written by Brendan Pugh
In multi-user/multi-computer environments, the application of HSE security policy can in certain circumstances be a hard ask if approached in a strictly literal manner. A classic example of ‘one size does not fit all’ is that element of policy dealing with the limited use of "generic" domain accounts (accounts used to log on to a domain that are not associated with/owned by a specific person). The challenges faced by one of our critical front line hospital departments highlighted the need for a flexible yet risk-aware adjustment to the practical application of policy.
The hospital department’s personnel need to access a small shared group of computers for their routine work and this is typically done on a first-come, first-served basis. When dealing with patients, it is a frequent requirement to access online medical resources (e.g. drugs cross-reference material). Security policy dictates that internet access is not possible when signed in with the generic account. The result is that team members tend to sign in with their individual domain accounts, which do allow them access to the necessary online resources. What then tends to happen is that the team member in question vacates the computer while leaving him/herself logged on. The machine will invariably be used by another team member almost instantly and that person will, for reasons of expediency, not wish to log off and on again in their own name but rather will be inclined to simply use the open machine under the first team member's account.
The Department’s team would have made 2 distinct points in favour of addressing this problem by relaxing the controls on the generic account as follows:
- The urgent nature of the job does not allow for frequent logging on and off of individual domain accounts. The instantaneous accessing of online data has to be viewed as being the paramount requirement.
- The re-use of colleagues’ logon sessions is recognised as not being satisfactory as it too runs contrary to policy.
Security Matters Arising
The potential pitfalls of using a generic account for internet access centre on the identification of who accessed what and when. This would be of most significance when conducting investigations into inappropriate online behaviour. The flip side of the problem is that if a user cannot be identified then, by definition, attention remains on the team as a whole and this could prove to be contentious in its own right.
The Department heads undertook to assume collective responsibility for the use of the generic account. Since the computers in question would be within open sight, it was felt that the monitoring of activity on them would be straightforward. It was also pointed out that staff rostering details coupled with security cameras in the department would assist with investigations into inappropriate use.
At corporate governance level, it was agreed that reports on blocked access attempts by staff would be generated at regular intervals and that these would be evaluated by the hospital to determine if any action was required.
On the basis of commitments given, it was decided to open internet access on a group of 8 machines in the Department. This was accomplished through the creation of a dedicated domain group for these computers and the application of a new domain policy against that target group.
While it would hold true that the principle behind HSE security policy should always have universal application, the reality in terms of impact on key operational areas will sometimes call for a common-sense intervention so as to ensure that the core objective of delivering care to patients is achieved.
In the case of the hospital department, a relatively straightforward accommodation has resulted in a small yet helpful adjustment to the staff's interaction with the I.T. systems which they need to carry out their work as effectively as possible.