and users must change them routinely. An attacker guessing passwords at random will find it difficult to access a system that enforces strong passwords.

However, strong passwords can create practices that decrease security effectiveness. Legitimate users tend to have trouble remembering strong passwords, so they often write them down, commonly placing them underneath a keyboard, inside a center desk drawer, or even on a sticky note attached to the computer itself. The security policy is being met by using strong passwords, but the actual security objective is compromised.

What is the reasonable and appropriate action? …
