How Does Unique User ID Protect Patient Information In Your Practice?

When I consult with healthcare practices for their privacy impact assessment, I often see that the practice has moved to a cloud hosted electronic medical record provider. Using your vendor’s security skills can help you to minimize the risk of security incident with your EMR.

However, you must continue to maintain good security practices on your local computers and remote mobile devices. Here’s why.

In the last article training, you prepared to respond to patients who request to record their appointment with you. You can catch that here.

Why You Need Unique User ID In Your Healthcare Practice

When you’re setting up computer systems for your healthcare practice, start by ensuring that every user has a unique user identity (user ID).

Sharing login credentials for everyone on your team can lead to compromised account security, which makes you more vulnerable to phishing attempts, and leads to a greater risk of sensitive information getting into the wrong hands.

Today we’re going to look at why you need to ensure everyone on your team who requires access to IT systems has their own unique user ID and login credentials.

What is User ID?

The user ID or username that you create when you are granted access to a computer network or software application should be unique to the user (not shared). The user ID is persistent — that is, it doesn’t change.

While a user ID needn’t be as complex as a password, you want to avoid an easily guessed or spoofed name. Instead, create a user ID that is reasonably short and uses a mix of letters and numbers and special characters. The system should not allow duplicate user ID’s and may have additional criteria about what the name can include.

Sometimes, the user ID appears linked to the content that you enter. For example, the username might be associated with a clinic note you enter in the electronic medical record, internal messaging, or even a blog post.

You can think of the user ID as your digital signature that uniquely identifies the computer user.

You may also have certain programs or additional software, applications, and data, including sensitive information, personally identifying information (PII), and personal health information (PHI) which require an additional unique user ID and password.

Don’t Share Your Unique User ID!

Individuals are responsible for their unique user ID. A user ID is important to provide non-reputability for the user. It ensures that the user cannot deny having taken a particular action.

For example, in an office computer, a user ID would be used to login to the system. Once the user is logged in, they can view their personal folders, shared folders, access to printers, and so on. If the user were to deny accessing and printing a particular file, the user ID would prove that they had indeed accessed and printed the file.

Layers of Protection Is Better

A two-step process that requires the user to enter their unique user ID to access a computer or device, and another unique user ID to access a program like an EMR, is an example of a dual login. This added level of security ensures that an authorized user has access to both the local device and the software.

Multi-factor authentication (MFA) is a better level of security. Again, this starts with entering a unique user ID on the device, a different unique user ID to access specific software, and a token or code that is sent to the user. The user must enter the code into the software prior to access granted. The goal of this authentication intent is to make it more difficult to access devices or applications without the subject’s knowledge, such as by malware on the endpoint.

MFA is a core component of a strong identity and access management (IAM) policy. It all starts with having a unique username, password, and an additional verification factor, which decreases the likelihood of a successful cyber attack.

79% of organizations have experienced an identity-related security breach in the last two years [Identity Defined Security Alliance] and 61% of all breaches resulted from stolen credentials, whether through social engineering or brute force attacks. [Verizon Data Breach Investigations Report].

Why You Need Unique User ID In Your Healthcare Practice

Benefits of enforcing unique user ID for every user include:

• Tracking user activity and manage overall operations on a particular system, network or application.
• Improved security, decreased likelihood of inappropriate access, reduced errors, reduced malicious actions internal and external to the business.
• Avoidance of fines and sanctions, under privacy legislation.

My EMR / EDR Has Unique User ID. Isn’t That Good Enough?

Many healthcare practices have not yet implemented a unique user ID policy. Instead, they rely on the electronic medical record (EMR), electronic dental record (EDR) or other practice management software (PMS) system to require unique user ID to access this sensitive data.

This simply isn’t good enough. Locking the back door while the front door is unlocked is not a sufficient deterrent to prevent unauthorized access to your systems and the information that it contains.

I’m certain that there are other sections in your computer files where sensitive information (employee, business, and/or patient information) is maintained. This needs to be protected by identity management and audit tracking, too.

The extra layer of protection of having unique user ID to access your computer system AND another unique user ID to access your EMR / EDR is a reasonable safeguard. Alberta Netcare, NIST, and privacy regulations recommend this minimum standard.

In IBM’s Cost of Data Breach Report 2021, compromised credentials were responsible for 20% of breaches.

Having shared user accounts (instead of unique user ID) increases the likelihood that the user credentials will be compromised and may result in a privacy and security incident.

The IBM report also identified that a zero trust approach helped reduce both the likelihood and the cost of a privacy and security breach. Zero trust means that everyone accessing electronic data must use strong authentication and authorization at all times. In short, don’t assume that because the user is accessing a computer at a specific location, that the user is authorized to access the computer.

Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established.

Make It Easy To Implement Unique User ID Policy

Businesses should use business-grade computer hardware and software for their computer networks and mobile devices. Select operating systems that make it easy to create and manage user accounts. Ensure that user activity audit logging is enabled.

You might be ‘pretty good’ at managing a computer. However, I recommend that healthcare providers, clinic managers, and business owners contact a local computer network technician or managed service provider to help you properly set up user management. Protect your patient’s information and your practice with good computer user management.

Thank you for subscribing to my content. I share content about keeping your healthcare practice privacy compliant and efficient. Click the ‘Follow’ and ‘Subscribe’ buttons!

Show your support by clapping this article and sharing!

Originally published at https://InformationManagers.ca