Passkey technology is elegant, but it’s most definitely not usable security

This article gives an excellent overview of passkey technology, the current challenges it is facing, and sensible ways forward.

Essential reading for non-experts with an interest in authentication in health:

3 Likes

Even when using passkeys, it sounds like it’s still smart to use a password manager to store your backup passwords. To my mind, using a password manager really is a bare minimum for personal cyber security these days.

Setting them up can take a bit of work though, and people can get confused by all the different options out there. My personal favourite is KeePass, with the keyfile placed in cloud storage so it can be accessed on multiple devices (including work devices). I use this for personal and work passwords (don’t think there is any good security reason why these should be stored in different places, it just makes things harder to use).

When I was at Inland Revenue in 2017 during their business transformation, there was a big push to get staff using password managers - for both personal and work use. A couple of password manager options were made available on work devices. This was a nice way of supporting staff security practices, both at home and in the workplace. I think it would be great if Health NZ did something similar. Even if just 50% of staff were on a password manager, it would probably make a big difference.

The only thing I’m not sure about is security for shared devices in hospitals. What are some good approaches that balance security and usability? I remember reading something about a new solution that involved using swipe cards that unlock devices, this seemed like a good approach. We are developing some cyber security procedures at Health NZ at the moment, so any ideas or insights are much appreciated!

2 Likes

Hey @Chris.Mcdowall,

appreciate I’m dusting off an ancient thread here, but if you’re still developing cyber security procedures at Health NZ, I’d love to have a chat.

My wife is a hospital doctor, using shared terminals all day and from what I hear, the reality is that terminals are consistently left unlocked. Many doctors use a device that is already logged in out of convenience, with obvious consequences for traceability/accountability.

I’ve got a personal interest here because I founded SecuriChair, a startup based at UoA building chairs that automatically lock the user’s computer screen when they leave their seat. We’re in use by GPs, but have not been trialled in hospitals yet (although we’d like to).

cheers,

Alex

2 Likes

Kia ora Alex, didn’t see your reply until just now, sorry (haven’t been checking my notifications on here).

Since my original post I’ve come across Imprivata’s ‘tap and go’ tool - where staff key cards can be used to unlock individual or shared devices (via a USB card scanner on the device). This was originally adopted at Counties Manukau, and I think other districts may also be looking at it. It certainly addresses the shared device issue. No idea what it costs, or how it measures up with the SecuriChair product.

Cheers, Chris

@Chris.Mcdowall
‘Imprivata’ is a great product - was widely used at Canterbury. Works best in a virtual session environment where many staff are sharing terminals in a busy environment. (Christchurch Hospital Emergency dept loved it - and it solves the problem of shared logins.)

1 Like

I’ve seen it used in the UK quite a bit, as well as a partial implementation in Southern.

It does look like a good product, but I’ve noticed a broad continuum of how good it is in practice. I guess it demonstrates that how a product is implemented is just as important as which product!

3 Likes