When is a PIN code better than a password?

PIN codes are ubiquitous. We use them to withdraw money from ATM cash point machines and make payments with our bank cards. Our electronic devices, smart-phones and apps are protected by PIN codes.

We can also use a PIN code to access our systems at work. An NHS smart-card is similar to a ‘chip-and-PIN’ bank card; you place your card in a reader and enter your passcode. This can be configured to log you onto your computer and integrated to open your clinical applications.

The alternative is to log in with a username and password. We typically use these to log in to a website to do online shopping, access our online accounts etc. At work many of us have an individual login for our computers and for each of our clinical systems.

Logging in can be slow and painful however, especially when we have to do it repeatedly. It is one of the causes cited for the increasing ‘clinical burden’ with using IT systems. Password policies also make it hard as we are advised to use ‘complex’ passwords, to change them regularly, and use different passwords in each system.

Have you ever wondered why that is? Why are we sometimes able to use a simple PIN code, while at other times we need to enter a complex password?

This blog explains why. It also looks at how we can use this knowledge to our advantage.

Some NHS organisations have been innovative in this area – I will discuss some novel approaches that can be used. For example, we have implemented a PIN code to unlock our EPR system. A number of organisations have experimented with other, simpler ways to authenticate the user.

I thought I would share our reasoning here – how use of a PIN and other measures can enhance both security and usability, in line with the NHS guidance. Also why a conventional login and NHS smart-card may not be sufficient on their own.

It’s all down to how we use our EPRs. I’ll explain why. First let’s quickly review the NHS guidance on this.

NHS password policy

The NHS password policy ‘best practice’ guidance recommends passwords should be created in the following format:

  • A minimum of 8 characters long
  • Not contain a dictionary word of more than 4 characters
  • Contain at least two uppercase letters
  • Contain at least two lower case letters
  • Contain at least 2 numbers
  • Contain at least two special characters or non-alphanumeric characters, such as ! " £ $ % & * @

The guidance also recommends:

“A risk balance will need to be made when deciding on the design and construction of passwords across an organisation. Care should be taken to ensure that complex password requirements do not place an unrealistic demand on users, management and system administrators, while still providing the necessary system access controls.”

Password guidance for NHS organisations

Why do passwords need to be complex?

The simple reason is to make it harder for someone to work out your password. It helps protect the user. Contrary to common belief though, it does little to protect the patient.

We know from experience that our systems are at risk of attack. The WannaCry ransomware attack in May 2017 was a wake-up call for us all. We are investing increasing sums in cybersecurity and can block many attempts, but the unfortunate truth is it is not possible to make our systems totally secure.

For example, one of the more common ways to obtain access to a system is through a phishing (pronounced ‘fishing’) attack. This is a password attack, but it has no bearing on how complex your password is. You could have an extremely complex password and be just as vulnerable to phishing.

Phishing is getting a user to reveal their password to you, by doing it surreptitiously. An example is receiving an email that looks legitimate and contains a link. This may take you to a website that looks genuine, but its only purpose is to prompt you to enter your login details so it can harvest them. It is easy to be fooled into this, as many of us know from personal experience.

In phishing terms, a user is considered a small fish. If the hacker has your password and wants to obtain patient data they can simply login to the system and look up any of the patients you can access, in the same way you do.

Hackers are usually greedier than that though. They will try to download multiple patient records, and all the staff records as well.

An administrator is a big fish, as an admin password lets the hacker do far more. Phishing aimed at such high-value accounts is called a ‘whaling’ attack (yes, I know a whale is really a mammal!). Armed with admin credentials a hacker can bypass some of the system security, and if they can get access to the database they can potentially download all the patient and staff records.

According to cybersecurity experts, over 40% of malicious hacks start this way: the hacker has first obtained a valid password and simply logs in to the system.

So why do we need a complex password, if it does little to protect against the threat of access to patient data?

The main reason is that it protects the user. When we register a password the system should not store the password itself; it stores a one-way ‘hash’ of it (often loosely described as encryption). If someone malicious managed to steal those hashes from the database they could try to recover the original passwords from them. If you are using the same password for multiple systems, a recovered password exposes you and those systems to further risk.

If passwords are hashed properly – with a slow, salted algorithm designed for the job – it should be impractical to recover them. The password policies are written to mitigate the risk that they are not being stored and secured as they should be. If there are flaws, for example a fast hash with no salt, it may be possible to recover some passwords with a ‘brute force’ attack – trying millions or billions of guesses offline against the stolen hashes, where no lockout applies.

This is where complex passwords come in. The more possible passwords there are, the longer the attacker has to spend guessing, and the less likely they are to recover your password and use it against you. However, as discussed, complex passwords provide very little extra protection for the patient.
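To make the hashing argument concrete, here is an added Python example. It is not code from this blog or from any NHS system. It checks a candidate against the policy format quoted above, stores a secret the way a well-behaved system should (salted, iterated PBKDF2), and then shows why that is still no protection for a 4-digit PIN: an attacker holding the stolen record can try every PIN offline, where the 3-attempt lockout does not apply. The word list, iteration count and sample passwords are constructed for the demo.

```python
import hashlib
import math
import os
from typing import Dict, Optional

# Added, constructed example: how stored passwords are attacked offline and why
# the policy above asks for length and character variety. Not the blog's own code;
# the iteration count, word list and sample secrets are assumptions for the demo.

PBKDF2_ITERATIONS = 1_000  # deliberately low so the brute force below runs in seconds

# Tiny stand-in for a real dictionary; the policy forbids words longer than 4 letters.
DICTIONARY_WORDS = {"password", "hospital", "letmein", "summer", "admin"}


def meets_nhs_policy(password: str) -> bool:
    """Check a candidate against the NHS 'best practice' format quoted above."""
    if len(password) < 8:
        return False
    lowered = password.lower()
    if any(word in lowered for word in DICTIONARY_WORDS if len(word) > 4):
        return False
    upper = sum(c.isupper() for c in password)
    lower = sum(c.islower() for c in password)
    digits = sum(c.isdigit() for c in password)
    specials = sum(not c.isalnum() and not c.isspace() for c in password)
    return min(upper, lower, digits, specials) >= 2


def hash_secret(secret: str, salt: bytes) -> bytes:
    """One-way, salted, iterated hash: what a database should hold instead of the password."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)


def register(secret: str) -> Dict[str, bytes]:
    """Simulate the record a system keeps for a user: a random salt and the hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_secret(secret, salt)}


def crack_numeric_pin(record: Dict[str, bytes], digits: int = 4) -> Optional[str]:
    """Offline brute force of a stolen record: every numeric PIN is tried, lockouts do not apply."""
    for n in range(10 ** digits):
        guess = f"{n:0{digits}d}"
        if hash_secret(guess, record["salt"]) == record["hash"]:
            return guess
    return None


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets an attacker must be prepared to try."""
    return alphabet_size ** length


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Same quantity in bits, for comparing a PIN with a policy-compliant password."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    import time

    stolen = register("1234")  # a 4-digit PIN stored (hashed) server-side
    start = time.perf_counter()
    found = crack_numeric_pin(stolen)
    print(f"recovered PIN: {found} in {time.perf_counter() - start:.2f}s")

    # 4 digits vs 8 printable ASCII characters (94 symbols), an upper bound for the policy
    print(f"4-digit PIN: {keyspace(10, 4):,} possibilities ({keyspace_bits(10, 4):.1f} bits)")
    print(f"8-char password: {keyspace(94, 8):,} possibilities ({keyspace_bits(94, 8):.1f} bits)")
    for pw in ("Tr0ub4dor&3!", "Rx9!Kq2#lm", "Hospital22!!AB"):
        print(f"{pw!r} meets policy: {meets_nhs_policy(pw)}")
```

The 94-symbol figure is an upper bound: the ‘at least two of each’ rules shrink the real keyspace somewhat, but it remains billions of times larger than 10,000. The lesson for the PIN discussion that follows is that slow, salted hashing buys time against a large keyspace; it cannot rescue a secret with only 10,000 possibilities once the attacker has the hash in hand.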

Why would we want to use a PIN code?

We know the concept – a PIN is a short password used to access a system. Often just 4 numbers.

A personal identification number (PIN), or sometimes redundantly a PIN number, is a numeric or alpha-numeric password used in the process of authenticating a user accessing a system.

Wikipedia: Personal Identification Number

The main advantage of using a PIN is the fact that it is short – it is easy to remember and quick to enter. The trade-off is a simple PIN is less secure than a complex password.

How secure are PINs?

We use PINs for personal banking so we know they offer some protection. Our money is fairly important to us after all!

For a 4 digit number 0000 to 9999 there is a 1 in 10,000 chance of selecting it randomly. Most systems will only give you 3 attempts – so 3 in 10,000 giving an imposter a 0.03% chance of guessing the PIN before they are blocked and locked out.

Unfortunately we are more predictable than that. According to research, with only 3 attempts it is possible to guess 19% of PINs, 1234, 1111 and 0000 being the most common. Adding more digits does not necessarily make a PIN more secure either, because people tend to write a longer PIN down or use a predictable sequence (e.g. 123456, a date of birth or a telephone number) to make it easier to remember.

A PIN can also contain letters, which increases the possible number of combinations. A PIN with letters is sometimes called a passcode. The NHS smart-card PIN/passcode can be between 4 and 8 alpha-numeric characters. These are more secure than a simple 4 digit number, but they still fall short of the NHS guidelines for security of passwords.

Security is not just about the length and complexity of a password though, it is also about where it is stored and how it is implemented. We will consider those next.

If PIN codes are less ‘secure’ – why would we want to use them in healthcare?

Well, as stated in the NHS guidance, it is a balance of usability and risk. We know PIN codes are easier to use – and we can assess the relative risks by doing a risk assessment.

An important consideration is whether we consider a PIN to be more or less secure than the existing measures. This is not as straightforward as you might think as there are other factors in play.

We have already discussed one key risk – the risk that a hacker could gain access to a system and download our hashed passwords. The good news is that risk largely goes away with a PIN, provided the PIN code is only held on the device and is never stored in the central system database; a 4-digit PIN held in a database would be trivial to recover even if it were hashed. A PIN is therefore at lower risk from a malicious external hack than a password, providing it is implemented in the correct way.

Another risk is that we sometimes write our passwords down to help us remember them. They are then stored somewhere else, potentially less secure – in the worst case on a note next to the computer. Arguably there is no difference here between a PIN and a password as both can be written down. We know it is harder to remember complex passwords though, and we are more likely to make a note of something we can’t remember.

There is also the risk that an imposter may try to ‘guess’ your password. We’ve discussed the probability of that above, and how limiting attempts etc. makes it more secure. Typically the PIN is not the only factor though – the device itself provides an extra layer of security. With an NHS smart-card, the card gives that added protection as it is something physical you possess, like a door key or bank card. We call that two-factor authentication (2FA) – in this case something you ‘have’ and something you ‘know’. An imposter cannot gain access without having your card. That extra factor allows us to offset the risk of having a simpler password: guessing the PIN through trial and error is not, on its own, enough to gain access.

A smart-card is issued to you personally, for your use only. Other personal devices can be used in a similar way. Smart phones and tablets are protected by a PIN code. In many cases they also have biometric chip protection that can be enabled. As with a Chip-and PIN card they are something physical you ‘possess’. If we issue our NHS staff with individual ‘single-user’ devices, we can use the device and a PIN to authenticate the user (2FA). This is more secure than a username and password. I have written a separate blog explaining the advantages that approach would bring.

Another risk which a PIN can mitigate is simply where it is better than the alternative – no PIN at all. Again using a banking analogy – we now have “tap-to-pay”, where we no longer need to use a PIN to make purchases up to £40. For more expensive purchases we are still required to enter one, as the PIN adds the extra protection factor. Similarly for online purchases the banks introduced the CVC code on the back of the card – and that is effectively only a 3 digit PIN!

Interestingly we can appreciate now why an assigned 3 digit number might be more secure than a user made up 4 digit PIN. You wouldn’t be able to guess a random 3 digit number correctly 19% of the time!

So, in summary there are 2 scenarios where a PIN code may enhance both security and usability. These are:

  • in conjunction with a smart-card or personal device (2 factor authentication)
  • if we use a PIN as added protection, on top of existing measures

When would we need to do that in healthcare?

To answer that we need to look at how we use our clinical systems. There are other clinical and security risks we need to include in the risk assessment too…

What risks is the PIN addressing?

In NHS hospitals, we have a number of risks around the use of shared devices.

A clinical user (user A) may login to a computer or tablet and then leave it unattended. The user may forget to logout – or consciously decide not to…

In the meantime another user (user B) steps up to the computer. This can be almost as soon as the first user has left. Again, consciously or subconsciously, they start using the system under the original user’s login.

Believe me this is very common. I confess I do it myself – e.g. if we need to quickly check a patient’s blood result and a colleague is already logged in – we don’t think twice about it. Logging out and back in again takes time. What is the harm in that anyway – we may ask? We are working as a team to care for the patient.

It is true – the risk of patient harm is likely to be low in that particular scenario where we are working as a team. That’s what we do as clinicians – we are constantly doing little risk assessments. If I quickly check this result I can get back to the patient then and devote more time to the things that really matter.

So what risks are we trying to address ?

Well, one potential clinical risk of sharing workstations is that users can get confused as to which patient record they are looking at, and act on the “wrong patient”. The first user (user A) comes back to the PC and doesn’t notice the patient has been changed by the other user (user B). User A continues where they left off – perhaps they look up a test result and are falsely reassured, because they are looking at the wrong patient. Bad things happen. You can see how that might occur.

Another risk is to the integrity of the patient record – especially when you start making entries into the system – as those entries are then recorded against someone else – the wrong user. You don’t intentionally set out to do that – it is an unintended consequence of using the system under another user’s login. This can also have clinical consequences.

I used to notice this in radiology. We have a policy of phoning through urgent results. I’d contact the referrer only to be told that they didn’t request the scan – someone else must have ordered it under their login. This is a risk. It is important we know who the referrer is so we can communicate the findings to the right clinical team. We are also required to validate the referrer under UK legislation (IR(ME)R, the Ionising Radiation (Medical Exposure) Regulations).

It is difficult to detect these ‘integrity’ issues by looking at the patient record. As far as the system is concerned, it is the original user logged in and all actions are logged against that active user, for the active patient. You need to observe this in practice, as a fly-on-the-wall, to see what is really happening.

As well as the clinical risk, another consequence of ‘wrong patient’ and ‘wrong user’ is that it compromises system security and audit. Security is set at role, user and patient level – so restrictions on access to functionality and to specific patients are bypassed if the system is used under another user’s login. Audit trails are circumvented. If you aren’t sure who viewed or entered what in the patient record, it is difficult to get to the bottom of events. This can hamper incident investigations.

For example we found this when we initially deployed our electronic nursing record. We were monitoring the data closely to check for possible errors – e.g. an observation entered that was out of keeping with the rest. Could that have been an observation on another patient, entered by mistake? The ‘wrong patient’. If we were unsure, we would attempt to contact the user that entered the observation to better understand what might have happened – only to discover it wasn’t their entry – it was the ‘wrong user’. Someone else must have entered the observation under their login – and we didn’t know who. We could sometimes work it out from other information in the shifts and handover but it wasn’t easy.

This problem also exists when using an NHS smart-card on a shared workstation. This was flagged as an issue during my days working with the national programme. The login procedures at the time were not as seamless as had been envisaged. As a result we had stories of users deliberately leaving their smart-card in the reader so everyone could get on with their business. The login process was impractical for those working in busy areas and users had come up with a workaround. As they say – “Where there’s a will, there’s a way”.

The smart-cards were designed to enhance security. The clinical users were more concerned about delivering patient care. By not taking into account the users’ needs we had inadvertently made our systems less secure than they had been in the first place!

Isn’t this bad practice? Why don’t we simply enforce the rules?

One way of addressing this is by rigorously enforcing policies and procedures. Tell users they have to log out, especially on shared workstations. Hold them to account with zero tolerance. Make examples of them and use disciplinary procedures to deter others.

We do need policies but these can only take us so far. None of us would want to work for an organisation that is uncaring and places more emphasis on targets than patient care. It is also a fact that policies are often used as a surrogate to mitigate the risks of poor system design.

This is a systemic problem – we can mitigate the risk, and help enforce the rules, by reviewing the system design and usability.

So how does a PIN help here?

A PIN is a simple way to help validate the user and mitigate the risks. We can ask the user to enter a PIN to do specific actions, to help re-confirm their identity. This needs to be as quick and seamless as possible to ensure the system remains usable and does not put undue burden on the staff.

The purpose of a PIN here is to ensure the “user” is the person currently logged into the system – to mitigate the risks of using shared workstations and devices.

We are not fully authenticating the user – we have already done that when they logged in to the system. We are simply doing a quick check to help confirm it is still them. It is an appropriate balance of security and usability.

There are 2 areas where we have implemented the additional PIN code validation:

  • On the system privacy screen (enhanced system privacy lock)
  • On starting specific activities (action based PIN check)

Enhanced system privacy lock

We implemented this first on our system lock screen – at application level. If you are inactive on the EPR for 5 mins then a privacy screen comes up. This screen now has the dual purpose of hiding the patient data and showing who is logged in. You simply enter your PIN to continue where you left off. As it’s only 4 characters, it’s quicker than typing your full system password.

The security risks of the PIN are minimal as it is restricted in its use.

  • You have 3 attempts to enter your PIN in case you mistype. If you get it wrong you are taken to the system login screen to enter your full credentials.
  • The PIN is active only on that workstation, and only as long as the user session remains active. Once the session has ‘expired’ the user is required to log on and enter their full credentials.

The standard session duration is determined by the user, their role and the activity they are performing. By default it is 20 minutes. So the PIN is only active for 15 minutes at most – on that workstation alone – from when the screen lock comes on at 5 mins until the session ends at 20 mins due to inactivity.

If you leave the computer and come back to the screen lock – and see that a different user is now logged in – then you click the “Log out” button and log yourself back in the usual way; for us that is with your username and password.

What about the windows lock screen? Doesn’t that do the same thing?

Yes, the Windows screen lock is similar but requires your full password, which takes a bit longer to enter. This is a pain if you have to do it repeatedly. Hospitals usually compromise on this and set a longer time before the Windows screen lock comes on, to achieve a balance between security and usability.

We are making a similar balance of security and usability by implementing the screen lock at application level – but instead of lengthening the time before the screen lock comes on, we are using a simpler passcode as we believe that is the lesser risk.

For us, the Windows screen lock is also of limited value. This is because historically we have had to make a compromise between security and usability in the busy areas, where the risk of using shared workstations is greatest. In those areas the workstations are set up to use a shared Windows login, as it takes too long for each user to keep logging out of and back into Windows each time.

This means everyone uses the same generic username and password to open the windows session, and then each user logs in separately into the clinical application. The security and PIN code therefore needs to be at the application level. This is quicker than each user logging into the operating system. It is not ideal to use a generic Windows login but it’s a compromise we and many other organisations have made to keep our services functional.

How does this work if you have more than one EPR window open?

With our EPR, as it is web-based, it is possible to have more than one EPR session active at a time on the same PC. In theory, this means two or more users can use the same workstation at the same time. This can be useful but it is discouraged as it increases the risks of ‘wrong user’ and ‘wrong patient’.

The screen lock helps in this scenario by enabling users to lock their session whilst still keeping it active. We use the F12 key or the ‘Lock’ icon in the application to activate the screen lock when leaving the PC. To unlock, you quickly enter your PIN to pick up where you left off. If there are 2 or more EPR window sessions active, this helps ensure you reopen the correct one.

Action based PIN check

We also prompt users for their PIN code when starting specific activities. We try to keep that at a minimum as the user has already authenticated by logging into the system.

The action based PIN check is again mitigating the risk that the original user has forgotten to log out or lock their session, and someone else is now using the workstation. As we have the automatic system privacy lock – this can only happen if another user starts using it in the 5 minutes before the screen lock is activated. As discussed this can be quite common in busy clinical areas.

This risk of “wrong user” is more difficult to manage as there is no way for the system to tell it’s not the original user. There are other things we can do such as reducing the amount of computer sharing by providing users with their own personal single-user devices. To completely remove the risk though we would need to remove all computers in shared working areas. That is not a realistic possibility currently.

We therefore require the user to reconfirm their identity before performing some specific actions in the system.

For example you may be asked for your PIN if you are prescribing a transfusion or specific procedures and treatments e.g. radiotherapy, restricted medications etc.

We have designed our EPR forms engine so that a PIN control can be added to any system form. This enables our clinical teams to decide as to whether they wish to include it, balancing the usability and risks.

Similar to the privacy lock screen, if you get the PIN wrong 3 times it logs you out and you need to re-login to continue.

How do users set their PIN?

I mention this as we took a novel approach. You may have noticed that in the screenshots above – we don’t actually ask our users to set their PIN…

As we have an in-house system we have had more flexibility to experiment. We decided to keep this as simple as we could for users by automatically setting the user’s PIN code to be the first 4 characters of their full login password. This means our users don’t have to set and remember a PIN in addition to their password.

An added benefit is if the user is confused and starts to type in their full password it will still work. The user begins typing and after the first 4 characters the system automatically checks and verifies the PIN.

If you are familiar with password security you might wonder how we do that, as user passwords are stored only as one-way hashes. You shouldn’t be able to work out what the first 4 characters of a user’s password are – that is the point of hashing them in the first place!

We achieved this by temporarily saving a separate salted hash of the first 4 characters at the moment the user logs in, while the password is still available in plain form. There is no permanent storage of this – it is only held in memory on the device for the duration of the session. Any PIN check is done against that hash, and the hash is automatically destroyed at the end of the session. One caveat is worth stating: because the PIN is a prefix of the password, it has to be protected with the same care as the password itself – anyone who sees it being typed has learnt the first 4 characters of your full password.
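The mechanics described in the last three sections – the 5-minute privacy lock, the 3-attempt limit, the 20-minute session, the action-based check and the password-prefix PIN – fit in a small model. The following Python is an added example, not the author's EPR code. The action names, hash parameters and any timings not quoted in the text are assumptions. The PIN hash is salted and exists only inside the session object, and the check compares the first 4 characters of whatever was typed, so a user who types their full password is still let through.

```python
import hashlib
import hmac
import os

# Added, constructed example modelling the session-scoped PIN described above. It is not
# the blog's EPR code. Assumptions: the PIN is the first 4 characters of the login
# password, the privacy lock engages after 5 idle minutes, the session expires after 20,
# three wrong PINs force a full re-login, and the actions listed below are the ones
# a clinical team has flagged as needing a PIN re-check.

PIN_LENGTH = 4
LOCK_AFTER = 5 * 60          # seconds of inactivity before the privacy screen
SESSION_LENGTH = 20 * 60     # seconds of inactivity before the session ends
MAX_PIN_ATTEMPTS = 3
PIN_PROTECTED_ACTIONS = {
    "prescribe_transfusion", "prescribe_restricted_medication", "request_radiotherapy",
}


class EprSession:
    """One application session on one workstation; the PIN hash exists only inside it."""

    def __init__(self, username: str, password: str, now: float) -> None:
        self.username = username
        self.last_activity = now
        self.locked = False
        self.ended = False
        self.pin_attempts = 0
        # Salted hash of the password prefix. Held in memory for this session only; the
        # full password is never retained and nothing is written to the database.
        self._pin_salt = os.urandom(16)
        self._pin_hash = self._hash_pin(password[:PIN_LENGTH])

    def _hash_pin(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._pin_salt, 20_000)

    def state(self, now: float) -> str:
        """'active', 'locked' (privacy screen, PIN accepted) or 'expired' (full login needed)."""
        if self.ended or now - self.last_activity >= SESSION_LENGTH:
            self.end()
            return "expired"
        if now - self.last_activity >= LOCK_AFTER:
            self.locked = True
        return "locked" if self.locked else "active"

    def lock(self) -> None:
        """F12 / lock icon: hide the patient data but keep the session alive."""
        self.locked = True

    def end(self) -> None:
        """Destroy the in-memory PIN material; from here only a full login helps."""
        self.ended = True
        self.locked = True
        self._pin_hash = b""
        self._pin_salt = b""

    def check_pin(self, typed: str, now: float) -> str:
        """Verify the first PIN_LENGTH characters of whatever was typed, so the full
        password also unlocks. Returns 'ok', 'retry' or 'logout'."""
        if self.state(now) == "expired":
            return "logout"
        candidate = self._hash_pin(typed[:PIN_LENGTH])
        if hmac.compare_digest(candidate, self._pin_hash):
            self.pin_attempts = 0
            self.locked = False
            self.last_activity = now
            return "ok"
        self.pin_attempts += 1
        if self.pin_attempts >= MAX_PIN_ATTEMPTS:
            self.end()
            return "logout"
        return "retry"

    def perform(self, action: str, now: float, typed_pin: str = "") -> str:
        """Run an action. Flagged actions re-confirm identity with the PIN first."""
        current = self.state(now)
        if current != "active":
            return current          # privacy screen or full login screen
        if action in PIN_PROTECTED_ACTIONS:
            result = self.check_pin(typed_pin, now)
            if result != "ok":
                return result       # 'retry' keeps the form open; 'logout' ends the session
        self.last_activity = now
        return "done"


if __name__ == "__main__":
    s = EprSession("dr_a", "Tr0ub4dor&3!", now=0)
    print(s.perform("view_results", now=60))                              # done
    print(s.state(now=60 + LOCK_AFTER))                                   # locked
    print(s.check_pin("Tr0ub4dor&3!", now=400))                           # ok (full password also works)
    print(s.perform("prescribe_transfusion", now=500, typed_pin="9999"))  # retry
    print(s.perform("prescribe_transfusion", now=510, typed_pin="Tr0u"))  # done
```

Two points a reviewer would raise on a real implementation: the check has to run where a user at the keyboard cannot tamper with it (for a web-based EPR that means the server side of the session, not only browser script), and the PIN field should be masked exactly as a password field is, because of the prefix caveat above.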

Can you confirm the user identity without using a PIN?

There are other ways we can confirm user identity. Some offer further advantages, others are more cumbersome.

We could ask the user for their full username and password, as we do with the Windows lock screen. This takes longer to enter and is therefore less efficient. Users do not appreciate being asked to log in repeatedly as it adds to the clinician burden.

If you have an NHS smart-card (chip-and-PIN) you could periodically ask users to re-authenticate by re-entering the passcode. This is an option if your application supports it, and if it is quick and efficient.

If you have truly ‘personal’ single-user devices that are set up for individual use, then you can use the device authentication alone. The risks are mainly around using ‘shared’ devices, so largely go away if you remove that scenario.

There are 3 other alternatives we have looked at to help confirm the identity of the user on shared workstations and devices. Like a PIN code, these can all enhance the security of the system and not unduly affect the user experience.

  • Tap and go systems
  • Biometric checks
  • Confirmation screens

Tap-and-go systems

If you have invested in a “tap and go” system then a quick tap of a card (or token) could be quicker than entering a PIN. This is similar to “tap-to-pay” introduced for low risk payments on bank cards.

There is still the risk with “tap and go” that the user can leave the workstation and forget to log out. None of the systems I’ve seen implemented in the NHS automatically end your session when you walk away from the screen. It is still possible therefore for someone to step in and use the system under your login.

Some “tap and go” systems address that by having your token on an elasticated strap. As soon as you walk away it pings off and suspends the session so someone else can use the device. You often see these in bars and restaurants so staff can share the same till. I have yet to see these trialled in hospitals – I would be interested to know if anyone has?

Biometric checks

Biometrics have become the standard means of authentication on mobile devices, relegating the PIN to a secondary method. Fingerprint or face recognition can be used. These are excellent for personal ‘single user’ devices. Unfortunately they do not typically support multiple users sharing the same device, which is the risk we are trying to mitigate here.

It is possible to deploy biometric readers on shared PC workstations, often as part of a single-sign-on (SSO) authentication system. Again these can add value by simplifying authentication, but they do not mitigate the risk of the user leaving workstation and forgetting to log off. You can’t keep your finger permanently on the button.

That said, if each user has their own individual ‘personal’ single-user device then the risks are fully mitigated. We can then use the inbuilt device biometrics to authenticate the user. If you are interested in reading more about that, please see my separate blog below.

I’m sure in future all systems will support simple biometric identity checks for both staff and patients. These should enhance clinical safety, security and usability significantly.

Confirmation screen approach

The third method is the most simple but least secure. We have implemented an easy practical alternative to using a PIN for certain activities. I tried this simpler approach first for radiology requesting. As with the PIN check, we show a screen with the user’s name displayed clearly. We already know who is logged in. Rather than asking the user to enter their PIN to confirm their identity, we simply ask the user to confirm with a single click.

This is a simple honesty check and it is quicker than entering a PIN. Our users aren’t intentionally requesting under another user’s login – it is an unintended consequence of using shared workstations. If users are prompted with this screen we found they will click the “No” button so the request can be entered under the correct clinician.

For this to work it helps if this is made as quick and efficient as possible. In our case, if the user clicks “No”, the system asks for their full login credentials and then allows them to continue where they left off with same patient and screen. If we made the process any more difficult, I suspect it would be less useful as the user may be less inclined to comply.

Conclusion

A PIN code is a valuable addition to an EPR. It can provide a useful compromise between security and accessibility, whether you are using a smart card or not.

Although a PIN code isn’t ‘secure’ on its own, it can enhance security if it is used as part of 2FA or in specific scenarios. Entering a PIN is a quick and effective way to confirm it is the same user still logged in, and so mitigate the risk of users forgetting to log out on a shared workstation.

Usability is an important factor. Poor usability has a negative effect and can add to the clinician ‘burden’. The NHS security guidance recognises this, and recommends we do appropriate risk-balance assessments in determining our local password policies. A PIN code is a practical alternative, if implemented in the ways I have described. In our experience users are willing to support this providing the risks and benefits are made clear.

I have described our implementation as it has had a positive impact for us. The risks have been mitigated. Radiology now find it easier to communicate urgent results as the referrer is more often who the system says they are, which is also a legal requirement. We are more assured in validating data, looking at the system logs and performing incident investigations. We have been able to tighten security without unduly compromising the usability of the system.

Where possible, I recommend the use of single-user personal devices as these can fully mitigate the risk of using shared workstations and devices. If this is not possible, the use of a PIN code or the alternatives of “tap-and-go” system, biometric checks and confirmation screens may all add value as they are quick and simple to use. We hope to experiment more with these in future. I’ll let you know how we get on…

If you are interested in reading more about that, please see my separate blog “Should we issue all NHS staff with ‘personal’ devices?”.



Author: Rhidian Bramley

Consultant Radiologist at the Christie NHS Trust. Clinical lead for diagnostics, digital and innovation at Greater Manchester Cancer.
