Zfania Tom Korach, MD, and Ayal Hassidim, MD, developed an interest in password sharing among physicians during their work in Israel. One weekend, Dr Hassidim saw a referral created by a colleague in the electronic medical record (EMR) system. The only problem was that, on the weekend the referral was written, Dr Hassidim had seen the colleague 200 miles from the hospital where it was issued. He knew the colleague had not been working then, so someone else had logged into the system with the colleague's password and made the referral under the colleague's name.
No one admits to sharing passwords – a distinct and clear violation of HIPAA – but a lot of people seem to be doing it, said Dr Korach, now a post-doctoral fellow in the division of general internal medicine and primary care at Brigham and Women’s Hospital in Boston. He and Dr Hassidim, who is with Hadassah-Hebrew University Medical Center in Jerusalem, Israel, led a study looking at the factors that prompt people to share passwords.
As part of the study, which was published in Healthcare Informatics Research (2017;23:176-182), the researchers spoke with Dan Ariely, a behavioral economist who studies lying and why and how people do it. “We understood that we couldn’t ask someone if they were doing something illegal, so we asked something a little less incriminating and incognito in an internet survey,” Dr Korach said.
Drs Korach and Hassidim settled on asking if the respondents had ever received a password from someone else, and if so, why. Their findings verified their initial hypothesis. Of the 299 surveys gathered, 220 providers (73.6%) had been given a co-worker’s password at some point. Among those who responded to the query about the frequency with which it occurred, it happened, on average, 4.75 times. People receiving passwords tended to be those with less experience. Dr Hassidim said this was not surprising: He received passwords from residents when he was an intern.
Every resident who responded to the survey had obtained another person’s password, whereas only 57% of nurses had. Researchers said understaffing, particularly during on-call schedules, may be resulting in the delegation of unusual tasks to junior staff, which requires granting them privileges they do not usually have.
“The use of unique user IDs and passwords to defend the privacy of medical data is a common requirement in medical organizations,” investigators concluded. “Unfortunately, the use of passwords is doomed because medical staff members share their passwords with one another. Strict regulations requiring each staff member to have a unique user ID might lead to password sharing and to a decrease in data safety.”
Among students, more than three-quarters said they were not given user information even though they needed to get into the electronic medical record (EMR) to complete their duties. More than half said the permissions they had were not sufficient for their work tasks. The interns received passwords for those same issues 83% and 69% of the time, respectively.
“It turned out there were systematic factors to push people to do this,” Dr Korach said. “These may not be exact numbers … but we exposed a pervasive issue across care settings, roles and professions, with certain challenges that exist in the EMR processes.”
Dr Korach said this highlights the difference in how organizations design their workflow and allot privileges. Physicians share passwords because the computer is the means to an end. If it stands in the way of completing a task, “most physicians are dedicated to their work and will work around the computer system and figure out how to get there.”
“It may be done with good intentions, but the password is like our signature, and the clinicians are held accountable for anything that is done under their name,” Dr Korach said.
Fixing the problem
The study authors acknowledge that health care organizations will probably only tighten security if they know that providers are sharing their passwords. But Drs Korach and Hassidim said that would be a mistake. Making passwords more difficult does little good if someone is just going to share them with other people, they noted.
In addition, implementing additional barriers like biometric or multi-factor authentication will likely only increase users’ needs and personal justification for work-arounds. If accessibility is too hindered, the article noted, providers may begin to “feel that the right thing to do is to violate the security regulations altogether.”
Organizations have to begin by looking at their systems to understand the expectations of each level of staff, then ensure that their credentials allow them to complete their work.
The study authors also recommend making it simpler and quicker for new staff members, interns, and medical students to obtain their credentials. This should obviate the need for password sharing.
Finally, the researchers recommend creating an option whereby staff can have one-time maximum privileges in case of an emergency (sometimes referred to as “break the glass”). For instance, if a trauma patient comes into the emergency department, a physician may quickly need access to the patient’s entire medical record.
“For that specific situation, it’s good for the EMR to have a big, red button to say, ‘This is an emergency,’” Dr Hassidim said.
He stresses this would be a tool used in extreme cases and should be retrospectively monitored by administrators. A similar override of sorts could also be used in times of greater workload or during on-call hours when people may need to perform tasks not typically in their job description.
“You could give people extra options at that time,” Dr Hassidim said. “You will have to take time and think about how the workload flows.”
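The "break the glass" option described above, sketched as an added example that is not from the study or from any EMR product: a user raises their own privileges for one patient record, for a limited time, with a stated reason, and every such event is queued for retrospective review by administrators. The role map, the 15-minute lifetime and all names are assumptions made for illustration.

```python
import time
from dataclasses import dataclass, field

# Constructed role-to-permission map; a real EMR would load this from policy.
BASELINE = {
    "intern": {"read_chart"},
    "resident": {"read_chart", "write_referral"},
}
GRANT_TTL_SECONDS = 15 * 60  # assumed lifetime of an emergency grant


@dataclass
class EmergencyAccess:
    baseline: dict = field(default_factory=lambda: BASELINE)
    grants: dict = field(default_factory=dict)   # (user, patient) -> expiry
    audit: list = field(default_factory=list)    # append-only event log

    def _log(self, event, user, patient, **extra):
        self.audit.append({"event": event, "user": user, "patient": patient,
                           "reviewed": False, **extra})

    def break_glass(self, user, patient, reason, now=None):
        """Grant full access to ONE patient record for a limited time."""
        if not reason.strip():
            raise ValueError("a stated reason is required")
        now = time.time() if now is None else now
        self.grants[(user, patient)] = now + GRANT_TTL_SECONDS
        self._log("break_glass", user, patient, reason=reason, at=now)

    def allowed(self, user, role, action, patient, now=None):
        now = time.time() if now is None else now
        if action in self.baseline.get(role, set()):
            return True
        if self.grants.get((user, patient), 0) > now:
            # Every elevated action is recorded under the user's OWN identity.
            self._log("elevated_action", user, patient, action=action, at=now)
            return True
        return False

    def pending_review(self):
        """Break-glass events an administrator has not yet reviewed."""
        return [e for e in self.audit
                if e["event"] == "break_glass" and not e["reviewed"]]
```

Because the elevation is tied to the user's own login, the audit trail keeps the accountability that a borrowed password destroys.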
They also urge clinicians to be more proactive in a situation if they see an issue in their own practice. “If you notice the current privileges don’t suit the workload, say something and ask them to change it,” Dr Hassidim said. “It reflects a systematic problem in the organization.”
Hassidim A, Korach T, Shreberk-Hassidim R, et al. Prevalence of sharing access credentials in electronic medical records. Healthc Inform Res 2017;23:176-182.