While data on password sharing in healthcare is limited, one survey suggests sharing EHR passwords is a regular occurrence, especially among interns, medical students, and nurses.
The research was led by Ayal Hassidim, MD, of the Hadassah-Hebrew University Medical Center, Jerusalem, and also included researchers from Duke University, Harvard Medical School, Ben Gurion University of the Negev, and Hadassah-Hebrew University Medical Center. The survey was sent to 299 medical students, nurses, medical residents, and interns, and the results were recently published in Healthcare Informatics Research.
The data stored in EHRs is sensitive and must be safeguarded. Regulations such as HIPAA control access to that data. Everyone who requires access to the information in EHR systems must be given a unique user ID and password.
Any attempt to access protected health information must be recorded so that healthcare organizations can monitor for unauthorized access. If login details are shared with other individuals, it is no longer possible to accurately record which individuals have viewed health data, which is a violation of HIPAA Rules. The researchers remarked that sharing EHR passwords is one of the most common HIPAA violations and causes of healthcare data breaches.
The survey indicates that sharing EHR passwords happens regularly, even though the practice is not allowed by hospital policies and HIPAA Rules. 73% of all respondents admitted to using the password of another individual to access EHR records at least once. 57% of respondents estimated the number of times they had accessed EHR information; the average number of occasions was 4.75.
All medical students surveyed said they had logged onto EHRs using the credentials of another person, and 57% of nurses admitted to using another individual’s credentials to access EHRs. The reasons for doing so varied widely.
Common reasons for sharing EHR passwords were that permissions on the user’s account did not permit them to complete their work duties, that technical issues prevented them from using their own credentials, and that personal logins had not been assigned even though EHR access was required to complete work tasks.
The researchers suggest the provision of timely and efficient treatment is often at odds with security protections. The researchers said, “In an attempt to achieve better security, usability is hindered to the level the users feel that the right thing to do is to violate the security regulations altogether.”
The researchers issued two recommendations: “Usability should be added as the fourth principle in planning EMRs and other PHI-containing medical records. Second, an additional option should be included for each EMR role that will grant it maximal privileges for one action. When this option is invoked, the senior physician/the PHI security officer would be informed. This would allow junior staff to perform urgent, lifesaving decisions, without outwitting the EMR, and under formal retrospective supervision by the senior members in charge.”
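The second recommendation can be sketched in code. The following is an added example, not taken from the study or from any EMR product: it models a one-action emergency grant that notifies a supervisor and keeps every audit entry under the user's own ID. The role names, permission map, class and method names are hypothetical, and the grant expiry is an added assumption.

```python
import time
from dataclasses import dataclass, field

# Hypothetical role-to-permission map; a real EMR defines its own.
ROLE_PERMS = {"intern": {"read_chart"},
              "senior_physician": {"read_chart", "order_medication"}}
GRANT_TTL = 300  # seconds an unused grant stays valid (assumption, not from the study)

@dataclass
class Emr:
    audit_log: list = field(default_factory=list)      # every attempt, under the real user ID
    notifications: list = field(default_factory=list)  # supervisor / PHI security officer queue
    _grants: dict = field(default_factory=dict)        # user_id -> pending one-action grant

    def _audit(self, user_id, action, patient_id, basis):
        self.audit_log.append({"user": user_id, "action": action,
                               "patient": patient_id, "basis": basis})

    def break_glass(self, user_id, reason, supervisor, now=None):
        """Request maximal privileges for exactly one action."""
        if not reason.strip():
            raise ValueError("a justification is required")
        now = time.time() if now is None else now
        self._grants[user_id] = {"supervisor": supervisor, "expires": now + GRANT_TTL}
        self.notifications.append((supervisor, f"{user_id} invoked emergency access: {reason}"))
        self._audit(user_id, "invoke_break_glass", None, "break_glass")

    def perform(self, user_id, role, action, patient_id, now=None):
        now = time.time() if now is None else now
        if action in ROLE_PERMS.get(role, set()):
            self._audit(user_id, action, patient_id, "role")  # normal path keeps any grant
            return True
        grant = self._grants.pop(user_id, None)  # consumed here: one action only
        if grant and now <= grant["expires"]:
            self._audit(user_id, action, patient_id, "break_glass")
            self.notifications.append(
                (grant["supervisor"], f"review: {user_id} did {action} on {patient_id}"))
            return True
        self._audit(user_id, action, patient_id, "denied")
        return False
```

Because the elevated action is logged against the junior user's own ID, the audit trail stays attributable, which is what a borrowed password destroys.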