Security threat: Most medical professionals have used someone else’s EMR password, study finds

A stethoscope on a computer keyboard
A new study finds many medical professionals share passwords to access medical records, putting health information technology systems at risk. (Getty/anyaberkut)

A new study is likely giving the folks in charge of privacy and security at healthcare organizations fits.

The study (PDF), published in Healthcare Informatics Research, found that nearly three-quarters of medical professionals (73%) said they have used another staff member’s password to access an electronic medical record (EMR) at work. The biggest culprit? Medical residents. All of the residents in the survey (100%) said they had at one time used someone else’s password with their consent.

With or without consent, sharing passwords is a security risk.

Researchers surveyed 299 medical professionals, including residents, medical students, interns and nurses to see how common it was for them to share passwords. More than 57% estimated they have used someone else’s password an average of 4.75 times.

Among students and interns, 77% and 83%, respectively, said they used someone else’s password because they were not given a user account. The other main reason for using someone else’s credentials? They had inadequate permissions to fulfill their duties. Nurses (57.7%), who are more likely to have the privileges they need to perform their jobs, were least likely to use someone else’s password.

“The strength of an information security system is determined by the strength of its weakest link,” author Florina Uzefovsky, Ph.D., an associate professor of developmental psychology at Ben-Gurion University of the Negev, said in an announcement.

“Even a single breach may render an information system ineffective.”

HIPAA requires healthcare organizations to establish security policies that specify access privileges for workers and a way to authenticate the identity of each person who uses the electronic medical records. Using strong, hard-to-guess passwords is one way for healthcare organizations to protect against cyber attacks.

The researchers offered three recommendations to healthcare organizations:

  • Make it easier and less time-consuming for workers to attain access credentials.
  • Delegate administrative tasks and extend EMR access to para-medical, junior staff, interns and students in understaffed hospitals, especially during on-call hours.
  • Allow maximum privileges for one-time use only, so junior staff can access records under urgent, lifesaving conditions without having to use someone else’s password.