This appeared last week:
73 Percent of Medical Professionals Share Passwords for EHR Access
A vast majority of surveyed medical professionals and students report having used another staff member’s password for EHR access.
By Kate Monica
September 26, 2017 - A recent study examined the prevalence of password sharing among healthcare providers and found nearly three-quarters of surveyed medical professionals have used another staff member’s password to obtain EHR access at work.
The study by Hassidim et al. was published in Healthcare Informatics Research and assessed survey responses from 299 healthcare professionals including residents, medical students, interns, and nurses.
The research team — including researchers from Harvard Medical School, Duke University, Ben-Gurion University of the Negev (BGU), and Hadassah-Hebrew University Medical Center — found that 73 percent of respondents reported using another staff member’s password to access an EHR at work. Over 57 percent of respondents estimated they have borrowed someone else’s password an average of 4.75 times.
Furthermore, 100 percent of all medical residents reported obtaining another medical staff member’s password with their consent. Seventy-seven percent of medical students and 83 percent of intern groups reported using someone else’s EHR access credentials due to not being administered a user account.
A little over half of surveyed nurses reported using another staff member’s password.
“Unfortunately, the use of passwords is doomed because medical staff members share their passwords with one another,” wrote researchers. “Strict regulations requiring each staff member to have a unique user ID might lead to password sharing and to a decrease in data safety.”
The study demonstrated that the need to fulfill daily clinical and operational processes can prompt staff members to compromise security protocols and practices. For example, higher instances of password sharing occur when students or interns are asked to carry out a task they are not ordinarily authorized to complete.
Specifically, 56 percent of surveyed medical students and nearly 70 percent of interns stated their user access did not offer adequate authorization to fulfill their duties, prompting them to ask for someone else’s EHR access credentials. These frequent instances of password sharing could potentially weaken an institution’s overall level of EHR security.
“As demonstrated by these security incidents, the success of any regulation or technical security mechanism eventually depends on the actions of an organization’s personnel and their cooperation,” stated the report.
“The inherent trade-off between the security and usability of a system may drive users to break security regulations and circumvent security measures in an honest attempt to fulfill their duties,” they continued.
Lots more here:
https://healthitsecurity.com/news/73-percent-of-medical-professionals-share-passwords-for-ehr-access
The bottom line is that we need quicker, easier and effortless ways to securely authorize system access. Can that be all that hard?
David.
David, it will remain hard until the dinosaur vendors either change the way their archaic systems work (i.e. introduce biometrics, proximity etc), or purchases begin to demand better user experiences, including log in and auto log off. Security in healthcare is still very much a second class citizen.
Paul, perhaps Security need to learn how to become a partner with an uncontrollable future. We may be able to do this by paying more attention to shaping patterns. The ADHA has simply created a cyber security viewpoint, by nature a technical focus. Information to be useful to health professionals needs to be both protected and accessible.
It has been many years since anyone was bold enough to attempt to facilitate open and frank national dialogue on what access, privacy and security might emerge as in Australian healthcare.
The current narrative seems to be more focused on risk transfer and ... covering