Survey: 73 Percent of Medical Professionals Share Passwords to Access EHRs

A recent study examining the prevalence of password sharing among healthcare professionals found that 73 percent of medical staff members reported having used another medical staff member’s password to access electronic health record (EHR) systems at work.

The study, conducted by Ayal Hassidim, M.D., with Hadassah-Hebrew University Medical Center, department of plastic surgery, in Jerusalem and published in the Healthcare Informatics Research, was based on the survey responses from 299 medical residents, interns, medical students and nurses. The researchers noted that trust is one of the pillars of physician-patient interaction and protecting the confidentiality of patient data is an important concern for healthcare organizations. Yet, the researchers concluded from the study findings that current permission granting and authentication processes might cause more harm than good.

Confidentiality of health information is an important aspect of the physician-patient relationship and the use of digital medical records has made data much more accessible. To prevent data leakage, many countries have created regulations regarding medical data accessibility which requires a unique user ID for each medical staff member and a password.

The research team on the study, which  included researchers from Harvard Medical School, Duke University, Ben Gurion Univeristy of the Negev and Hadassah-Hebrew University Medical Center, noted that one of the most common breaches of protected health information (PHI) is the use of another’s credentials to access patient information, yet the extent of this practice has not been previously assessed. The researchers conducted a four-question, Google Forms-based survey of medical staff to assess the prevalence of access credentials sharing among medical and para-medical staff members.

The study findings indicate that the majority (73 percent) of respondents reported using another staff members’ password to access the EHR. What’s more, 57 percent of respondents could estimate  how many times it happened, with an average estimation of 4.75 episodes.

All the medical students who took part in the survey (15 percent of respondents) had obtained the password of another medical staff member, while only 57 percent of nurses reported this.

The research team also asked respondents why they had been given the access credentials (passwords) of another medical staff member and what their role was when they received the passwords, and their answers were varied, the researchers wrote in the study.

One answer respondents gave was, “The worker wanted to perform actions while away,” and “Technical malfunction preventing me from using my own account.” In addition, respondents answered, “A limitation of the computer system forcing me to use the other worker’s account in order to fulfill my duties.” And, respondents also said, “I was not given a user account despite having to use the system in order to fulfill my duties,” and “The permissions granted to me did not allow me to fulfill my duties.”

While the protection of PHI credential is a major concern for healthcare organizations, medical staff members must provide timely and efficient care while maintaining patient confidentiality. “This may put medical staff members in a conflict between their duty and their obligation to meet security regulations,” the researchers wrote.

The researchers concluded that the use of unique IDs and passwords to defend the privacy of medical data is a common requirement in healthcare provider organizations. However, the use of passwords is “doomed,” the researchers wrote, because  medical staff members share their passwords with one another. “Stiff regulations requiring each staff member to have a unique ID might lead to password sharing and to a decrease in data safety,” the researchers wrote.

Drilling down further, the researchers note that the current study findings emphasize that increased awareness of the issue is needed to improve electronic medical record (EMR) systems and the security of PHI. The researchers call for two recommendations. First, usability should be added as the fourth principal in planning EMRs and other PHI-containing medical records, along with the three other principals, confidentiality, integrity and availability. Second, an additional option should be included for each EMR role that will grant it maximal privileges for one action, the researchers wrote. “When this option is invoked, the senior physician/the PHI security officer would be informed. This would allow junior staff to perform urgent, lifesaving decisions, without outwitting the EMR, and under formal retrospective supervision by the senior members in charge,” the researchers wrote.