EHR password sharing rampant among hospital staffs, study says
Despite all the resources invested in technology to protect the private patient information, a new study spotlights once again the vulnerability of human factors when it comes to healthcare data security.
Healthcare organizations, of course, require unique user IDs for staff members and ensure that medical records are password-protected. But a new report questions how closely guarded those passwords are kept.
In the report, published in Healthcare Informatics Research, academic researchers in Israel (Hadassah-Hebrew University Medical Center, Ben-Gurion University of the Negev) and the U.S. (Brigham and Women's Hospital, Duke University) explored just how common it is for digital patient data to be accessed by people without specified privileges.
"One of the most common breaches of PHI is the use of another’s credentials to access patient information, i.e., the use of the EMR password of one medical staff member by another," they said.
"This kind of act is both unethical and dangerous," they added. "However, the extent of this practice has not been previously assessed. We have tried to determine the scale of this violation by conducting an Internet-based, open survey to assess the prevalence of access credentials sharing among medical and para-medical staff members."
The researchers created a four-question survey that was taken by 299 "medical and paramedical personnel." Each poll-taker was asked whether he or she had ever obtained the password of another medical staff member, and, if so, how many times and why.
The results showed that 220 (73.6 percent) of participants had obtained the password of another medical staff member. Of the 171 respondents who explained how often that had happened, the average was nearly five times.
Fifteen percent of the poll-takers were medical residents (45 in total) and every one of them said they'd obtained the password of a colleague at some point. Of the 66 nurses who took the survey, a bit more than half (57.5 percent) said they'd shared access credentials.
Why would they do this?
"The reason 'I was not given a user account despite having to use the system to fulfill my duties' was significantly more common among students than among non-student (working) staff members," according to the report. "Similar results were found for the reason 'The permissions granted to me did not allow me to fulfill my duties,' comparing students and nonstudent staff members."
The researchers suggested two recommendations: "First, usability should be added as the fourth principal in planning EMRs and other PHI-containing medical records," they said.
Second, an additional option should be included for each EMR role that will grant it maximal privileges for one action. When this option is invoked, the senior physician/the PHI security officer would be informed. This would allow junior staff to perform urgent, lifesaving, decisions, without outwitting the EMR, and under formal retrospective supervision by the senior members in charge."
The challenge to data security, they said, is that medical staff share authorized credentials, even though they know they shouldn't, in the interest of efficiency. It's an "ambivalence that we all share as medical staff," they said. "We know we should not share ACs, but we still do so."
Perhaps an even greater risk, is that "reduction of ethical standards is a contagious behavior," they added. "As medical personnel, we know that sharing PHI is part of medical treatment, mainly when consultant help is required. We are afraid that, while residents share both legitimate information to give the best care to their patients and their ACs to fulfill their duties, there is an increased chance that they will feel free to share more information about their patients that is not simply related to their medical treatment."