Enduring the Endless Password Shuffle in Radiology

I just replaced the TV that came with my house. It was a formidable beast back in its day (pre-2015), but the thing was overdue to go. It was old enough that, with a 65-inch screen, it took up about as much space as — and probably weighed more than — the 85-inch device that now sits in its place.

The folks selling the house left it, as much as for any other reason, because taking it down from the wall and hauling it away would have been too much of a chore. That was also why I kept dragging my feet in replacing it for the past decade. I had plenty of time to dream about all of the technological updates that I would be enjoying when I finally got around to upgrading. Front and center were the perks of a “smart TV.”

I wasn’t super well-versed in what those perks actually were, and I didn’t really need to be. More fundamental specs were front and center for me in terms of resolution, refresh rate, etc. Still, I liked the idea that I would be able to wirelessly project cell phone or PC screens to the TV, directly use streaming services rather than go through my cable box or video game console, etc. Plus, as cutting-edge tech, it would know what I wanted and make it happen with nary a moment’s effort.

Well, that is not quite true for that last bit. The gizmo certainly has capability to do these things, but there is some learning to be done regarding where various menus are and what devices can be “seen” by the TV. For instance, plugging my DVD drive directly into it with the drive’s USB is a no-go. The TV wants HDMI or it will disregard the drive.

Then one enters the identity verification maze, especially when it comes to wireless connections or making two different accounts “talk” to each other, such as Samsung and Hulu.

Once upon a time, it was possible to go through life with few if any passwords. As a kid, I had none at all. Then ATMs became a thing and memorizing a 4-digit PIN entered the picture. That wasn’t a big deal, and the same code could be used for other things, like when telephone answering machines could be accessed via touch-tone call for checking messages when you were away.

Fast forward to today when there are different rules for every password you have in terms of how many numbers, letters, and “special characters” required, how frequently you have to change the PW, and whether or not you can ever reuse a PW from the past. Even if you like a word or two enough to commit to memory, it won’t fit the rules for more than a few of your accounts.

You wind up either maintaining a little notebook to keep track of it all or throwing your hands up and handing it over to a third-party password manager. Outfits like Google have gone so far as to “suggest” random character sequences that they will remember for you, and most users reflexively click on the “accept” button without writing down their own password. They wouldn’t be able to cough it up with any amount of effort if the managing entity failed or went away.

Maybe at some point this was all supposed to improve security, but I think that ship sailed a long time ago. All it does now is screen out the least capable, most unmotivated crooks.

Hardly a week goes by without a headline about some big-deal security breach and thousands, even millions, of accounts’ information being plundered. The fixes include creating a bunch of new passwords, and settlements covering “identity protection” services. One is supposed to believe that these third parties (including the ones storing the new passwords that many fed-up users can’t be bothered to remember) will somehow do better than the agencies that were just breached.

Health-care information is, of course, way up there in terms of what is supposed to be safe/secure. You can’t be in this field for more than a few days without having the fear of God put into you regarding HIPAA. The more you use computers for your work, the more gatekeeping you encounter. If rads aren’t the most impacted, we are right up there.

The game with logging in — and staying logged in — to do your routine work differs from one facility to the next. It is probably not enough for clear winners and losers in terms of security but certainly in terms of hassle-factor for the rads who have to jump through all the hoops. My current situation has me 1) Logging into my workstation at the beginning of the day, 2) Logging into the VPN, and 3) Logging into the PACS/RIS.

At any point during this, the underlying Microsoft account might decide it wants me to log into it again, which requires me to prove who I am via an “Authenticator” app. That is not even on my workstation. I have to get out and fiddle with my cellphone to appease the workstation.

It won’t surprise anybody who’s dealt much with Microsoft to know that it can be erratic, sometimes butting in during a workday to insist that you drop everything and reauthenticate. Plus, God forbid you have to reboot your machine for any reason, or step away from it longer than it thinks should be allowed. Then you get to do your beginning of the day routine all over again.

None of this is heavy lifting of course. It’s just a bunch of silly little steps that, as I mentioned above, never seem to quite render things really secure. Sooner or later, some careless individual leaves their workstation logged in or some miscreant hacks into the system, and calamity ensues. The solution? Another layer of fallible “security” becomes mandated for everyone.

One former employer of mine had a nice, tidy solution with a fingerprint reader that you would just touch, and it would satisfy whatever security systems needed to be in place. It probably won’t surprise you that some bit of software or other turned out to be incompatible with it, and the brief Golden Age of Fingerprint Authentication was a thing of the past.

I have dreamt of having an old-timey metal key to be inserted in a workstation and turned just like opening the front door of your home or starting your car (before keyless car fobs took away that satisfaction). Yes, of course there are ways that criminals can get around keys but if our choice is between a simple, one-step security measure that isn’t foolproof versus a complex, multilayered system that isn’t foolproof either, maybe it would be okay to opt for the former.