While data on the practice of password sharing in healthcare is limited, one survey suggests the practice of sharing EHR passwords is commonplace, especially with interns, medical students, and nurses.
The research was conducted by Ayal Hassidim, MD, of the Hadassah-Hebrew University Medical Center, Jerusalem, and also involved researchers from Duke University, Harvard Medical School, Ben Gurion University of the Negev, and Hadassah-Hebrew University Medical Center. The study was conducted on 299 medical students, nurses, medical residents, and interns, and the results of the survey were recently published in Healthcare Informatics Research.
The information stored in EHRs is sensitive and must be protected. Regulations such as HIPAA control access to that information. All individuals who require access to the information in EHR systems must be issued with a unique user ID and password.
Any attempts to access protected health information must be logged to allow healthcare organizations to monitor for unauthorized access. If login credentials are shared with other individuals, it is no longer possible to accurately record which individuals have viewed health information – a violation of HIPAA Rules. The researchers note that sharing EHR passwords is one of the most common HIPAA violations and causes of healthcare data breaches.
The survey suggests that sharing EHR passwords is commonplace, even though the practice is prohibited by hospital policies and HIPAA Rules. 73% of all respondents admitted to using the password of another individual to access EHR records on at least one occasion. 57% of respondents estimated the number of times they had accessed EHR information; the average number of occasions was 4.75.
All medical students surveyed said they had accessed EHRs using the credentials of another individual, and 57% of nurses admitted to using another individual’s credentials to access EHRs. The reasons for doing so were highly varied.
Common reasons for sharing EHR passwords were that permissions on the user’s account did not allow them to complete their work duties, that technical problems prevented them from using their own credentials, and that personal logins had not been issued even though EHR access was required to complete work duties.
The researchers suggest the provision of timely and efficient care is often at odds with security protections. The researchers noted, “In an attempt to achieve better security, usability is hindered to the level the users feel that the right thing to do is to violate the security regulations altogether.”
The researchers made two recommendations: “Usability should be added as the fourth principle in planning EMRs and other PHI-containing medical records. Second, an additional option should be included for each EMR role that will grant it maximal privileges for one action. When this option is invoked, the senior physician/the PHI security officer would be informed. This would allow junior staff to perform urgent, lifesaving, decisions, without outwitting the EMR, and under formal retrospective supervision by the senior members in charge.”
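The second recommendation describes what is often called a "break-glass" control: a one-action elevation that stays attributed to the requester's own user ID and notifies a supervisor. The sketch below is an added example, not code from the study or from any EMR product; the class, role names, actions and user IDs are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Hypothetical role -> permitted actions map (constructed for this example).
ROLE_PERMISSIONS = {
    "intern": {"view_chart"},
    "senior_physician": {"view_chart", "order_medication", "sign_discharge"},
}

@dataclass
class EmrSession:
    user_id: str            # unique ID of the person actually logged in
    role: str
    supervisor_id: str      # senior physician / PHI security officer to inform
    audit_log: list = field(default_factory=list)
    notifications: list = field(default_factory=list)
    _grant: Optional[str] = None   # the single action an elevation is bound to

    def break_glass(self, action: str, reason: str) -> None:
        """Grant maximal privilege for exactly one named action."""
        if not reason.strip():
            raise ValueError("a justification is required")
        self._grant = action
        # Supervisor is informed at request time, enabling retrospective review.
        self.notifications.append((self.supervisor_id, self.user_id, action, reason))
        self._audit(action, "break_glass_requested")

    def perform(self, action: str, patient_id: str) -> bool:
        if action in ROLE_PERMISSIONS.get(self.role, set()):
            outcome = "allowed"
        elif self._grant == action:
            self._grant = None          # elevation is consumed by one use
            outcome = "allowed_break_glass"
        else:
            outcome = "denied"
        self._audit(action, outcome, patient_id)
        return outcome != "denied"

    def _audit(self, action, outcome, patient_id=None):
        # Every entry carries the real user's ID, so attribution is preserved.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": self.user_id, "action": action,
            "patient": patient_id, "outcome": outcome,
        })
```

Because the elevation is bound to one action and consumed on use, the audit trail still records who did what, which shared passwords make impossible.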