How we used behavioral analytics to detect password sharing in electronic medical records

Nicholas Culbertson
Published in tech-protenus · 3 min read · Oct 4, 2017

Recently, Health Informatics Research published a study that revealed 73.6% of surveyed physicians and clinical support staff shared their passwords with other members of the care team. It’s a concerning trend: the act of sharing passwords with others undermines the overall security of any system.

Think about it this way: What’s the point of having an access log if it doesn’t correctly reflect who’s actually accessing health data?

In other industries, access to sensitive information can be easily managed through role-based permissions. Consider lending, for example: when you buy a house, you might interact with a realtor, the sellers, an inspector, a lawyer, a title officer, and a bank or other lender. Yet only the loan officer has access to your most sensitive personal data like your Social Security number, work history, and bank account information.

Health data is different because every role inside the hospital needs full access to a medical record in order to provide the best care. Doctors, nurses, but also medical students, researchers, lab technicians, dieticians, and billing specialists all need access to a patient’s full medical record to do their jobs.

It’s this need, directly at odds with healthcare organizations that attempt to control access based on role alone, that drives credential sharing.

Healthcare demands a different solution. The report’s recommendation, that “each EHR role should get an additional option that grants full privileges for one action,” won’t solve this problem in complex, dispersed care teams and omits the possibilities that artificial intelligence offers care teams today.

Here’s the thing: As each doctor, nurse or administrator uses an electronic medical record, they leave a unique, multidimensional digital fingerprint inside the system. This is how the Protenus platform excels at catching and stopping credential sharing in its tracks: We use artificial intelligence to deeply understand clinical workflows, and by continuously monitoring how an individual behaves over time, our analytics are capable of identifying when a user’s behavior suddenly changes.

The first time our analytics detected this change in behavior, back when we first started our company, we weren’t sure what to make of it. It turns out, it wasn’t a change in behavior: It was a change in users. Apparently, a doctor had shared their password with a student who was shadowing them for a day, and the platform elevated the access for human review. Over time, we’ve used machine learning techniques to refine this into a key feature inside our platform.
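A minimal sketch of the per-user baseline idea described above, as an added example and not the Protenus platform's own method: each account's activity today is compared with that same account's history using Jensen-Shannon divergence, and large shifts are queued for human review. The event fields (`user`, `hour`, `unit`, `action`), the 0.5 threshold, and all sample events are assumptions constructed for illustration.

```python
import math
from collections import Counter

def distribution(events):
    """Relative frequency of (6-hour shift bucket, patient unit, action) tuples."""
    counts = Counter((e["hour"] // 6, e["unit"], e["action"]) for e in events)
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()}

def js_divergence(p, q):
    """Jensen-Shannon divergence in bits: 0 = identical, 1 = no overlap."""
    m = {k: 0.5 * (p.get(k, 0) + q.get(k, 0)) for k in set(p) | set(q)}
    def kl(a):
        return sum(pa * math.log2(pa / m[k]) for k, pa in a.items() if pa > 0)
    return 0.5 * kl(p) + 0.5 * kl(q)

def review_queue(history, today, threshold=0.5):
    """Return [(user, score)] for accounts whose activity today departs from
    their own baseline. The threshold is an assumed value, not a tuned one."""
    flagged = []
    for user in sorted({e["user"] for e in today}):
        base = [e for e in history if e["user"] == user]
        if not base:
            continue  # no baseline yet; a new account needs separate handling
        current = [e for e in today if e["user"] == user]
        score = js_divergence(distribution(base), distribution(current))
        if score >= threshold:
            flagged.append((user, round(score, 3)))
    return flagged

def ev(user, hour, unit, action):
    return {"user": user, "hour": hour, "unit": unit, "action": action}

# Constructed audit-log events (not real data).
HISTORY = ([ev("dr_a", 9, "cardiology", "view_chart")] * 30
           + [ev("dr_a", 10, "cardiology", "sign_order")] * 10
           + [ev("rn_b", 20, "icu", "view_chart")] * 25
           + [ev("rn_b", 21, "icu", "record_vitals")] * 15)
# dr_a's account suddenly browses oncology charts in the afternoon and signs
# no orders; rn_b's account keeps its usual pattern.
TODAY = ([ev("dr_a", 9, "cardiology", "view_chart")] * 2
         + [ev("dr_a", 14, "oncology", "view_chart")] * 8
         + [ev("rn_b", 20, "icu", "view_chart")] * 5
         + [ev("rn_b", 21, "icu", "record_vitals")] * 3)

if __name__ == "__main__":
    print(review_queue(HISTORY, TODAY))
```

A flagged account is a prompt for review, not proof of sharing: a legitimate unit transfer or shift change produces the same kind of score.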

A tool like Protenus, which monitors all app-layer accesses and accurately detects credential sharing, will help you build an access system that works for your hospital, rather than relying on an imperfect role-based system that may interfere with patient care. You’ll be able to address the root of the security problem by detecting and making on-the-spot corrections in team member behavior, ultimately reducing overall risk.

Want to learn more about how Protenus helps security and privacy teams collaborate to keep your organization’s health data secure and build patient trust? Watch our most recent webinar discussion with leaders from Massachusetts General Hospital (MGH) and Sentara Health.

Nicholas Culbertson
tech-protenus

CEO @Protenus, @ICITorg Fellow, @The6thBranch Board Treasurer, former @USArmy Green Beret