Usability and cybersecurity: A careful balance
Consider the security of a house. There may be one large system protecting the exterior, with locks on each door inside to protect different rooms. If it were completely locked down, navigating through the house would prove difficult. Unlocking each door along your journey would be cumbersome and inefficient. However, if each door were unlocked, including the one to the outside, it could prove unsafe. In this scenario, the tradeoff is clear: the more usable something is, the less secure it can be.
But what if we were considering the security of a hospital instead of a house? Patient data, for example, is essential to the daily work of the staff. However, it’s also incredibly valuable to those who want to steal it. So, what method works for both staff and security to protect this valuable information while keeping it usable? A couple of things to consider. First, financial concerns need to be weighed, since hospitals are running on tighter budgets with more limitations. More protection unfortunately also leads to a higher cost, so affordability is often a priority when choosing security measures. Second, staff burnout is an important consideration, because tight security generally comes with more complicated log-in measures, which can lead to frustration.
Unfortunately, there is no perfect answer for cybersecurity measures in healthcare, only that each organization must find its own individual balance between usability and security. While security measures generally make items less convenient to access, the security industry is committed to making this burden as unobtrusive as possible to users.
For instance, the security concept of “Zero-Trust” is built on the premise that there is no “trust” between devices on a network. In a hospital setting, this concept, while one of the most secure, can render the daily work of staff members almost unbearable. However, instead of being required to type a long, complex password into every network-connected device in an office (which normally number in the teens or more), staff members can be outfitted with a secure badge that performs authentication at each station with just a simple tap. Thus, while there is a small inconvenience of needing to tap a badge, the security of the hospital and its devices is greatly improved. Of course, if staff members are badging in, there must be a tap-out measure so that computers can be left unattended securely. While this does add an extra step, it is less cumbersome than having to hit “control + alt + delete” and ensures data is protected. Therefore, a badge-in-badge-out, Zero-Trust security system can result in a healthy balance between usability and cybersecurity.
Just like a house, organizations must find the right balance between being secure and being usable. It can be tricky, but protection is paramount when it comes to patient data and other valued resources. At Altera, we’re committed to bringing next-level healthcare delivery within reach.