Passwords Aren’t Protecting EMR Data

Many healthcare systems rely on user IDs and passwords to control access to electronic medical records (EMR). These safeguards can help protect sensitive patient data.

Unfortunately, many healthcare workers share passwords. In one study, 73% of healthcare workers reported obtaining another staff member’s login credentials. Respondents estimated that this security breach occurred 4-5 times. Most commonly, credential sharing occurred among junior staff members. Every resident who participated in the study had obtained login credentials from another staff member, while just over half of nurses reported the same.

The study found password sharing occurred most commonly when staff needed authorization for their day-to-day tasks. Many reported their login credentials did not provide adequate user privileges to fulfill their duties. They also reported delays during new employee onboarding led to password sharing. Other studies corroborate the findings, adding that employees often leave applications open or work together on one computer, which can lead to security breaches.

Health and Human Services suggests institutions craft strict password policies and complexity requirements. Institutions can also set user privileges that align with clinical workflow. Such technical approaches are essential for any modern compliance program. User education can also help address social and cultural factors that lead to password sharing. Compliance programs should include password policies, but the data suggest these are only one element of protecting EMRs.