Survey Reveals Sharing EHR Passwords is Commonplace
While data on the practice of password sharing in healthcare is limited, one survey suggests the practice of sharing EHR passwords is commonplace, especially with interns, medical students, and nurses.
The research was conducted by Ayal Hassidim, MD of the Hadassah-Hebrew University Medical Center, Jerusalem, and also involved researchers from Duke University, Harvard Medical School, Ben Gurion University of the Negev, and Hadassah-Hebrew University Medical Center. The study was conducted on 299 medical students, nurses, medical residents, and interns and the results of the survey were recently published in Healthcare Informatics Research.
The information stored in EHRs is sensitive and must be protected. Regulations such as HIPAA control access to that information. All individuals that require access to the information in EHR systems must be issued with a unique user ID and password or alternate – but equally effective – authentication method.
Any attempts to access protected health information must be logged to allow healthcare organizations to monitor for unauthorized access. If login credentials are shared with other individuals, it is no longer possible to accurately record which individuals have viewed health information – a violation of HIPAA Rules. The researchers note that sharing EHR passwords is one of the most common HIPAA violations and causes of healthcare data breaches.
The survey suggests that sharing EHR passwords is commonplace, even though the practice is prohibited by hospital policies and HIPAA Rules. 73% of all respondents admitted to using the password of another individual to access EHR records on at least one occasion. 57% of respondents estimated the number of times they had accessed EHR information – The average number of occasions was 4.75.
All medical students surveyed said they had accessed EHRs using the credentials of another individual, and 57% of nurses admitted to using another individual’s credentials to access EHRs. The reasons for doing so were highly varied.
Common reasons for sharing EHR passwords were permissions on the user’s account did not allow them to complete their work duties, technical problems prevented them from using their own credentials, and personal logins had not been issued, even though EHR access was required to complete work duties.
The researchers suggest the provision of timely and efficient care is often at odds with security protections. The researchers noted, “In an attempt to achieve better security, usability is hindered to the level the users feel that the right thing to do is to violate the security regulations altogether.”
The researchers made two recommendations: “Usability should be added as the fourth principal in planning EMRs and other PHI-containing medical records. Second, an additional option should be included for each EMR role that will grant it maximal privileges for one action. When this option is invoked, the senior physician/the PHI security officer would be informed. This would allow junior staff to perform urgent, lifesaving, decisions, without outwitting the EMR, and under formal retrospective supervision by the senior members in charge.”
Sharing EHR Passwords – FAQs
Where in HIPAA does it prohibit sharing EHR passwords?
Under the Technical Safeguards of the Security Rule there is a section relating to access controls (§164.312). Within this section Covered Entities must implement procedures “to verify that a person or entity seeking access to electronic protected health information is the one claimed” and “assign a unique name and/or number for identifying and tracking user identity”. If employees are sharing passwords with interns, medical students, and nurses, Covered Entities are not complying with the verification requirement and cannot track user identity.
What alternate authentication methods exist in addition to usernames and passwords?
In the HHS´ Guide to the Technical Safeguards, three options are suggested for authentication methods – a method that requires something only known to the individual (i.e., a password or PIN), that requires something the individual possesses (i.e., a smart card or key), or that requires something unique to the individual (i.e., a fingerprint or iris scan). Therefore, any method that complies with the access control requirements mentioned previously can be used instead of passwords, but in each case the user must be assigned a unique name and/or number.
Does HIPAA require multi-factor authentication?
Multi-factor authentication (MFA) is an option for complying with the Technical Safeguards of the Security Rule; but, as HIPAA is technology-neutral, it is not a requirement of HIPAA. Covered Entities can choose to implement MFA as a standalone authentication method alongside an identifying name or number, or implement MFA to better protect login credentials consisting of usernames and passwords against brute force attacks and phishing. Indeed, many Covered Entities already use MFA to comply with the Payment Card Industry Data Security Standard and the DEA´s e-Prescribing Rules.
How often should passwords be changed in the EHR system?
Recommended EHR password best practices are the same as for accessing databases and other directories containing ePHI. Therefore – according to the guidance of the National Institute of Standards and Technology – it is not necessary to enforce periodic password changes. NIST recommends passwords should only be changed when there is evidence that passwords have been compromised or shared among healthcare workers, students, and other employees.