Data breaches and ransomware attacks are among some of the top challenges that healthcare organizations face today. These issues can lead to extensive damage affecting entire organizations. Whether it is the breach of a patient’s privacy or the disruption of operations across an entire system, just one negative event has the potential to destroy a hospital’s reputation.
Consequently, the protection of personal health information (PHI) has been a major concern for government and healthcare organizations worldwide. To prevent data breach, unique user IDs and passwords are often required of medical staff. However, according to a study published in Healthcare Informatics Research, the use of passwords is sometimes ineffective because staff members share their passwords with one another. In fact, nearly three out of four medical professionals (73%) said they had used another staff member’s password to access an electronic medical record (EMR). (1)
Among those surveyed, more than half said they used another staff member’s password because they were never given a user account. Another reason was that staff had insufficient access capabilities to fulfill their duties. Nurses were less likely to use someone else’s password because they typically had the privileges needed to perform their job functions. Regardless the reasoning, with or without consent, sharing passwords is a security risk. (1)
HIPAA requires healthcare organizations to implement security policies for medical staff and specify access privileges to authenticate the identity of each person using electronic medical records. Using strong, difficult to guess passwords is one way to protect against cyber-attacks. (2)
Researchers offered these suggestions for healthcare organizations:
- Make attaining access credentials for staff less time-consuming and difficult.
- Provide EMR access to para-medicals, junior staff members, interns and students in understaffed hospitals, especially during on-call hours.
- Allow maximum privileges for one-time use only, so administrative staff can access records in urgent situations. (2)
- Obtain a stronger understanding for the types of EMR access privileges each person needs for their jobs.
Although, healthcare organizations cannot guarantee a data breach will never happen, implementing the necessary safeguards can help reduce the possibility of a security issue.