GT and ZR are the two main new-patient schedulers for a busy medical practice. Their jobs share many tasks, and it is convenient for them to check each other’s electronic health record (EHR) office messages. To enable this, they have given one another their personal passwords on the system. This seemed to work well until a problem arose. It was found that a user of GT’s password had accessed a patient chart for personal reasons. Someone who used GT’s password was looking through the chart of the office administrator’s spouse. GT was confronted and denied this activity. During the investigation, it was uncovered that ZR also had GT’s password. ZR was confronted and found to be the one accessing charts for nonwork-related reasons.
Diagnosis:
- Lack of password security
Recommendations:
- Never share passwords
- Ask staff about why or if they ever feel a need to share their passwords
- Schedule frequent password changes; automate these whenever possible
- Require cybersecurity training that includes the importance of password security
- Review our Cybersecurity Guide and Protect Your Passwords Infographic
Cybersecurity Guide Available to Members of Smart Business Great Medicine