Security threat: Most medical professionals have used someone else’s EMR password, study finds


A new study is likely giving the folks in charge of privacy and security at healthcare organizations fits.

The study (PDF), published in Healthcare Informatics Research, found that nearly three-quarters of medical professionals (73%) said they have used another staff member’s password to access an electronic medical record (EMR) at work. The biggest culprit? Medical residents. All of the residents in the survey (100%) said they had at one time used someone else’s password with their consent.

With or without consent, sharing passwords is a security risk.



Researchers surveyed 299 medical professionals, including residents, medical students, interns and nurses to see how common it was for them to share passwords. More than 57% estimated they have used someone else’s password an average of 4.75 times.

Among students and interns, 77% and 83%, respectively, said they used someone else’s password because they were not given a user account. The other main reason for using someone else’s credentials? They had inadequate permissions to fulfill their duties. Nurses (57.7%), who are more likely to have the privileges they need to perform their jobs, were least likely to use someone else’s password.

“The strength of an information security system is determined by the strength of its weakest link,” author Florina Uzefovsky, Ph.D., an associate professor of developmental psychology at Ben-Gurion University of the Negev, said in an announcement.

“Even a single breach may render an information system ineffective.”

HIPAA requires healthcare organizations to establish security policies that specify access privileges for workers and a way to authenticate the identity of each person who uses the electronic medical records. Using strong, hard-to-guess passwords is one way for healthcare organizations to protect against cyber attacks.

The researchers offered three recommendations to healthcare organizations:

  • Make it easier and less time-consuming for workers to attain access credentials.
  • Delegate administrative tasks and extend EMR access to para-medical, junior staff, interns and students in understaffed hospitals, especially during on-call hours.
  • Allow maximum privileges for one-time use only, so junior staff can access records under urgent, lifesaving conditions without having to use someone else’s password.
