Sharing EHR Passwords Amongst Staff – Why?

Security breaches make headlines almost every day and it seems that the situation grows worse with each incident. The healthcare industry is not very different from the norm. Why do we continue to see security problems in spite of investing so many resources?

The sad answer to this question is pretty simple – the human factor. All the technology in the world cannot protect against human behavior like writing down passwords on Post-it notes, using the same password for all websites and so on. The situation is no better when it comes to accessing EHRs systems and patient data.

EHRs Password Sharing

Practically everyone knows not to share their passwords with friends, family or colleagues. Yet the practice of sharing passwords is very common in most clinical settings. Why do doctors, nurses and students do this? There are many reasons why this happens, so let’s look at a few of them and how they can be addressed.

No User Accounts

Sometimes people do not have a specific user account assigned to them even though they require access to be EHR to complete their jobs. The situation is much more common in medical schools and teaching institutions. Quite often, students are not assigned specific accounts each means that they have to share passwords for certain tasks.

Rights Do Not Correspond with Duties

In some situations, people have user accounts but they do not have sufficient privileges to fulfill their tasks. It is a sound principle of IT security to restrict access for different user accounts. For instance, not everyone should have administrative privileges to the system. Unfortunately access rights for user accounts are often not well thought out when deploying new software. It means that professionals may not have all the rights required by their job responsibilities. What else can you do other than borrow someone else’s password?

All in the Name of Efficiency

Users are always encouraged to use long passwords with different numbers, symbols and other characters. Unfortunately it also means that we tend to forget passwords from time to time. Issuing another password or resetting it is not always a straightforward process. It is no wonder that users share their passwords with colleagues to help them out in situations like this.

Sharing EHR passwords is inevitable because of the way the EHRs is designed. Some systems make the process of logging in and logging out so long and cumbersome that people don’t bother. In many medical situations, time is of the essence and no one wants to waste precious minutes waiting for the system to come online.

Sharing passwords with colleagues poses many risks to a practice. It is unethical, dangerous and severely compromises the safety of patient health information. It is unethical because users who do not have sufficient privileges are able to view sensitive data by using other people’s passwords. If the same password and user account is shared between two or three users, it becomes difficult to ascertain the audit trail for changes. You cannot be sure who made the change to a particular patient’s file, resulting in legal problems down the road.

What Can We Do?

The biggest issue to address here is the fluid nature of users within an EHR system. Even in a smaller practice, user roles can change in a matter of days. Some people need temporary access while others need restricted access. Managing user accounts – creating and deleting them as necessary – is almost a full-time job, especially in large organizations. However it should be done properly. User accounts and passwords should be checked to ensure that only people authorized to have access are using them.

EHRs should be designed in such a way that switching user accounts on a device is seamless and as instantaneous as possible. Cloud-based EHRs software is becoming more popular every day. It allows users to access the system from multiple devices. However there should also be an option for the user to see which devices are logged in at any one time. They should be allowed to logout from other sessions remotely so that others do not accidentally use their accounts. EHR password sharing is a very common practice but we can shut it down with simple measures, including user awareness and training.