Current Security Approaches May Encourage EMR Password Sharing

Posted on October 19, 2017 | Written By

Anne Zieger is a veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com, and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @ziegerhealth on Twitter or visit her site at Zieger Healthcare.

In theory, you want everyone who accesses a patient’s health data to leave a clear footprint. As a result, it’s standard to assign every clinician using EMR data a unique user ID and password. Most healthcare organizations assume that this is a robust way to document who is using the system and what they do when they’re online.

Unfortunately, this may not be the case, which in turn means that providers may know far less about health data users than they think. In fact, this approach may actually undermine efforts to track health data access, according to a new study appearing in the journal Healthcare Informatics Research.

The researchers behind the study created a Google Forms-based survey asking medical and para-medical personnel whether they’d ever obtained another medical staff member’s password, and if so, how many times and what their reasons were.

They gathered a total of 299 responses to their questions. Of that total, 220 respondents (just under 74%) had “borrowed” another staff member’s password. Only 57% answered the question of how many times this had happened, but among those who did respond, the average was 4.75 episodes. All of the residents taking part had obtained another medical staff member’s password, compared with 57.5% of nurses.

The reasons medical staffers gave for sharing passwords included that “I was not given a user account despite having to use the system to fulfill my duties.” This response was particularly prevalent among students. Researchers got similar results for the reason “the permissions granted to me did not allow me to fulfill my duties.”

Given their working conditions, it may be hard for medical staff members to avoid bending the rules. For example, the authors suggest that doctors will at times feel compelled to share password information, as their duties are wide-ranging and may involve performing unplanned services. Also, during on-call hours, interns and residents may need to perform activities that require them to use others’ EMR account information.

The bottom line, the researchers said, is that the existing approach to health data security is deeply flawed. The current password-based approach used by most healthcare organizations is “doomed” by how often clinicians share passwords, they argue.

In other words, putting these particular safeguards in effect may actually have a paradoxical effect. Though organizations might be tempted to strengthen the authentication process, doing so can actually worsen the situation by encouraging system workarounds.

To address this problem over the long term, widely accepted standards for information security may need to be rethought, they wrote. Specifically, while the ISO standard bases infosec on the principles of confidentiality, integrity and availability, organizations must add usability to the list. Otherwise, it will be difficult to get end users to cooperate voluntarily, the article concludes.