[BreachExchange] Are Doctors the Weak Link in Terms of Medical Security?

Audrey McNeil audrey at riskbasedsecurity.com
Mon Oct 30 19:30:32 EDT 2017


http://adigaskell.org/2017/10/27/are-doctors-the-weak-link-in-terms-of-medical-security/

Earlier this year I wrote about a study highlighting the slow pace of the
rollout of digital patient records in the UK health system.  The analysis,
which is believed to be the first of its kind, examines the progress made
in transferring patient records to digital, and shows a complex picture
beset by poor understanding of IT implementation and an underestimation of
the kind of changes digitization would bring.

A second study suggests that a major part of the problem might be
physicians themselves.  It reveals that many doctors regard maintaining
electronic health records (EHRs) as a chore that undermines their
relationship with patients.

Not only are doctors not especially strong cheerleaders for the
digitization of patient records, they also display poor habits when they do
utilize them.  That’s the finding of a third study, by researchers at
Ben-Gurion University of the Negev.

The study finds that the regulations around data security in healthcare
often make it prohibitively difficult to get the information needed in a
timely manner.  As a result of this, many medical staff use passwords that
are shared with colleagues.

How doctors access medical records

The study is believed to be the first to examine in depth just how medical
records are accessed by doctors and other medical staff.  The results were
rather worrying.

For instance, nearly 75% of participants revealed that they had used a
colleague’s password to access an EHR at work, with over half having done
this at least 4 times.  What’s more, every single participant revealed that
they had obtained a colleague’s password (with their consent), with the
vast majority also logging on using someone else’s details on account of
them not having an account yet.

Sharing was also common when a user's own account lacked the permissions
needed to do their job properly, but it became much less common further
down the medical hierarchy, with nurses much less likely to engage in such
practices than doctors.

“The strength of an information security system is determined by the
strength of its weakest link,” the researchers say. “Even a single breach
may render an information system ineffective.”

Cybersecurity in healthcare

There have been a number of high profile breaches earlier this year in the
industry. I wrote earlier this year about a study from Michigan State
University, which found around 1,800 large data breaches in patient
information over a seven-year period in the United States alone.

“Our findings underscore the critical need for increased data protection in
the health care industry,” the authors say. “While the law requires health
care professionals and systems to cross-share patient data, the more people
who can access data, the less secure it is.”

The Israeli team offer a number of suggestions for how security can be
improved.  For instance, a good first step would be to make it easier to
obtain access credentials, which would reduce the need for doctors to share
login details.

They also note that hospitals, especially during times of staffing
pressure, may delegate administrative tasks to para-medical staff, junior
staff and students, who often lack the access permissions the work
requires; even nurses are more likely to have them.  A better understanding
of the IT requirements of the entire medical team, and subsequently broader
access privileges, can lead to less password sharing and therefore greater
security levels.

Last, but not least, the team recommend adding the capability to provide
maximum privileges to each user role in the EHR for a single use only.
Whenever such an option is invoked, both the IT security team and senior
physician would be notified.  This would allow junior staff to make those
urgent requests without having to sneak around under someone else’s
password.
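The single-use, notified elevation described above is easy to sketch. The block below is an added example, not code from the study or the blog post: a minimal "break-glass" service that issues a one-time, time-limited token carrying a role's maximum privileges, records every issue and use in an audit log, and queues a notification to the IT security team and the senior physician whenever a token is used. The role names, privilege sets, recipient names and the 15-minute window are assumptions chosen for illustration.

```python
# Added illustration of the "break-glass" mechanism the article proposes;
# not code from the study or the post. Roles, privileges, recipients and
# the grant lifetime are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets

# Constructed: the maximum privilege set each EHR role may be granted once.
ROLE_MAX_PRIVILEGES = {
    "junior_doctor": {"read_record", "write_note", "order_labs"},
    "nurse": {"read_record", "write_note"},
    "student": {"read_record"},
}

# Constructed recipients standing in for the IT security team and the
# senior physician on call, both of whom the article says should be told.
NOTIFY_ON_USE = ("it-security", "senior-physician-on-call")
GRANT_LIFETIME = timedelta(minutes=15)  # assumed window for an urgent task


@dataclass
class Grant:
    token: str
    user: str
    role: str
    justification: str
    issued_at: datetime
    used: bool = False


class BreakGlassService:
    """Issues single-use, time-limited elevations under the requester's own
    identity, so no colleague's password is ever needed."""

    def __init__(self):
        self._grants = {}        # token -> Grant
        self.audit_log = []      # every issue, use and denial
        self.notifications = []  # messages queued for NOTIFY_ON_USE

    def request_elevation(self, user, role, justification, now=None):
        """Return a one-time token bound to the role's maximum privileges."""
        if role not in ROLE_MAX_PRIVILEGES:
            raise ValueError(f"unknown role: {role}")
        if not justification.strip():
            raise ValueError("a justification is required")
        now = now or datetime.now(timezone.utc)
        token = secrets.token_urlsafe(16)  # unguessable, one per request
        self._grants[token] = Grant(token, user, role, justification, now)
        self.audit_log.append({"event": "issued", "user": user,
                               "role": role, "at": now})
        return token

    def use_elevation(self, token, action, now=None):
        """Consume the token for one action; notify and audit the use."""
        now = now or datetime.now(timezone.utc)
        grant = self._grants.get(token)
        if grant is None:
            raise PermissionError("unknown token")
        if grant.used:
            raise PermissionError("token already used")
        if now - grant.issued_at > GRANT_LIFETIME:
            raise PermissionError("token expired")
        allowed = ROLE_MAX_PRIVILEGES[grant.role]
        if action not in allowed:
            # Denied requests are logged too: they show where the role's
            # normal permissions are too narrow for real work.
            self.audit_log.append({"event": "denied", "user": grant.user,
                                   "action": action, "at": now})
            raise PermissionError(f"{action} exceeds {grant.role} privileges")
        grant.used = True  # single use: a second call is refused above
        self.audit_log.append({"event": "used", "user": grant.user,
                               "action": action, "at": now})
        for recipient in NOTIFY_ON_USE:
            self.notifications.append({
                "to": recipient, "user": grant.user, "role": grant.role,
                "action": action, "justification": grant.justification,
            })
        return frozenset(allowed)


if __name__ == "__main__":
    svc = BreakGlassService()
    tok = svc.request_elevation("dr_jones", "junior_doctor",
                                "urgent overnight lab order")
    print(sorted(svc.use_elevation(tok, "order_labs")))
    print(len(svc.notifications), "notifications queued")
```

The point of the design is accountability rather than restriction: the elevation runs under the requester's own account, so the audit trail names the person who acted, the notifications give the security team and the senior physician a chance to review each use, and the denial records show which roles are routinely short of the permissions their work needs.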

Of course, it’s worth noting that another recently published paper suggests
that full IT security in healthcare may well be an impossible dream.

“There are things we can do to reduce the risk but it is very hard to
perfect IT security, especially given the needs of modern hospital systems
to have things moving between places and increasing demand for
patient-facing access,” the authors say. “To some extent, these attacks are
inevitable.”

Nevertheless, the less password sharing takes place, the more secure
hospital IT systems will surely be.