Out of Control security Controls

My wife is a freshly minted doctor, and part of her residency involves working one day per week at a clinic that’s in a health system other than where she “normally” works.  The day of the week changes every week.

Recently, the health system added a new security control — they lock out all accounts that haven’t been used in the past seven days.  This means that approximately every-other-week she is locked out and needs to contact the helpdesk before she can see her first patient of the day.

Frustrated by the situation, my wife asked the local IT helpdesk for help.  The helpdesk offered her a solution: give one of the nurses her password so the nurse can log in a few times a week so her computer doesn’t get locked out.  The nurse, who was physically present during this interchange, objected strongly. Not for security reasons, but because she had better things to do.

My wife’s plan is to call the helpdesk every time she’s driving to the clinic to request that her computer be unlocked whether it’s locked or not.

Aye aye aye.

I think we all know those seemingly arbitrary numbers for password length, complexity, and expiration have consequences… but pick those numbers carefully, lest we waste countless hours of time — or lest people work around the system.