EMR Passwords

I don't understand how anyone would have someone else's password unless that person gave it to them. Everywhere I've ever worked, even IT doesn't know what your password is.  Unless the default password that was given to you the first time you log into the system was never changed? 

Advocatenursemama said:

I found out that my Director of Nursing  has a spreadsheet of usernames and passwords of all the licensed nurses and home health aides at our company, I believe they are using these to complete incomplete charting, specifically from HHA's.

[...]

How did you find out about this spreadsheet?  And what led you to believe they are completing documentation they deem incomplete?

Advocatenursemama said:

[...]

My first question is, Is there any circumstance in which anybody should have someone else's electronic medical record password?  I believe nobody should have my username and password, there is no reason to have it. 

[...]

Your IT department likely has access to your user name.  Regarding access to your password however, I agree with you and can't think of any reason that anyone should have access to your password.  

If your Director of Nursing (DON) believes that the charting needs to be modified or further completed, he or she should approache the individual that originally complete  the documentation and  discuss the deficient documentation with them.  If the DON thinks the he or she needs to complete the documentation he or she should do it under their login ID.  If they do so under your login ID it appears that you completed the documentation, and in my lay opinion this would be minimally false documentation and potentially insurance fraud.

Advocatenursemama said:

[...]

My second question is, if my company does have a list of nurses' password and is using it to alter/complete other nurses' charting, what would be the proper way for someone to report that? 

[...]

First, if you haven't changed your password you need to do so now.  As to what to do; this depends on how certain you are that your DON has everyone's passwords.  If you have your own personal Liability Insurance I agree with @dianah, contact them regarding consulting an attorney.  If not, and you believe that your evidence is accurate, you might consider contacting your state Attorney General's office frauds division.

Best wishes 

Is it possible to confirm that this is really happening? 

I would ask a "just curious" question as to why I have not been prompted to change my password.

I would also change my password and see it that creates a stir.

This should be addressed, but my suggestion is to confirm that this is a regular practice.

Wuzzie said:

I would literally change it daily just to make them insane. ?

If ISD has access to individual passwords this would be unusual.  At least in my experience as I've never worked anyplace where ISD had access to individual passwords.

As a former Cybersecurity consultant, I can tell you this is completely unacceptable, and probably a violation of several privacy laws. Passwords should be encrypted and stored encrypted, and if they're not - your IT department is falling down on the job. All it takes is one nurse with a hacked machine and that spreadsheet on it to cause chaos. All of those usernames and passwords will be sitting on the darknet, waiting for someone to hack them. Can you imagine the damage - reputational, patient care etc. that would be done if your EMR system was sitting on a hackers website?  if they can get into your system EMR (and they can with those passwords and usernames), the HIPAA violations alone that could occur....smh.... The damage that can be done with that sensitive data leaked is incredible. They will be able to place ransomware on any machine. If diagnoses are leaked, they will be able to blackmail people with their diagnosis, or make them public!  The average cost for a facility that has a data breach is $4.1 million in 2022. Companies go out of business with just the cost of trying to remediate the problem. I hope your facility has super good cyber security insurance coverage. Problem is they will refuse to honor a claim if your your facility didn't follow best security practices in the first place

Healthcare, security, which was actually my specialty -is atrocious. Talk to someone today. This is so dangerous. It may seem like no big deal. Trust me I have come into hospitals and clinics where data has been breached and it is catastrophic.

use a password generator to generate a very difficult password and use it to change your ASAP

sleepwalker said:

use a password generator to generate a very difficult password and use it to change your ASAP

Using a complex password will not protect you in this situation. A password has to be encrypted to be secure - both when it is traversing a network and when it is "at rest" in a database. It doesn't matter if it is "12345" or a super-complex, password-generated 100-character password.

Hackers are not guessing or using  "brute force" programs to guess at passwords any more - complex or not. It is far easier (and time and cost-effective) for them to simply social engineer an employee, drop a keystroke logger on a machine from a drive-by web attack, or find out what EMR software the hospital is running and look for vulnerabilities to exploit.

Once in the system, they will simply look around for spreadsheets or anything unencrypted that "looks interesting". They will download it - and away they go.

A complex password is not a big protection anymore - and especially in a scenario like this. The passwords need to be stored securely on a secure database or other flat file system. It doesn't matter how complex it is if it is stored insecurely at the end of the day.

chare said:

If ISD has access to individual passwords this would be unusual.  At least in my experience as I've never worked anyplace where ISD had access to individual passwords.

It's a malicious insider's dream though. All it takes is a disgruntled employee to be offered cash or "revenge" on their employer to hand over that sort of information to a hacker who would pay dearly for it. While a credit card number is worth on 50 cents on the dark web - a healthcare record is infinitely more valuable - in the range of $8-10. The big reason for that is that while credit card numbers can be changed, healthcare records are immutable. They don't change. They have a life-expectancy of - forever.

That is why they are such big targets - and why healthcare institutions should take security seriously. But - like many things in healthcare - it often isn't a problem until - it is...and the damage is done.

chare said:

If ISD has access to individual passwords this would be unusual.  At least in my experience as I've never worked anyplace where ISD had access to individual passwords.

Our IT will reset a password to eg "welcome1' however when its entered into the system it prompts the user to change the password

OP change your password and make sure you change it regularly.