End Notes
Computer Insecurity
The dog’s name, your son’s birthdate? The dog’s birthdate, your son’s name? Will forgotten passwords be the bane of the EMR?
By Michael Aylward, M.D.
Picture this: A burly security guard hulks over the entrance to your exam room. You walk up to the gruff and unpleasant guard and perform an intricate six-step handshake while greeting him with a nonsensical mix of children’s names, dogs’ names, and birthdates. Unfortunately you get one part of the handshake wrong and have to start over. This time, you get the whole maneuver and the secret combination of words and numbers correct. Moments later, the guard steps aside and lets you through. You see your patient, diagnose a UTI, and follow her out the door. Your next patient is in a neighboring room, where another security guard stands—an identical twin of the first one. Repeat.
Of course this scenario is ridiculous. It could never happen. Yet every day, my colleagues and I go through this interaction with our clinic’s electronic medical record (EMR) login system. Every EMR has a login mechanism to preserve patient privacy. The systems vary as to the stringency of the password requirements—from length (for example, six to eight characters) to complex combinations of specific character types that limit the repetition of certain sequences (for instance, a character can only be repeated twice). The EMR my clinic uses is not a stand-alone system. We need separate user names and passwords to log into the workstation, the inpatient system, the radiology system, the echocardiography system, and the inpatient pharmacy system. To use it, I have to keep track of five user name and password combinations that change at different intervals. I am a technophile and have some understanding of computer security issues, yet I have a hard time remembering which combination of family names, birth dates, and meaningless symbols is the password of the moment.
There is evidence that increasing password complexity actually diminishes information security. That’s because users, frustrated with having to keep track of so many passwords, will circumvent the protections by writing their passwords down, reusing the same ones, or making their passwords very simple. My favorite example of the latter is a physician who used the letters “Q” and “W” (the first two letters on most keyboards) repeated three times as a password.
Then there’s the wasted time. When things are going smoothly, the amount of time needed to log in and log out per patient is fairly minimal—on the order of 15 to 30 seconds for both. This can translate into 5 to 10 minutes of time each day spent logging in to and out of the system. In my clinic, things rarely go so smoothly. The day that I wrote this essay, I entered my password, interviewed a patient who came in with a rash, diagnosed it as eczema, talked about the patient’s asthma, and made some suggestions about how to avoid allergens. I was finishing up the visit by the time the patient’s chart finally appeared on the screen. I then had to log out, which involved about a minute of clicking on a series of small icons on the dimly lit recesses of the screen. Since I type my history of present illness while talking to the patient, I had to spend another few minutes at the end of the day entering my notes into the patient’s chart.
The next day I dug up a poorly documented keyboard shortcut that allows me to log out with only two keystrokes and a mouse click. Just to be clear, I am the type of person who gets excited about discovering poorly documented keyboard shortcuts. Nevertheless, I still manage to lock myself out of patients’ charts several times a day by logging off in the wrong way, making the note I was typing on one computer inaccessible from any other computer.
I often wonder what we are protecting. The EMR could be left open to the patient’s medical record once she is in the room. Since the medical record belongs to her, she should be able to peruse it while waiting for the physician. Since she does not have an electronic signature, she can’t make any changes to the EMR. If she tries to open another patient’s chart, she will find herself locked out. Problem solved.
One day, EMRs may offer a more user-friendly and rational login system. Until then, I will keep my passwords safely on my password-protected PDA. I find entering a password to get a password somewhat ironic, especially when the two are the same. MM
Michael Aylward is an assistant professor of medicine at the University of Minnesota.