Healthcare security: Write login details on a whiteboard, hope for the best
Bork!Bork!Bork! Today's bork is entirely human-generated and will send a shiver down the spine of security pros. No matter how secure a system is, a user's ability to undo an administrator's best efforts should not be underestimated.
This example is a whiteboard seen by an eagle-eyed Register reader in their local medical center. Our reader asked to remain anonymous for obvious reasons, but we can only wish that the same anonymity had been extended to the systems running behind the scenes.
Whiteboard showing confidential information (obscured)
We've excised the text, but suffice it to say that the whiteboard contains usernames and passwords for system access. It's a change from a Post-it note stuck to the screen, but it's no less likely to make a security professional shriek in horror. After all, not only is the account exposed, but anyone can use it, which renders an access log somewhat redundant.
The whiteboard has been on display at the UK medical center for a while now. Our reader told us: "A few months ago, I explained to a lady on the front desk that displaying this information was a bad idea. Clearly, they don't believe me."
The National Health Service has guidelines regarding passwords. The rules include (https://digital.nhs.uk/cyber-and-data-security/guidance-and-assurance/data-security-and-protection-toolkit-assessment-guides/guide-9---it-protection/password-strength-remote-locations-and-managed-estates) "not using a single word... think random... think multiple (3 random passwords technique)" and "not using or containing a common password."
To be fair to the medical center concerned, those rules do not include "for goodness sake, don't put the username and password on a whiteboard for everyone to see."
Thankfully, passwords are on their way out. According to the UK's National Cyber Security Centre (NCSC), passkeys "solve the main security problems we have with passwords."
The NCSC states they "are generated securely and so can't be guessed... can't be phished," and "are unique for each website you use, so if one website is compromised it doesn't put your other logins at risk."
They are also unlikely to be found written on a whiteboard.
Passkeys are not a perfect solution to password problems. However, almost anything would be an improvement on this public display of private credentials. ®
