- A new study by an international team of researchers found widespread sharing of EHR passwords, putting patients’ personal health information at risk, according to Healthcare Informatics Research.
- The researchers surveyed nearly 300 physicians and clinical support staff using a four-question Google Forms-based survey between January 2014 and January 2015 to gauge the extent they shared EHR access credentials. The survey was published on Facebook and was distributed to healthcare workers via email.
- Of all the respondents, 73.6% reported having received the password of another staff member. Just 171 respondents reported how often they obtained someone else’s password, with average being 4.75 times. All of the residents participating in the study and 57.5% of the nurses admitted using another staff member’s password.
“Our results show that current permission granting and authentication processes might cause more harm than good,” the authors of the study write. “In an attempt to achieve better security, usability is hindered to the level the users feel that the right thing to do is to violate the security regulations altogether.”
The study underscores a quandary as organizations try to secure an increasing array of digital systems against cyberattacks and PHI theft. “Pressures to succumb to convenience and ease of use are the biggest killers of security,” Robecca Quammen, CEO of MyConsultQ, told Healthcare Dive earlier this year.
According to the Ponemon Institute, 89% of healthcare organizations experienced a data breach in the past two years, and 45% had more than five breaches. The cost to the industry: an estimated $6.2 billion.
With cybercriminals increasingly targeting healthcare, the HHS Office for Civil Rights has pressed organizations to reassess their electronic authentication methods to ensure that someone seeking access to protected health information is who they claim to be. Some security experts believe broader use of multi-factor authentication would further help prevent data breaches.
The researchers make two recommendations. First, usability should be added as a key principle in planning EHR and other PHI records. And second, each EHR role should get an additional option that grants full privileges for one action. This would alert senior-level clinicians and security officers when the option is being used.
“This would allow junior staff to perform urgent, lifesaving decisions without outwitting the EMR, and under formal retrospective supervision by the senior members in charge,” the authors conclude.