Are Doctors The Weak Link In Terms Of Medical Security?

Earlier this year I wrote about a study highlighting the slow pace of the rollout of digital patient records in the UK health system. The analysis, which is believed to be the first of its kind, examines the progress made in transferring patient records to digital form, and shows a complex picture beset by poor understanding of IT implementation and an underestimation of the kind of changes digitization would bring.

A second study suggests that a major part of the problem might be physicians themselves.  It reveals that many doctors regard maintaining electronic health records (EHRs) a chore that undermines their relationship with patients.

Not only are doctors not especially strong cheerleaders for the digitization of patient records, they also display poor habits when they do utilize them.  That’s the finding of a third study, by researchers at Ben-Gurion University of the Negev.

The study finds that the regulations around data security in healthcare often make it prohibitively difficult to get the information needed in a timely manner.  As a result of this, many medical staff use passwords that are shared with colleagues.

How doctors access medical records

The study is believed to be the first to examine in depth just how medical records are accessed by doctors and other medical staff.  The results were rather worrying.

For instance, nearly 75% of participants revealed that they had used a colleague’s password to access an EHR at work, with over half having done this at least 4 times. What’s more, every single participant revealed that they had obtained a colleague’s password (with their consent), with the vast majority also logging on using someone else’s details because they did not yet have an account of their own.

This was also common when their account didn’t have the right permissions to do their job properly, but it was much less common the further down the medical hierarchy you go, with nurses much less likely to engage in such practices than doctors.

“The strength of an information security system is determined by the strength of its weakest link,” the researchers say. “Even a single breach may render an information system ineffective.”

Cybersecurity in healthcare

There have been a number of high-profile breaches in the industry this year. I wrote earlier this year about a study from Michigan State University, which found around 1,800 large data breaches in patient information over a seven-year period in the United States alone.

“Our findings underscore the critical need for increased data protection in the health care industry,” the authors say. “While the law requires health care professionals and systems to cross-share patient data, the more people who can access data, the less secure it is.”

The Israeli team offer a number of suggestions for how security can be improved. For instance, a good first step would be to make it easier to obtain access credentials, which would reduce the need for doctors to share login details.

They also suggest that hospitals, especially during times of staffing pressure, may delegate administrative tasks to para-medical staff, junior staff and students. Even nurses are more likely to have the kind of access permissions required. A better understanding of the IT requirements of the entire medical team, and subsequently broader access privileges, can lead to less password sharing and therefore greater security levels.

Last, but not least, the team recommend adding the capability to provide maximum privileges to each user role in the EHR for a single use only.  Whenever such an option is invoked, both the IT security team and senior physician would be notified.  This would allow junior staff to make those urgent requests without having to sneak around under someone else’s password.
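A minimal sketch of the single-use elevation recommended above, as an added example that is not code from the study or from any EHR product. The class name, the `notify` callback, the expiry window and the binding of each grant to one named user and one record are assumptions made for illustration.

```python
import secrets
import time

class SingleUseElevation:
    """One-time elevated EHR access issued to the requester's own account."""

    def __init__(self, notify, ttl_seconds=600):
        self.notify = notify            # hypothetical hook: notify(recipient, message)
        self.ttl_seconds = ttl_seconds  # assumption: unused grants expire
        self._grants = {}               # token -> grant record
        self.audit_log = []             # every action is attributed to a named user

    def invoke(self, user, senior_physician, record_id, reason, now=None):
        now = time.time() if now is None else now
        if not reason.strip():
            raise ValueError("a reason is required")
        token = secrets.token_urlsafe(32)
        self._grants[token] = {"user": user, "record": record_id,
                               "expires": now + self.ttl_seconds}
        msg = f"{user} invoked single-use elevated access to {record_id}: {reason}"
        # Both parties named in the recommendation are told on every invocation.
        for recipient in ("it-security", senior_physician):
            self.notify(recipient, msg)
        self.audit_log.append(("invoke", user, record_id, now))
        return token

    def redeem(self, token, user, record_id, now=None):
        now = time.time() if now is None else now
        # pop() consumes the grant on the first attempt, successful or not.
        grant = self._grants.pop(token, None)
        ok = (grant is not None and grant["user"] == user
              and grant["record"] == record_id and now <= grant["expires"])
        self.audit_log.append(("redeem" if ok else "denied", user, record_id, now))
        return ok

def demo():
    """Constructed scenario: a junior doctor makes one urgent request."""
    sent = []
    svc = SingleUseElevation(notify=lambda to, msg: sent.append(to))
    token = svc.invoke("dr.junior", "dr.senior", "record-001",
                       "urgent medication order", now=1000)
    first = svc.redeem(token, "dr.junior", "record-001", now=1010)
    second = svc.redeem(token, "dr.junior", "record-001", now=1020)
    return sent, first, second, svc.audit_log
```

Because the grant is tied to the requester's own login, the audit trail names the person who acted, which is exactly what is lost when a colleague's password is borrowed.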

Of course, it’s worth noting that another recently published paper suggests that full IT security in healthcare may well be an impossible dream.

“There are things we can do to reduce the risk but it is very hard to perfect IT security, especially given the needs of modern hospital systems to have things moving between places and increasing demand for patient-facing access,” the authors say. “To some extent, these attacks are inevitable.”

Nevertheless, the less passwords are shared, the more secure hospital IT systems will surely be.