The electronic health record (EHR) is significant for data processing, communication, confidentiality, and legal matters. It contains medical data that is extracted during the medical chart review process. The quality of the medical record indicates the quality of care patients receive. Given the importance of medical records, they need to be protected from data breach and loss of confidential PHI (Protected Health Information). Unfortunately, security threats for healthcare data continue to grow which are attributed to glitches in technology as well as human factors. We hear of ransomware attacks on provider networks, which put patient data security and patient safety at risk. Therefore, healthcare organizations must invest in technology that protects patient information, and work to keep their networks, connected devices, and all endpoints secure.
A new study throws light on the susceptibility of human factors when it comes to the security of healthcare data. One of the major concerns in this regard is the use of passwords. Typically, healthcare entities use unique user IDs for staff members and ensure that the medical records are password-protected. But how safeguarded are those passwords? In the above mentioned study published in Healthcare Informatics Research, academic researchers found that one of the most common breaches of PHI is the use of the EMR password of one medical staff member by another. For the study, the researchers created a 4-question survey that was taken by 299 medical and paramedical personnel. The results showed that 220 (73.6%) of participants had obtained the password of another medical staff member. Of the 171 respondents who explained how often that happened, the average was nearly five times. 45 of the poll-takers were medical residents that made up 15% of those surveyed. They said they had obtained the password of a colleague at some point. Of the 66 nurses who participated, slightly more than half, i.e., 57.5% said they had shared access credentials.
Password sharing was resorted to because:
- Users were not given a user account even though they were required to use the system to fulfil their duties – this reason was more common among students than non-student working (staff) members.
- Another reason quoted was that the permissions granted to them did not allow them to fulfil their duties – this reason also was more common among students.
The study team suggested the following recommendations:
- Usability should be added as the fourth principal in planning EMRs and other PHI-containing medical records.
- An additional option should be included for each EMR role that will grant maximum privileges for one action. When this option is used, the senior physician or the PHI security officer would be informed. This would enable junior staff to perform, urgent, life-saving decisions without compromising the EMR and under the formal supervision of senior members in charge.
Typically, medical staffs share passwords and other authorized credentials with a view to increase efficiency. Sharing PHI is part of medical treatment, especially in cases where consultant support is required. Data security threat exists because there is always the possibility that more information about the patients (not related to their medical treatment) may be shared.
Healthcare organizations must make sure that they are investing wisely in strong data security measures. In fact, the 2017 Thales Data Threat Report found that 73% of organizations in numerous industries increased IT security spending for 2017. This is an increase from the 58% reported in 2016. The survey interviewed 1,100 senior IT security executives in several industries, including education, engineering, healthcare, and the federal government. The top driver for IT spending was found to be compliance and data security threats. The researchers found that most organizations have started investing in new technologies for data storage, transfer, and processing. When sharing medical records for purposes such as medical peer review or medical chart review, data encryption can be used to protect valuable data and intellectual property. This is especially beneficial in the healthcare industry, making it more challenging for unauthorized parties to access sensitive data such as patient PHI.