A recent study examined the prevalence of password sharing among healthcare providers and found nearly three-quarters of surveyed medical professionals have used another staff member’s password to obtain EHR access at work.
The study by Hassidim et al. was published in Healthcare Informatics Research and assessed survey responses from 299 healthcare professionals including residents, medical students, interns, and nurses.
The research team — including researchers from Harvard Medical School, Duke University, Ben-Gurion University of the Negev (BGU), and Hadassah-Hebrew University Medical Center — found that 73 percent of respondents reported using another staff member’s password to access an EHR at work. Over 57 percent of respondents estimated they have borrowed someone else’s password an average of 4.75 times.
Furthermore, 100 percent of all medical residents reported obtaining another medical staff member’s password with their consent. Seventy-seven percent of medical students and 83 percent of intern groups reported using someone else’s EHR access credentials because they had not been issued a user account.
A little over half of surveyed nurses reported using another staff member’s password.
“Unfortunately, the use of passwords is doomed because medical staff members share their passwords with one another,” wrote researchers. “Strict regulations requiring each staff member to have a unique user ID might lead to password sharing and to a decrease in data safety.”
The study demonstrated that the need to fulfill daily clinical and operational processes can prompt staff members to compromise security protocols and practices. For example, higher instances of password sharing occur when students or interns are asked to carry out a task they are not ordinarily authorized to complete.
Specifically, 56 percent of surveyed medical students and nearly 70 percent of interns stated their user access did not offer adequate authorization to fulfill their duties, prompting them to ask for someone else’s EHR access credentials. These frequent instances of password sharing could potentially weaken an institution’s overall level of EHR security.
“As demonstrated by these security incidents, the success of any regulation or technical security mechanism eventually depends on the actions of an organization’s personnel and their cooperation,” stated the report.
“The inherent trade-off between the security and usability of a system may drive users to break security regulations and circumvent security measures in an honest attempt to fulfill their duties,” they continued.
A security breach of a hospital or medical center’s EHR system could negatively impact clinical operations and lead to patient harm in instances where prescriptions or medical devices are affected.
To prevent such incidents, HIPAA requires healthcare organizations to enforce security measures and policies that include outlines of each medical staff member’s role and access privileges. Healthcare organizations are also required to establish processes for authenticating the identity of each staff member, controlling access to data, and auditing edits.
“Medical staff must provide timely and efficient care while maintaining patient confidentiality,” wrote researchers. “This may sometimes cause conflict between their duty and their obligation to meet security regulations.”
In response to these findings, researchers offered recommendations to reduce instances of password sharing and strengthen EHR security while streamlining daily clinical and operational tasks.
Researchers first recommended organizations make it easier and faster for medical staff members to obtain EHR access credentials. Researchers especially stressed the need to expedite lengthy registration processes for medical students, interns, and other new employees. Improving EHR usability and allowing for faster, more efficient EHR access could deter security violations.
Additionally, researchers recommended understaffed hospitals delegate administrative tasks and extend EHR system access to para-medicals, junior staff members, interns, and medical students during on-call hours. According to researchers, extending access privileges can lead to less password sharing and improved health data protection.
Finally, researchers advised adding an option for each EHR role granting maximum privileges for one-time use. A senior physician and a protected health information (PHI) security officer would be informed whenever this option is used. The option would allow junior staff members to make urgent care decisions under retrospective supervision while abiding by the facility’s security measures.
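The one-time elevated access described above is commonly called break-glass access. The sketch below is an added example, not code from the study or from any EHR product; the class name, the 15-minute expiry, the required reason field, and the in-memory outbox standing in for a real alerting channel are all assumptions.

```python
import secrets
import time
from dataclasses import dataclass, field

# Roles the article says must be informed whenever the option is used.
NOTIFY = ("senior_physician", "phi_security_officer")

@dataclass
class BreakGlass:
    ttl_seconds: int = 900                          # assumed expiry for an unused grant
    grants: dict = field(default_factory=dict)      # token -> grant record
    audit_log: list = field(default_factory=list)   # append-only record for later review
    outbox: list = field(default_factory=list)      # stand-in for pager or e-mail alerts

    def _record(self, event, user, reason, now):
        entry = {"ts": now, "event": event, "user": user, "reason": reason}
        self.audit_log.append(entry)
        for role in NOTIFY:                         # every event reaches both reviewers
            self.outbox.append((role, entry))

    def request(self, user, reason, now=None):
        """Issue a single-use elevation token tied to the requester's own account."""
        now = time.time() if now is None else now
        if not reason.strip():
            raise ValueError("a clinical reason is required")
        token = secrets.token_urlsafe(16)
        self.grants[token] = {"user": user, "reason": reason,
                              "expires": now + self.ttl_seconds}
        self._record("break_glass_granted", user, reason, now)
        return token

    def authorize(self, token, user, now=None):
        """Return True once per token; later, expired, or foreign use is denied."""
        now = time.time() if now is None else now
        grant = self.grants.pop(token, None)        # pop makes the grant single-use
        if grant is None or grant["user"] != user or now > grant["expires"]:
            self._record("break_glass_denied", user,
                         "invalid, expired, or reused token", now)
            return False
        self._record("break_glass_used", user, grant["reason"], now)
        return True

if __name__ == "__main__":
    bg = BreakGlass()
    tok = bg.request("intern_a", "urgent medication order")  # constructed sample input
    print(bg.authorize(tok, "intern_a"), bg.authorize(tok, "intern_a"))
```

Because the grant is bound to the junior staff member's own user ID, the audit trail attributes the action to the person who performed it, which a borrowed password cannot do.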