Effective Authentication for Acute Healthcare: Acute Healthcare Professionals’ Experiences of Working with Current Methods of Authentication in Computer Systems
Master's Programme in Health Informatics
Spring Semester 2015
Degree thesis, 30 Credits
Author: Gustaf Claesson
Main supervisor: Professor, Sabine Koch, Health Informatics Centre,
Karolinska Institute
Co-supervisor: Senior Analyst, Tom Andersson, Information Security
Governance Section, Swedish Civil Contingencies Agency
Examiner: Senior Researcher, Maria Hägglund, Health Informatics Centre,
Karolinska Institute
Affirmation
I hereby affirm that this Master thesis was composed by myself, that the work
contained herein is my own except where explicitly stated otherwise in the text.
This work has not been submitted for any other degree or professional
qualification except as specified; nor has it been published.
Stockholm, 2015-05-26
__________________________________________________________
Gustaf Claesson
Abstract
Background: Good information security practice is an important part of
healthcare today. Several previous studies indicate that there are problems in how
authentication and access control methods are used by healthcare professionals.
Objective: The objectives of the thesis were to describe how authentication
methods are used in acute healthcare, what problems the participants experience
with authentication methods, and to describe the healthcare professionals’ opinions
about these topics.
Methods: Data collection was conducted using a questionnaire with multiple
choice and free text answers. Most of the questions dealt with information
security practices; for example password sharing, or using colleagues’ accounts
for accessing information. The questionnaire was distributed to managers of 50
different acute clinics in Sweden. The managers were asked to forward it to
physicians, nurses and assistant nurses working in acute health care. A total of 89
participants answered the survey.
Results: Fifty-eight percent of participants experienced problems with
authentication methods. About half of them had good knowledge of security
policy and many saw problems on multiple levels with the way they use
authentication in IT-systems. Fifty-eight percent of the participants claimed that
they need to use their colleagues’ accounts to access information on a regular
basis. Significant differences were seen between physicians and nurses.
Conclusion: There are problems with the way authentication is implemented in
acute health care. The identity logged is not always the identity of the person
performing an action in the system. Further research is needed in order to find
solutions that are appropriate for the environment.
Keywords: Computer Security, Authentication, Information Security,
Healthcare, Compliance
Table of contents
Glossary
List of figures
List of tables
1. Introduction
1.1. Information security in healthcare
1.2. Authentication methods used in healthcare
1.3. Security policies
1.4. Theories from behavioral information security research
1.5. Information security in collaborative and stressful environments
1.6. The quality perspective on security mechanisms
1.7. The socio-technical approach
1.8. The need for socio-technical analysis of security mechanisms
1.9. Aim of the thesis
1.10. Objectives of the thesis
1.11. Research questions
2. Method
2.1. Study design
2.2. Structured interviews
2.3. Questionnaire
2.4. Participants
2.5. Population
2.6. Data analysis
2.7. Ethical considerations
3. Results
3.1. Description of the participants
3.2. The research questions
3.3. Summary of results
4. Discussion
4.1. The research questions
4.2. The results in comparison to previous studies
4.3. The method
4.4. The participants
4.5. Implications of the results
4.6. Suggestions for future work on the topic
5. Conclusion
6. References
7. Appendices
Appendix A Letter to the participants
Appendix B Letter to the managers
Appendix C Follow up letter to the managers
Appendix D Survey introduction page
Appendix E The survey results
Glossary
The definitions of many of the following terms are taken from the NIST
publication NISTIR 7298 Revision 2 Glossary of Key Information Security Terms
by Richard Kissel.
Access control – The process of granting or denying access to information or objects
holding information
Authentication – Verifying the identity of a user, process, or device, often as a
prerequisite to allowing access to resources in an information system
Authorization – Access privileges granted to a user, program, or process or the act of
granting those privileges.
Availability – Ensuring timely and reliable access to and use of information
CIA – The Confidentiality Integrity Availability model for analyzing information security
Confidentiality – Preserving authorized restrictions on information access and
disclosure, including means for protecting personal privacy and proprietary information
Credential – An object or data structure that authoritatively binds an identity (and
optionally, additional attributes) to a token possessed and controlled by a Subscriber.
EMR – Electronic Medical Record
HCP – Health Care Professional
HI – Health Informatics
Integrity – Guarding against improper information modification or destruction, and
includes ensuring information non-repudiation and authenticity.
SITHS-card – Nationally standardized ID card for physical and electronic identification of
employees in healthcare.
List of figures
Figure 1. Amount of participants that had been informed about rules for credential management (N=86)
Figure 2. Amount of participants that could account for credential management rules (N=61)
Figure 3. The frequency of participants need to read information using someone else’s account (N=85)
Figure 4. The frequency of participants need to read information using someone else’s account divided into groups of occupation (N=85)
Figure 5. Participants estimate of their colleagues need to read information using their accounts (N=82)
Figure 6. The frequency of participants need to make notes using someone else’s account (N=85)
Figure 7. Participants’ estimate of colleagues need to make notes using their accounts (N=84)
Figure 8. Amount of participants who experience problems with authentication methods divided into groups of IT-skills (N=89)
Figure 9. Amount of participants who see a danger in letting someone else use their accounts for reading in an EMR divided into groups of profession (N=85)
Figure 10. Amount of participants who see a danger in letting someone else use their accounts for making notes in an EMR divided into groups of profession (N=85)
List of tables
Table 1. Searches for authentication related articles in PubMed.
Table 2. Searches for authentication related articles in Google Scholar.
Table 3. Searches for authentication related articles in IEEE Explore.
Table 4. Compilation of systems and the corresponding authentication methods used by the participants in the structured interview.
Table 5. The table used for the Fisher's exact test for how often physicians need to read information using someone else's account compared to nurses (N=74)
Table 6. The table used for the Fisher's exact test for experience of problems and level of computer skills (N=89)
Table 7. Categories of problems participants experienced with authentication methods (N=49)
Table 8. Categories of reasons why participants need to read information using someone else’s login (N=45)
Table 9. Categories of reasons why participants need to make notes using someone else’s login (N=20)
Table 10. The table used for Fisher's exact test for differences in the opinions of dangers with having someone else use your account to read information (N=85)
Table 11. Categories of the dangers participants see with colleagues using their accounts to read information (N=62)
Table 12. Categories of the dangers participants see with colleagues using their accounts to make notes in an EMR (N=70)
1. Introduction
1.1. Information security in healthcare
Healthcare is an area where information security practices are of high importance.
The information stored in IT-systems used by health care professionals is by its
nature sensitive, and many times directly connected to the patients by name and/or
identification numbers. Everyone who works in healthcare needs to understand that
patient information must be handled with the utmost care and according to
information security best practice.
However, there will be times when compromises between security best practices
and getting the work done must be made – and must be allowed to be made. This is
important for the sake of patient safety. Total security is far from a reasonable goal
in healthcare. The optimal balance most likely lies in “an equilibrium among
multiple criteria, where tradeoffs in security and usability are equally weighted
against the objectives of the system and the needs of its users” (1), as Heckle et al.
described it.
The Patient Data Act (2) regulates information management in Swedish healthcare.
According to this act, information management in healthcare should be organized
in a way that caters for patient safety, good quality and cost efficiency. The act also
states that patient information should be managed in a way that maintains the
confidentiality of patients and other registered parties, and that information must be
managed in a way that makes unauthorized access impossible (2).
Another more specific policy document that complements the law is The National
Board of Health and Welfare’s regulations for information management and record
keeping in healthcare (3). This document is more practical in its nature and specifies
required procedures for health care providers in Sweden.
On a practical level these documents inform us that Health Care Professionals
(HCPs) should only have access to the patient data that they need in order to
perform their work. What they need is defined by the HCP having an
active care relation with the patient. Another level of access control concerns
information in medical records produced by other caregivers. In this case access is
allowed if the HCP has the agreement of the patient and if access to information
can be assumed to be of importance for the care of the patient (2).
To continue, it is the obligation of health care managers to grant HCPs individual
permissions for access to patient data; and in order to maintain the patient’s
confidentiality they must be able to log who is accessing what within the systems
that they keep (2). Logging is also important since it is the patient’s right to claim
to see the logs and also to lock down the access to their medical records if they
choose to (2).
The legal consequences of unauthorized access to patient data are fines or
imprisonment of up to two years (2).
A well-known model for analyzing information security is the Confidentiality,
Integrity, Availability (CIA) triangle (4). The purpose of this model is to analyze
information security as a state of balance between these three concepts. Is it for
example more important that the information is protected (confidentiality) or that
its state is preserved (integrity) or that it is accessible in a timely fashion
(availability)? The three concepts will in some respects work against each other and
the end result will be a compromise where you strive to find the right balance for
the application at hand. The most obvious conflict is probably the one between
confidentiality and availability. It can be illustrated in the most exaggerated way by
claiming that total confidentiality of data can be obtained by disconnecting a hard
drive, putting it in a hole in the ground and pouring concrete into the hole; this will
keep the data confidential but also have a drastically negative effect on availability.
Designing access control in healthcare is difficult because of the sometimes critical
nature of the work, and the fact that timely access to information may be a matter
of life and death. If we were to analyze the situation using the CIA model we would
have a definitive focus on availability rather than on the confidentiality; at least
when it comes to the matter of patient safety. However, patient confidentiality is
also a critical matter here and thus compromises will be made.
The traditional way to manage access to information is based on the assumption
that it can be decided in advance which information a user needs access to; based
on for example a user’s role within a company; this is called Role Based Access
Control (5). If a need for access surfaces the user will probably ask a manager, who
will in turn ask the IT-department, who will grant the user the permission he needs.
However, in healthcare this is many times not sufficient since it could put the patient
safety in danger. We cannot have a situation where a physician needs to access
patient information in an acute situation but is met by a message saying “Access
denied! Contact your system administrator!”.
The solution to this is called Optimistic access control and is described by Lilian
Røstad (6) as “when in doubt – allow” instead of the usual “when in doubt – deny”.
The procedure is now that the user is granted certain privileges but can also choose
to override the access control in order to gain access to information that he or she
deems that there is need for in order to perform the job at hand. The actual
overriding mechanism is sometimes referred to as “Break the Glass” (7). The
security of the system is in this case maintained by reviewing access logs rather
than by the usual preventive method of denying access.
Healthcare managers are, as previously mentioned, required to perform systematic,
recurring access log analysis in order to make sure that no unauthorized access to
patient data occurs. There is also a requirement to have documented routines in
place for how these reviews are to be performed (2, 3).
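The optimistic access control and log review described above can be sketched as follows. This is an added example, not code from the thesis or from any EMR system; the account names, patient identifiers and the rule that an override needs a stated reason are assumptions made for the illustration.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample data: (account, patient) pairs with an active care relation.
CARE_RELATIONS = {("physician_a", "patient_1"), ("nurse_b", "patient_1")}


@dataclass
class AccessLog:
    entries: list = field(default_factory=list)

    def record(self, account, patient, decision, reason=None):
        # The log can only name the authenticated account. If credentials are
        # shared, that is not necessarily the person at the keyboard.
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "account": account,
            "patient": patient,
            "decision": decision,
            "reason": reason,
        })


def request_access(account, patient, log, override_reason=None):
    """Return True if access is granted. Every decision is logged."""
    if (account, patient) in CARE_RELATIONS:
        log.record(account, patient, "granted")
        return True
    # No care relation on file. Optimistic access control lets the user
    # override ("break the glass"), here only with a non-empty stated reason
    # (assumed rule), and the override is logged as such for later review.
    if override_reason and override_reason.strip():
        log.record(account, patient, "break_glass", override_reason.strip())
        return True
    log.record(account, patient, "denied")
    return False


def overrides_for_review(log):
    """The recurring log review: every break-glass access, with its reason."""
    return [e for e in log.entries if e["decision"] == "break_glass"]


def override_counts(log):
    """Overrides per account, so the reviewer can see who overrides most."""
    return dict(Counter(e["account"] for e in overrides_for_review(log)))


if __name__ == "__main__":
    log = AccessLog()
    request_access("physician_a", "patient_1", log)
    request_access("physician_a", "patient_2", log)
    request_access("physician_a", "patient_2", log,
                   "unconscious patient in emergency room")
    for entry in overrides_for_review(log):
        print(entry["account"], entry["patient"], entry["reason"])
```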
1.2. Authentication methods used in healthcare
In order to be able to grant a user access to something in a computerized system
you first need to verify who the person in front of the computer is. This is called
authentication.
There are many different methods for authenticating users in IT-systems. The most
common is probably the username and password combination; but there are also
other ones like software certificates, smart cards, biometric methods etc.
The Health Insurance Portability and Accountability Act (HIPAA), which is used in
the US, requires that vendors of healthcare information systems implement one of
the following three mechanisms for authenticating users: the user gives the system
something she has, the user gives the system something he knows, the user gives
the system something she is (8). These requirements cover all of the above-mentioned
mechanisms, since a smart card or a certificate is something you have, a
password or a PIN is something you know and biometric measurements are
something you are.
In environments where passwords are used, the users are most likely not allowed to
choose a password freely. The system administrator will have implemented a
password policy that dictates and enforces certain demands on the passwords that
users can choose. The idea behind this is to prevent potential attackers from being
able to predict passwords. Common policy criteria for passwords are: length of
password exceeding a certain number of characters, and the presence of at least
three out of the four different character sets (uppercase letters, lowercase letters,
numbers and symbols). Password policies also often dictate how often the
password must be changed and whether you are allowed to choose a password that you
have already used in the system.
In environments where smart cards are used, it is common that you also have a PIN
that you need to enter when using your card. This is called two-factor
authentication. You present the authentication mechanism with something you have
(the smart card) but also with something that you know (the PIN). This adds a
second layer of security since a potential attacker needs to know or be in
possession of more than one thing in order to break into a system (9).
1.3. Security policies
Information security is often governed by written policies. These policies dictate
for example how the users in an organization are supposed to use computers,
manage credentials, and behave when working with systems within the organization
(10, 11). The policies also describe the consequences of violating the policy in
question (10).
Policies may vary in their formality and can range from mathematical precision
to more informally written pieces depending on their intended usage. Well-written
security policies define, according to security researcher Matt Bishop (11), what
secure means for a specific system or a set of systems. Typically the kind of security
policies that are distributed to employees when they start a new job will be very
specific to the environment where they are used and adapted to the specific systems
that the user will use. They will of course vary in how detailed they are in describing
what is and what is not allowed; more security sensitive organizations will usually
have more specific and detailed policies (11).
Policies should, again according to Bishop, begin in generic statements and then go
into more detailed dos and don’ts depending on the specific issues that an analysis
of threats for the specific environment results in (11). The idea behind this is that
the person writing the policy should cover as many potential issues as possible but
only have to describe in detail the ones that seem most important.
The purpose of information security policies is of course to define the level of
security within an organization, but also to increase the security of it by making the
employees aware of the rules and the punishments for breaking them.
1.4. Theories from behavioral information security research
There are several theories used within the study of behavior in information security.
One of the most popular ones is deterrence theory, which is based on the idea that
the threat of punishment is a good predictor of adherence to good security practice
(12). Another one is the theory of planned behavior, which is based on the link
between attitude, subjective norms, behavior control and the actual performance of
the behavior (13).
A recent review of compliance factors for security behavior, however, suggests that
deterrence theory is a rather poor predictor of information security behavior,
while the theory of planned behavior does a fairly good job in this respect. The
conclusion was that emotional and moral factors are more important than logic and
hard facts when it comes to predicting user adherence to security policy (10).
In this thesis behavior and information security practice will be analyzed, primarily,
as an interaction between the users and the systems. The purpose is to investigate if
current authentication methods are appropriate for the environment.
1.5. Information security in collaborative and stressful environments
The origins of computer security are found in the military where the implementation
of the “need to know” principle, with its strict focus on confidentiality and on the
individual who is granted access to information, was the first formal work of
information security (4).
Acute healthcare is, in contrast to the military, a place where availability of
information, sharing of information and team work are prominent features of the
work environment. The potentially stressful task of keeping the patient alive
combined with the collaborative environment can be assumed to put special
demands on the systems that are implemented and the way that the HCPs need to
be able to use them.
The following citations are from the article “Undertaking sociotechnical
evaluations of Health Information technologies” by Cresswell and Sheikh and
illustrate this quite nicely (14):
“In all but a few instances managing patients’ trajectories is a collective collaborative enterprise”
“[the environment is] characterized by the constant emergence of contingencies that require ad hoc
and pragmatic responses”
“Things needs to be dealt with on the spot, by whomever happens to be present, and with whatever
resources happen to be at hand”
It seems natural to assume that structural differences on such a basic level could
lead to vastly different demands on the security mechanisms used and that methods
designed and standardized in another environment may not be well suited for acute
healthcare. According to Baxter et al., acute healthcare is one of the most difficult
areas of healthcare in which to implement IT-systems (15). In the light of this it seems
important to study authentication in acute healthcare. Studying the topic in other
areas of healthcare may also be of importance, but they are likely better suited for
standard methods since they have more in common with other administrative
workplaces in the workflow.
1.6. The quality perspective on security mechanisms
Traditionally information security has been analyzed from a quantitative
perspective. The evaluations have often been focused only on the presence or
absence of the security mechanisms and not on the quality of how they were
implemented, configured or maintained (16).
Investigations of security controls have also usually been separated in the different
perspectives of technical, operational and managerial controls. The need for a more
holistic approach to information security has however been recognized lately (16).
The idea of quality management is to ensure consistent products or consistent
processes within an organization. In order to accomplish this goal all parts of the
work environment and its processes must be subject to quality assurance, planning
and control.
It seems reasonable that a more holistic view on information security, which
takes into account all the different levels of controls as well as qualitative
perspectives of their implementation, will lead to better information security; but in
order to fully understand the state of information security the analysis needs to be
taken a step further and incorporate the perspective of the users. A system will
only be as secure as the behavior of the users lets it be (17). This is also the
perspective that takes us into the field of health informatics. Analysis of information
security from a health informatics perspective is, in my eyes, not to study
information security mechanisms in general but to study how the systems and
methods implemented affect and are affected by the work processes in the
healthcare domain.
1.7. The socio-technical approach
The relationship between users and the IT-systems they work with has lately been
gaining increasing interest as a field of research, both in general IT and in
health care (1, 14, 15, 18, 19). In the literature, this is referred to as the
socio-technical perspective. This way of viewing the interaction can be used to analyze
the effectiveness of the actual systems as well as how implementation of IT-related
regulations in the end affect the quality of care (17).
There is research indicating that introduction of technology in healthcare is a
potential risk when it is not implemented with consideration to existing work
processes (14, 15, 19). The developers’ intended design goal for a technical solution
is not always the same as the result when implemented in an actual environment
(18).
The socio-technical approach (14, 19) suggests that organizational, human and
information technology factors form a system whose parts interact and shape each other.
The introduction of an IT system will of course change the behavior of the people
working with it, but the system should also allow changes to be made due to the
work processes of the people. The central idea is to put the user, their work
processes and relationships on the center stage instead of approaching system
design in a top-down technology centered way (18).
The majority of the literature on this topic deals with complex systems and not with
specific mechanisms or methods. Socio-technical analysis seems to be considered
to be best suited for analyzing complex systems (14). However, the question could
be asked if more specific IT mechanisms could also be risk factors when introduced
in a standardized way without specific concern for the work processes in place. It
seems reasonable that this may be the case especially if we consider mechanisms
and methods that are used many times a day. Even though they may be simple and
specific in their purpose, they can still have a huge impact on the user’s work flow.
There are also indications in the literature that socio-technical factors are a problem in
the implementation of security mechanisms. In a study of the implementation of a single
sign-on solution in health care, it was seen that a mechanism that works fine in
other businesses can actually create security vulnerabilities for the individual user
in healthcare. The researchers considered this to be caused by the application of an
individually oriented mechanism in an environment that is collaborative in its
processes (1).
User workarounds in password policy adherence can definitely be
considered a socio-technical problem. System administrators implement password
policies in order to make the passwords chosen by users more secure, only to see
that the policy also affects the users’ behavior, thus making the end result less
secure. Examples of this are when policy demands make the passwords too
complex to remember and the users write them down, or when users choose
a new password that is basically the same as the old one with, for example, a number
added at the end (20). The intended design goal is not the end result.
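The password policy criteria listed in section 1.2 and the workaround described above can be shown side by side. This is an added example, not code from the thesis; the minimum length, the history depth, the sample passwords and the trailing-digit comparison are assumptions made for the illustration.

```python
import string

MIN_LENGTH = 8      # assumed threshold; the thesis names no specific number
HISTORY_DEPTH = 5   # assumed number of remembered previous passwords


def character_classes(password):
    """Count how many of the four character sets the password uses."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def policy_violations(password, history):
    """Apply the common criteria: length, three of four sets, no reuse.

    `history` holds earlier passwords in plain text only to keep the example
    short; a real system would compare against stored hashes.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too_short")
    if character_classes(password) < 3:
        violations.append("too_few_character_classes")
    if password in history[-HISTORY_DEPTH:]:
        violations.append("reused")
    return violations


def strip_trailing_digits(password):
    return password.rstrip(string.digits)


def is_trivial_variant(new, old):
    """True when the new password is the old one with only its trailing
    number changed or added. The old password is available for this check
    because the user enters it when changing password."""
    if new == old:
        return False
    return (strip_trailing_digits(new).lower()
            == strip_trailing_digits(old).lower())


if __name__ == "__main__":
    # Constructed sample: the user "changes" Winter2014 to Winter2015.
    old, new = "Winter2014", "Winter2015"
    print(policy_violations(new, [old]))   # the policy is satisfied
    print(is_trivial_variant(new, old))    # yet the password is nearly unchanged
```

The policy accepts the new password even though it differs from the old one only in its last digit, which is the gap between design goal and end result that the paragraph describes.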
In a review by Appari and Johnson, from 2010, it is suggested that while the
interaction between users and security mechanisms has been dealt with to some
extent by mainstream information security research, there has not been much
published regarding the situation in healthcare (17). This review was written a few
years ago but there is not much that indicates that the situation has changed since
then.
The tables below display the number of hits for a few search strings using terms
related to the area in the databases PubMed (Table 1), Google Scholar (Table 2)
and IEEE Xplore (Table 3).
Table 1. Searches for authentication related articles in PubMed.
| Search term | Hits |
|---|---|
| Authentication computer user | 141 |
| "Security Measures"[Mesh] AND authentication | 229 |
| "Security Measures"[Mesh] AND authentication AND attitude | 2 |
| "Security Measures"[Mesh] AND computer AND password | 67 |
| "Security Measures"[Mesh] AND computer and password and attitude | 4 |
| (computer security[MeSH Terms]) AND authentication | 193 |
| (computer security[MeSH Terms]) AND authentication AND user | 76 |
| attitude to computer[MeSH Terms] AND security | 170 |
| attitude to computer[MeSH Terms] AND authentication | 2 |

Table 2. Searches for authentication related articles in Google Scholar.
| Search term | Hits |
|---|---|
| allintitle: healthcare authentication | 67 |
| allintitle: healthcare password | 4 |
| allintitle: healthcare security quality | 7 |
| allintitle: healthcare computer security | 4 |

Table 3. Searches for authentication related articles in IEEE Xplore.
| Search term | Hits |
|---|---|
| Authentication and healthcare | 209 |
| Authentication and healthcare and user | 74 |
| Healthcare and password | 15 |

Among these published articles very few are directly relevant for the study of user
and security mechanism interaction. Most of them go into technical aspects of
authentication methods; and the few ones that are taking the users into account
mostly look at what they do or fail to do, not why.
1.8. The need for socio-technical analysis of security mechanisms
There are indications in literature that health care professionals misuse the
authentication methods used by IT-systems in healthcare.
In a study from Norway, 21 % of the respondents from a hospital setting reported
to often – half of the times or more – document their work in the name of another
person (21).
In an article by Åhfeldt et al, based on field observations of Swedish HCPs’
computer use, it is suggested that users are not taking responsibility for their use of
authentication and that: “It seems obvious that some users do not really understand
why the log-on procedures and authority control systems exists” (22).
A Delphi study from the UK by Deursen et al, with participants from the field of
IT-security in healthcare, identified the most probable scenarios for information
security breaches; here sharing of passwords or other access tokens was considered
one of the most likely incident types (23).
Healthcare is often considered to be an area where it is difficult to implement
computer systems. For different reasons it seems that systems that can be
successfully implemented in other business areas are not suited for this particular
environment; and that specific strategies already in the development phase are
needed to successfully implement them in this environment (15). One such strategy is the
active participation of domain users in the development and implementation of
systems (18).
It has also been concluded that security is as much about human processes as it is
about technology (7) and that the incentives for the users will dictate how they
interact with access control and thus the effectiveness of the solution (24).
In the light of this it is necessary to look further into if and how the previously
mentioned indications of misuse of authentication mechanisms are related to the
user’s workflows and also their opinions about authentication methods used today.
The attitudes and opinions of HCP regarding authentication methods should be an
indication of implementational success since it is something that they deal with
many times a day and since many of the HCPs are likely to have opinions about the
way technology puts demands on their work process (15).
It also seems reasonable that technical implementations that are disruptive (which
authentication methods inevitably are) should be studied in the light of their impact
on the people working with them (14).
1.9. Aim of the thesis
The aim of this thesis was to find out if current implementations of authentication
methods in acute healthcare are effective, or if the professionals working in the
domain experience any systematic problems that need to be addressed in the
design and implementation of future systems.
1.10. Objectives of the thesis
The objectives of the thesis were to describe: how authentication methods are
used in acute healthcare, what problems the participants experience with
authentication methods, and to describe the healthcare professionals’ opinions
about these topics.
1.11. Research questions
RQ1: Are HCPs in the acute healthcare setting using authentication methods as they
are intended to be used?
RQ2: Which are the main problems that the HCPs experience with current
authentication methods?
RQ3: What concerns do HCPs have about the problems they experience with
authentication methods?
2. Method
2.1. Study design
This study was designed to be descriptive and analytic. This approach was taken in
order to investigate to which degree acute healthcare professionals experience the
problems that were indicated in previous studies, if there were other problems
present, and finally to see what dangers they could see with these problems.
Socio-technical evaluations are often diverse in their designs utilizing both
qualitative and quantitative methods in order to better investigate and analyze the
interactions of systems and humans (14). During the planning phase it was decided
that this thesis would be based on two phases of data collection. The first was a
small structured interview with the main purpose of exploring the environment in
regard to which IT systems are used and what methods of authentication they use.
The second was an online survey in the form of a questionnaire with the purpose
of collecting as many opinions of authentication methods as possible. The design
of the survey was based on an informal workshop with four information security
experts.
The choice of using a questionnaire for data collection was due to the benefit of
being able to collect information from as many participants as possible. Adding
further weight to this motive is also the fact that questionnaires are considered
appropriate for “quantitative studies of subjective aspects” (25). There was also the
notion that most previous studies on the topic have been conducted as observations
or qualitative interviews; therefore it was decided that in order to make progress,
the best approach would be to make a quantitative survey. According to a review
of Information Security research from 2014, the most popular method behind
reports in the field has been Subjective-Argumentative research (26).
Since the specific subject of this thesis had not been deeply researched before, a
strictly quantitative approach would have been difficult to put into context for
analysis. In order to compensate for this a few free text questions were included in
the questionnaire. The answers to these questions were analyzed both qualitatively
using content analysis and quantitatively using word frequency analysis.
The choice of a web survey was further motivated by its ability to keep a distance
between the researcher and the participants. We wanted to grant them as much
anonymity as possible, since questions about behavior regarding security practices
could be seen as sensitive and maybe even perceived as blaming. Underreporting
of misbehavior is a problem for surveys in general and needs to be specifically
addressed when researching a topic like this (27). A web based questionnaire ought
to be among the best ways to make participants disclose their true opinions in a
survey (28). Even though the anonymity of doing things “behind the computer
screen” can (and should in the case of IT-security related work) be argued, it seems
that many people today experience a sense of anonymity when expressing
themselves on a computer over the Internet (28).
In order to gain and maintain the trust of the participants, a few measures were taken
when configuring the collection system and designing the survey. The collection
system was configured to not register the IP addresses of the computers that the
participants used to register their answers. The survey was also designed to not
collect information with which the participants could be identified. Information
about these privacy measures was given to the managers and to the participants in
the letters used when asking for their participation and in the beginning of the
questionnaire.
The letters can be seen as Appendix A, B and C.
2.2. Structured interviews
In order to build a basic understanding of the topic to be studied, structured
interviews were performed. Four open ended questions were distributed to three
physicians from three different disciplines and three different geographic locations
in Sweden. One participant was interviewed in person and two participants
answered the questions by replying to an email they had received. In some cases
follow up questions were asked in order to clarify their responses.
The method of participant selection used in this step was purposive convenience
sampling; all three physicians were previously known by the author and represented
different areas of healthcare. This approach was considered appropriate since the
purpose of these interviews was not to gather statistical information, but simply to
provide information on how authentication is used in healthcare.
The choice of method (conducting structured interviews via e-mail) was also
primarily one of convenience; both for the author who did not have to transcribe
recorded interviews, and for the participants who were able to answer the questions
at their own convenience. However, there were also other benefits of this method
compared to for example face-to-face interviews or phone interviews. Email
interviews seem to make the respondents more focused on the questions at hand;
they are also more likely to disclose the truth in sensitive matters, and they are more
likely to think about their answers on a deeper level before submitting them (28).
There are, of course, also negative effects of choosing email interviews. For
example, it puts a greater demand on the participants’ ability to express themselves
in written form, and it makes direct probing of questions impossible (28). Both these
problems were handled by follow up questions in email form for the two
participants that answered the questions in this way.
The main purpose of the interviews was to find out what IT systems the participants
used and which methods of authentication they used in order to login to these
systems. The interviews also included questions about any problems that the
participants experienced with authentication methods and also their self-evaluated
knowledge about routines regarding authentication information in their workplace.
The results of these interviews were used both as discussion material for a workshop
held with four information security experts from MSB and as material when
constructing questions for the web survey.
Table 4 displays the systems and corresponding authentication methods that the
participants of the structured interviews used. Each participant reported to use
between seven and eight different systems and used between two and seven
different credentials for authentication in these systems.
Table 4. Compilation of systems and the corresponding authentication methods used by the participants in the structured interview.
| Participant | Discipline | Systems* | Authentication methods |
|---|---|---|---|
| 1 | Acute health care / cardiology | Hospital network | SITHS-card + PIN(1**); HSAID + password(2); Shared account + password(3) |
| | | EMR system | HSAID + password(4) |
| | | X-Ray system | HSAID + password(5) |
| | | Intranet | No log in |
| | | EKG system | Shared account + password (6) |
| | | Regular prescription system | SITHS-card + PIN(7); HSAID + password(4) |
| | | Special prescriptions system | SITHS-card + PIN(1) |
| 2 | Psychiatry | Hospital network | Personal username + password(1) |
| | | EMR | Personal username + password(1) |
| | | Medical certificate system (Sjukintygssystem) | SITHS-card + PIN(2) |
| | | Lab and X-ray ordering system | Integrated to EMR |
| | | Prescriptions system | SITHS-card + PIN(3) |
| | | Intranet | No log in |
| | | Time report system | Personal username + password(1) |
| | | EMR for primary care | Personal username + password(1) |
| | | Booking system | Personal username + password(1) |
| 3 | Anesthesiology | Network | Shared username + password; Personal username + password(1); Siths card + password(2) |
| | | EMR system | Siths card + password(2); Personal username + password(3) |
| | | Operation planning system | Siths card + password(2); Personal username + password(3) |
| | | X-ray system | Access through EMR |
| | | Quality registry system | Access through EMR |
| | | Clinical decision support system | Access through EMR |
| | | Administrative system | Personal username + password(3) |
| | | E-prescription system | SITHS card + password(2) |

*The terms used for the types of system are the participants’ own.
**The number indicates for which of the systems the passwords or PINs are the same.
2.3. Questionnaire
The tool chosen for designing the online survey was Survey Monkey
(www.surveymonkey.com), which is a cloud service for designing questionnaires
and collecting and analyzing survey data. The reason for this choice was that the
collaboration partner at MSB (the Swedish Civil Contingencies Agency) had
experience in the configuration and use of it.
Before construction of the questionnaire began, a workshop was held with
information security experts from MSB. The purpose of this meeting was to find
the best way of approaching question design, using the results of the structured
interviews as a foundation, and to collect best practice suggestions on how to collect
data on a sensitive subject.
The questionnaire was designed to be mostly quantitative using multiple choice
questions, but a few questions with free text answers were created in order to enable
deeper exploration of the participants’ opinions and their possible diversity (29).
Socio-technical studies are meant to focus on processes (14); therefore the questions
in the questionnaire were designed to be on the topic of the participants’ opinions
regarding how authentication interacts with their work flows and possible problems
that they may experience.
The questionnaire was designed to start with questions that would put the
participant in the mindset of thinking about authentication by asking about the
specific methods he or she used in the work place and if there were any problems
present with these methods. After this, the questionnaire took the participant into
questions about policies and rules governing the authentication information. Next,
the main part of the questionnaire dealt with questions about what was hypothesized
as the potentially biggest problem in a collaborative environment, the usage of
colleagues’ accounts and sharing of credentials. The questionnaire ended with four
demography questions that were included with the purpose of dividing the
participants into groups for analysis and in order to control the representation of
different categories in the sample group. The groupings chosen were: occupation,
age, computer literacy and geographic location.
After the design of questions was completed, a few measures were taken in order
to validate the questionnaire. The questions were discussed on multiple occasions
with both supervisors of the thesis in regard to content, wording and order. Before
the invitation to the survey was distributed, a pilot group of three health care
professionals was asked to fill out the questionnaire and comment on the wording
of questions and any ambiguities they could notice. A more scientific approach to
validation did not seem necessary (25) or possible within the scope of this project.
The questions of the final questionnaire can be seen in translated form in Appendix
E together with a summary of the answers. The questionnaire was distributed to the
participants in Swedish.
2.4. Participants
Participants were recruited by approaching acute healthcare managers in 50
hospitals in Sweden (10 in northern Sweden, 18 in middle Sweden and 22 in
southern Sweden). An email with information about the study, a link to the
questionnaire and a kind request for their approval and help to distribute the link to
at least three but preferably as many as possible of their employees was sent to the
managers of the acute clinics at all hospitals included. All communication with the
managers and the participants was done in the name of MSB.
The managers were asked to distribute the survey to physicians, nurses and assistant
nurses, since these were considered the interesting occupations for this study,
given that their jobs are of the collaborative kind while other professions that may
be present in the acute clinics are likely more administratively focused.
The first invitation resulted in 18 positive answers from managers who wanted to
participate and agreed to send the link to their employees. Two weeks after the
initial invitation was distributed a reminder (Appendix C) was sent to all the
managers that had not yet responded. Two weeks after the reminder was sent the
survey was closed for participation. At this time we had responses from 19
managers and a total of 89 participants.
As can be expected, there was a certain decline in the number of people who
answered the questions from the start to the end. Eighty-two participants answered
the last question.
2.5. Population
The population that the results of this survey were intended to describe consisted of employees
in acute healthcare in Sweden in the occupations physicians, nurses and assistant
nurses. At the time of this project there was no database with information about this
group. In order to estimate the population size we reached out to both The National
Board of Health and Welfare and the Swedish Association of Local Authorities and
Regions but neither of these associations had any statistics regarding the size of the
population. The best option was to try and estimate the population size according
to the following calculation.
The Swedish Medical Association (SMA) has 46 500 members, out of which 33 600
are working (the rest are students or retirees). According to the National Board of
Health and Welfare, there were in 2012 close to 42 000 physicians active in Sweden.
This led us to assume that three out of four physicians are members of the SMA.
The Swedish Society for Emergency Medicine, one of the sub-divisions of SMA
has 250 members. If we assume that the distribution of physicians being members
of the SMA is the same for all specialties, then there should be about 330 active
physicians in acute healthcare. Also according to the National Board of Health and
Welfare there are two specialist nurses for every specialist physician, so we assume
that there are 660 nurses active in acute healthcare. According to the Swedish
Association of Local Authorities and Regions there are five assistant nurses for
every seven nurses, so we then assume that there are 470 assistant nurses. These
assumptions gave us an estimated population of around 1500 healthcare
professionals working in acute healthcare in Sweden.
This calculation can be questioned in many ways, particularly since physicians are
not usually employed at the acute clinics but in other clinics under other specialties
and then assigned to work part time in the acute clinic. The specialty of acute
physician is rather new in Sweden and they only account for a part of the
physicians active at the acute clinics (30). With this in mind, the number 1500 can
be seen as a rough estimation made in order to relate the size of the sample to the
population.
2.6. Data analysis
The answers from the structured interviews were compiled and presented using the
participants’ own descriptions of the type of systems they used, and which types of
authentication methods were used by these systems.
The answers to the questions about if they were content with the authentication
methods they use and if they could account for the rules governing these were only
used to see if there was any indication of problems regarding authentication
methods and the policies regarding these.
The answers to the online survey were analyzed in a few different ways. First, all
answers to questions with predefined answers were compiled as a group with all
participants. Secondly, they were compiled in groups separated by the three
demographic questions (age, occupation and computer literacy). The results from
this division were used in order to identify differences between the groups.
The answers to the open-ended questions were analyzed using word frequency
analysis with a feature built into the survey system Survey Monkey. One must be
careful when drawing conclusions from word frequency analysis, since the words
occurring the most may not always reflect the concepts of most concern in the
material at hand (31). Also, things like synonyms and the fact that some words may
bear multiple meanings must be considered.
Due to these limitations, the word frequency analysis was used in combination with
another method of content analysis as described by Zhang and Wildemuth (32).
The steps taken in the content analysis were:
- To define the unit of analysis to be “themes”. In the article (32) this is
  described as a single word, a phrase, a sentence, a paragraph or an entire
  document that has the common property of expressing a delimited idea
- To develop categories and a coding scheme. The categories were developed
  in an inductive manner from the collected data during the coding and added
  to a table as they were identified. Since the author of the thesis performed
  all the coding no coding manual was developed
- Coding of the text. Coding of all the answers was performed on two
  different occasions in order to assess the coding consistency
Since the sampling of participants was not random, any statistical tests that were
applied could not formally be used to generalize the results to the population.
Fisher’s Exact Test for Count Data (33) was however applied to a few of the
questions, where seemingly interesting differences were seen between the groups,
with the purpose of summarizing more promising lines of future research.
2.7. Ethical considerations
The collection system Survey Monkey is provided by an American company and
the results are stored on their servers. It was important that no personal information
was collected both due to ethical standards and to regulations governing the work
of MSB.
It was also important to preserve the respondents’ privacy since we asked for
possibly sensitive information regarding their work practices. The data collection
was therefore set up to be anonymous and no personally identifiable information
was collected or disclosed in the report. There was also no information shared
regarding the users in a specific location with the managers at that location. The
survey system was set up in order to not register IP addresses of the respondents.
Since the survey was distributed to the participants via their managers, we made
sure to inform the participants in the letter accompanying the survey that
participation was not mandatory.
3. Results
Included in this section of the thesis are the most important results. For a complete
summary of all answers to the multiple choice questions and the results of the word
frequency and content analysis see Appendix E.
3.1. Description of the participants
The last four questions of the questionnaire were demographic questions; these
were included in order to enable evaluation of the representativeness of the sample
since we could not use a random one. The participants were asked how old they
were, in what part of Sweden they were primarily employed, what their profession
was, and asked to rate their computer literacy.
Three other questions in the survey were also included with the purpose of
describing the participants rather than to answer the research questions. These
concerned what authentication methods the participants used and whether or not
they had been given information about rules regarding login information and if they
could account for these rules.
Regarding the age distribution of the participants, two percent were 25 years old
or younger, 62% were between 25 and 45 years of age and 35% were above 45
years of age.
The geographic distribution of the participants was uneven with 10% of
participants saying that they primarily worked in the northern part of Sweden, 24%
that they worked in middle Sweden and 66% that they worked in southern Sweden.
There were also no physicians from northern Sweden represented in the sample.
The distribution that could be expected from the number of hospitals approached in
the different parts of Sweden was 20% in the northern part, 36% in middle Sweden
and 44% in the southern part.
The survey was intended for three different professions within acute healthcare;
physicians, nurses and assistant nurses. Twenty-four percent of the participants
were physicians, 55% were nurses and 11% were assistant nurses. Ten percent of
the participants answered that they had other occupations.
The other occupations mentioned were IT-manager and nurse, manager, unit
manager, coordinator etc. No participants were excluded since they had been judged
by the managers to be of the targeted professions and could be assumed to be based
in the targeted professions even though they may at the time of the study have had
a different title.
The participants were also asked to grade their level of computer literacy according
to four different statements of computer skill. Six percent of the participants
answered that they only used computers at work and never in their spare time, 50%
answered that they used computers at work and that they also used e-services for
personal use, 27% answered that they were able to install software on a computer
that they owned and 17% answered that they had an interest for IT and that they
were able to configure more advanced software.
As described in the background, different methods for authentication are used within
healthcare. The participants were asked which methods they use in their workplace.
Eighty-two percent said they use username and password, 23% that they use
HSAID (which is an ID number given to all the employees of certain county
councils in Sweden) and password, and 78% that they use a specific kind of smart
card (SITHS-card) issued to HCPs in municipalities and county councils in Sweden.
The questionnaire contained two questions about the participants’ knowledge about
policies governing the use of authentication; the results can be seen in Figure 1 and
Figure 2. First, they were asked if they had been informed about any rules regarding
how they are supposed to handle their credentials.
Figure 1. Amount of participants that had been informed about rules for credential management (n=86)
In order to follow up on the question about rules the participants who said that
they had been informed were asked if they would be able to account for the rules
that they had been informed about.
[Figure 1, bar chart. Question: “Have you at any time been given information about rules governing the use of login information?” Yes 71%, No 21%, I do not know 8%.]
Figure 2. Amount of participants that could account for credential management rules (n=61)
3.2. The research questions
The remainder of the questions included in the questionnaire were designed to
collect information that could be used to answer the three research questions posed
in the beginning of the thesis. Below, each research question has its own sub-
heading where the results relevant for that particular question are presented.
3.2.1. Are acute healthcare professionals using authentication methods as they are intended to be used?
Six of the questions in the survey were designed to answer the first research
question and the results were as follows.
One of the most important aspects of information security practice relating to
authentication is that you do not share your password with others. The participants
were asked how many of their colleagues may have known their workplace
login information, and how many of their colleagues’ login information they knew.
Ninety-one percent (n=84) answered that none of their colleagues may know their
credentials; and 88% (n=84) answered that they did not know anyone else’s
information.
Another important aspect of authentication is that you do not let anyone else use
your account to perform work in a system. The participants were therefore asked
how often they faced a need to use someone else’s account in order to read
information in an EMR system.
[Figure 2, bar chart. Question: “If a new colleague would ask you about the rules, would you be able to account for them?” Yes, completely 16%; Yes, mostly 54%; Yes, to some extent 23%; No 7%.]
A total of 58% of the participants (n=85) answered that they sometimes need to
view information in a medical record system using someone else’s account. Figure
3 displays the distribution in regard to how often the participants faced this need.
Figure 3. The frequency of participants’ need to read information using someone else’s account (n=85)
An observation in the results was that physicians seemed a lot more likely to often
face this need than nurses and assistant nurses. Figure 4 shows the distribution in
regard to the different professions.
Figure 4. The frequency of participants’ need to read information using someone else’s account divided into groups of occupation (n=85)
[Figure 3, bar chart. Question: “How often is it necessary for you to read information in an EMR using someone else's account?” On daily basis 14%, On weekly basis 16%, On monthly basis 7%, Less often 21%, Never 41%.]
[Figure 4, grouped bar chart. Question: “How often is it necessary for you to read information in an EMR using someone else's account?” Categories: Daily, Sometime every week, Sometime every month, Less often, Never. Data labels by series, in category order: Physician 25%, 30%, 15%, 5%, 25%; Nurse 13%, 11%, 2%, 28%, 46%; Assistant Nurse 11%, 22%, 11%, 22%, 33%.]
Fisher's Exact Test for Count Data showed a significant association between the
professional role and using accounts of colleagues for reading patient information
(p<0,01). Physicians were more inclined than nurses to use the accounts of others.
Since the sample of assistant nurses was small they were excluded from this test.
The groups tested can be seen in Table 5.
Table 5. The table used for the Fisher's Exact Test for how often physicians need to read information using someone else's account compared to nurses (n=74)
| | At least monthly | Less frequently or never |
|---|---|---|
| Physician | 14 | 6 |
| Nurse | 16 | 38 |
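
The test reported above can be reproduced from the counts in Table 5. The following is an added example, not code from the thesis; it assumes the usual two-sided definition (summing the probabilities of all tables that are no more likely than the observed one), and the function names are hypothetical.

```python
from math import comb


def table_weights(a, b, c, d):
    """Unnormalised hypergeometric weights for every 2x2 table that keeps
    the observed row and column totals, keyed by the top-left cell."""
    row1, col1, n = a + b, a + c, a + b + c + d
    lo, hi = max(0, row1 + col1 - n), min(row1, col1)
    weights = {k: comb(row1, k) * comb(n - row1, col1 - k)
               for k in range(lo, hi + 1)}
    # By Vandermonde's identity the weights sum to comb(n, col1).
    return weights, comb(n, col1)


def fisher_exact(a, b, c, d):
    """Return (two-sided p, one-sided p for 'top-left cell at least a').

    Integer arithmetic is used for the comparison so that tables exactly
    as likely as the observed one are counted without a float tolerance.
    """
    weights, total = table_weights(a, b, c, d)
    observed = weights[a]
    two_sided = sum(w for w in weights.values() if w <= observed) / total
    greater = sum(w for k, w in weights.items() if k >= a) / total
    return two_sided, greater


def odds_ratio(a, b, c, d):
    """Sample odds ratio; infinite when an off-diagonal cell is empty."""
    return float("inf") if b * c == 0 else (a * d) / (b * c)


# Counts from Table 5: (at least monthly, less frequently or never).
PHYSICIAN = (14, 6)
NURSE = (16, 38)


def table5_result():
    a, b = PHYSICIAN
    c, d = NURSE
    p_two_sided, p_greater = fisher_exact(a, b, c, d)
    return {
        "p_two_sided": p_two_sided,
        "p_greater": p_greater,
        "odds_ratio": odds_ratio(a, b, c, d),
    }


if __name__ == "__main__":
    for name, value in table5_result().items():
        print(f"{name}: {value:.4f}")
```
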
The participants were also asked how often someone else used their accounts to
read information in an EMR-system.
A total of 67% of the participants (n=82) answered that a colleague of theirs sometimes
used their account to view information, and another 10% did not know how often
this happens. So depending on how we interpret the “I do not know” answers, we
may have up to 77% of the participants being subject to someone else using their
accounts to read information. Figure 5 displays how often the participants were
subject to this practice by their colleagues.
Figure 5. Participants’ estimate of their colleagues’ need to read information using their accounts (n=82)
[Figure 5, bar chart. Question: “How often does a colleague of yours use your account to read information in an EMR?” On daily basis 13%, On weekly basis 21%, On monthly basis 13%, Less often 20%, Never 23%, I do not know 10%.]
Reading information in a system and having the action logged in the name of
another user is a concern when the system for access control is based on review of
logs; especially when an important part of the information security philosophy is
confidentiality. Something that makes things even more complicated is if you write
information in a system using someone else’s account; this breaks the traceability
of information entered into the system.
However, the practice of writing information with someone else’s account was less
common. Twenty-eight percent of the participants (n=85) answered that they
sometimes need to input information in a medical record system using someone
else’s credentials. Figure 6 shows the distribution of how often the participants
needed to make notes in an EMR-system using a colleague’s account.
Figure 6. The frequency of participants’ need to make notes using someone else’s account (n=85)
Thirty-one percent of the participants (n=84) answered that a colleague of theirs
sometimes used their account to input information. However, another 11% of the
participants reported that they did not know how often colleagues used their login
to enter information. The percentage of participants whose accounts are sometimes
used by someone else for writing information could thus possibly be as high as
42%. The complete distribution of the participants can be seen in Figure 7.
[Figure 6 plot: "How often is it necessary for you to make notes in an EMR using someone else's account?" On daily basis 0%, on weekly basis 5%, on monthly basis 1%, less often 22%, never 72%.]
Figure 7. Participants’ estimate of colleagues’ need to make notes using their accounts (n=84)
3.2.2. Which are the main problems that the healthcare professionals experience with current authentication methods?
In order to investigate the second research question, the participants were first asked
if they experienced any problems with the authentication methods they used. Fifty-
eight percent of the participants (n=89) answered that they did experience problems
and 42% that they did not.
An observation from the results regarding this question was that the number of
participants who reported that they experienced problems seemed to rise steadily
with each increasing step of self-reported computer skill; this can be seen in Figure 8.
[Figure 7 plot: "How often does a colleague of yours use your account to make notes in an EMR?" On daily basis 0%, on weekly basis 6%, on monthly basis 4%, less often 21%, never 58%, I do not know 11%.]
Figure 8. Amount of participants who experience problems with authentication methods divided into groups of IT-skills (n=89)
Fisher's Exact Test for Count Data showed a significant association (p<0,05)
between the level of computer skill and the experience of problems when the
participants were divided into two groups, poor computer skills and good computer
skills. The groups tested can be seen in Table 6.
Table 6. The table used for the Fisher's Exact Test for experience of problems and level of computer skills (n=89)
Computer skill group | Experienced problems | Did not experience problems
I use IT (computers) at work but never at home & I use IT at work, but also for personal use. I then use computers, smart phones or tablets in order to use e-services on line. | 17 | 23
I use IT at work, but also for personal use. I use e-services but can also install software on my own computer & I have an interest for IT and can manage an operating system and configure advanced software. | 20 | 10
[Figure 8 plot: "Do you experience any problems with the methods you use for logging in?" Yes / No by self-reported IT skill group:
I use IT (computers) at work but never at home: 0% / 100%
I use IT at work, but also for personal use. I then use computers, smart phones or tablets in order to use e-services on line: 49% / 51%
I use IT at work, but also for personal use. I use e-services but can also install software on my own computer: 62% / 38%
I have an interest for IT and can manage an operating system and configure advanced software: 79% / 21%]
In order to understand what specific problems the employees of acute healthcare
may face, when it comes to authentication, everyone who answered that they did
experience problems were asked to state what problems they had experienced. The
word frequency analysis of these free text answers revealed that many of the
participants mentioned cards, passwords and time in their answers. Looking further
into this question, the content analysis generated 10 categories of problems. These
categories are shown in Table 7.
Table 7. Categories of problems participants experienced with authentication methods (n=49)
Category | Number of answers coded with the category
Logging in takes too much time | 21
There are too many different credentials to keep track of | 14
I forget to take my card out of the computer | 9
It is problematic that the card has multiple functions (log in to computer, open doors, use printer etc.) | 8
There is no automatic log off feature | 6
There are technical problems with the card readers | 6
The passwords expire too often | 3
Passwords are easily forgotten | 2
The password policy makes me write the password down | 1
The password policy makes me choose weak passwords | 1
Many of the participants experienced that logging in, especially when using smart
cards, took too much time and that it was a problem that the cards were also used
for other things than logging in (opening doors, using the printer etc.). Below are
some citations that illustrate these problems further:
”When you use the smart card there is a great risk that you forget it in the computer. And I always
leave it in the computer for the duration of my shift so during long periods my login is open and
unprotected. It is impossible to work if you are to log in and out all the time”
”easy to forget to log out, which leads to writing using others logins”
”It’s cumbersome with the smart cards that have to be in the computer. You get logged out if you
need the card to use the printer”
”It’s a hassle with different logins and many different logins to different systems. A hassle with using
the same card for login to the EMR as for opening doors. This leads to a great risk of leaving the
card behind and not being able to open a door in an acute situation. The smart card login does not
always work, cumbersome and dangerous in acute situations”
Two of the answers contained direct suggestions for how the authentication
methods could be improved. These two are cited below.
”It takes time to open the computer with the smartcard, logging out when you pull the card,
forgetting the card in the computer, even though it is in the ER my data is available. I would like it
if the card was wireless and gave access when I am within 10 cm from it”
”When I use different computers it would have been more convenient to launch the system where I
left off at the previous computer. Now username and passwords and additional software (Lab-module)
needs to be selected before overview and the correct patient can be chosen.”
The participants were also asked about the main reasons why they need to read, and
the main reasons why they need to write information in an EMR using someone
else’s credentials.
The word frequency analysis of reasons for reading using someone else’s account
revealed that someone else being logged in was a common reason, time was another
one (as in it takes too much) and the acuteness of the situation was a third. The
content analysis confirmed this and added some more nuance, as shown in Table 8.
Table 8. Categories of reasons why participants need to read information using someone else’s login (n=45)
Category | Number of answers coded with the category
The computer is already logged in with another account | 15
It saves time due to convenience | 14
It saves time since the acuteness of the situation demands it | 13
I have forgotten/left my card in another computer | 8
There is a lack of computers | 8
There are technical problems with my login | 5
We work as a team and only one person can/needs be logged in | 4
A colleague asks for my opinion | 3
The password expired | 2
Below are some citations from the answers that further illustrate the more common
reasons for using others' accounts to read information in the EMR:
“Maybe I am writing a referral or another document that locks my computer. The colleague/nurse
wants an advice about a patient and I will then read the info directly from his/hers screen. In that
way I avoid the hassle of entering that patients journal, which may not be the most correct way since
I do not get the care relation to that patient.”
“Not access to one computer per user and in acute situations one person logs in to the computer
and then it is used by everyone in the room”
“Big buildings, I circulate and making rounds with other physicians and have no possibility to log
in on my own computer every time. It is physically impossible since there are no extra computers,
but even if there was it would not be possible due to the time we have available”
“I need information fast and my card is locked in the computer where I am logged in. I am in another
part of the hospital/clinic and since it takes several minutes to log in to a new computer I have not
brought my card but have let it stay in another computer to save time”
“Someone is always logged in to a computer. In acute situations it is not ever interesting to log out
and then log in using your own credentials but you rather have to get the information you need fast”
“Colleague logged in to the only computer in e.g. triage or ER. All/most in the room need to take
different information from the patient record at the same time. I see no danger in a colleague reading
the record using my account in this situation”
“There are (almost) not absolute reasons, relative reasons are stress, forgot the card etc. where
stress and laziness takes over”
The responses to the question regarding reasons for writing information using
another person’s account were too few to make a meaningful analysis of word
frequency. The content analysis (Table 9) however revealed some differences
compared to the results of the question regarding reading of information.
Table 9. Categories of reasons why participants need to make notes using someone else’s login (n=20)
Category | Number of answers coded with the category
It saves time due to convenience | 6
I do it by mistake | 5
We work as a team and only one person can/needs be logged in | 4
There are technical problems with my login | 4
It saves time since the acuteness of the situation demands it | 2
Below are some citations that illustrate the categories identified.
"By mistake when I haven't realized that someone else has logged into a computer that I use"
"We are more than one caregiver with the patient and it takes too long to change user"
"Has happened when I am in a hurry and do not have time to log in, or that my card is still in my
workstation and I am far away from it and do not have time to go and get it"
"Technical problems with my own account"
3.2.3. What concerns do healthcare professionals have about possible problems due to the way authentication methods are used?
In order to investigate the third research question of the thesis the participants were
asked if they could see any dangers with their accounts being used by their
colleagues. Seventy-seven percent of the participants (n=85) considered it to be a
problem if colleagues use their accounts to read information in a medical record
system while 23% did not see a problem with this.
An observation from these results was that physicians were a lot less likely than
the other professions to consider this a problem, as seen in Figure 9.
Figure 9. Amount of participants who see a danger in letting someone else use their accounts for reading in an EMR divided into groups of profession (n=85)
Fisher's Exact Test for Count Data showed a significant association between
professional role and the self-assessment of risk (p<0,01). Nurses were more
inclined than physicians to state a risk. Here nurses and assistant nurses were
grouped together since their answers were similar in their distribution. As a
reminder, we do not know whether the sample of physicians and nurses was
representative for the population and can thus not generalize this finding. The
groups used for the test can be seen in Table 10.
Table 10. The table used for Fisher's exact test for differences in the opinions of dangers with having someone else use your account to read information (n=85)
Profession | Yes | No
Physicians | 10 | 10
Nurses/Assistant nurses | 47 | 8
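The significance claims attached to Table 5 and Table 10 can be rechecked directly from the printed cell counts. The following is an added example, not code from the thesis; it assumes the usual two-sided definition of Fisher's exact p-value (sum over all tables with the same margins that are no more likely than the observed one), which the thesis does not spell out.

```python
from math import comb

# Cell counts exactly as printed in Table 5 and Table 10 of the thesis.
# Layout: (a, b, c, d) for the 2x2 table [[a, b], [c, d]].
TABLES = {
    "Table 5 (reads via someone else's account)": (14, 6, 16, 38),
    "Table 10 (sees danger in shared reading)": (10, 10, 47, 8),
}


def fisher_exact_two_sided(a, b, c, d):
    """Two-sided Fisher's exact p-value for the table [[a, b], [c, d]].

    With both margins fixed, the top-left cell follows a hypergeometric
    distribution. The p-value adds up every possible table that is no
    more probable than the observed one (assumed definition, see lead-in).
    """
    row1, row2, col1 = a + b, c + d, a + c
    total_tables = comb(row1 + row2, col1)

    def prob(x):
        # Probability that the top-left cell equals x given the margins.
        return comb(row1, x) * comb(row2, col1 - x) / total_tables

    lo, hi = max(0, col1 - row2), min(row1, col1)
    p_observed = prob(a)
    # Small relative tolerance so that exact ties with the observed
    # table are counted despite floating-point rounding.
    p_value = sum(p for p in (prob(x) for x in range(lo, hi + 1))
                  if p <= p_observed * (1 + 1e-7))
    return min(1.0, p_value)


def sample_odds_ratio(a, b, c, d):
    """Cross-product odds ratio of the first row relative to the second."""
    return (a * d) / (b * c)


def recheck(tables=TABLES):
    """Return {table name: (odds ratio, two-sided p-value)}."""
    return {name: (sample_odds_ratio(*cells), fisher_exact_two_sided(*cells))
            for name, cells in tables.items()}


if __name__ == "__main__":
    for name, (odds, p) in recheck().items():
        print(f"{name}: odds ratio {odds:.2f}, two-sided p = {p:.4f}")
```

Both tables come out below the 0.01 threshold reported in the text, with the odds ratios pointing in the directions the thesis describes.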
As previously mentioned, there is a difference in the information security issues
when it comes to reading information compared to writing information. The
participants were therefore again asked the same question but regarding the practice
of having someone else make notes in an EMR using their accounts.
This time, 91% of the participants (n=85) considered it to be a problem if colleagues
used their accounts to enter information into a medical record system, while nine
percent did not see any problems.
[Figure 9 plot: "Can you see any dangers with a colleague of yours using your account to read information in an EMR?" Yes / No by profession: Physician 50% / 50%, Nurse 87% / 13%, Assistant Nurse 78% / 22%.]
Again, the physicians seemed less likely to see a problem with this, as can be seen
in Figure 10. However, this time the Fisher's Exact Test did not reveal a significant
difference between the groups of physicians and nurses/assistant nurses.
Figure 10. Amount of participants who see a danger in letting someone else use their accounts for making notes in an EMR divided into groups of profession (n=85)
In order to understand what problems employees of acute healthcare see when it
comes to having their accounts used by someone else the participants were asked
to state the dangers that they could see with colleagues using their accounts to read
information in an EMR system.
The word frequency analysis of the answers regarding this suggested that
“Logged”, “Patient” and “Confidentiality” were words that could lead us to an
understanding of the problems here. The content analysis of these free text answers
generated 12 problem categories that made the picture clearer; these can be seen in
Table 11.
[Figure 10 plot: "Can you see any dangers with a colleague using your account to make notes in an EMR?" Yes / No by profession: Physician 80% / 20%, Nurse 93% / 7%, Assistant Nurse 89% / 11%.]
Table 11. Categories of the dangers participants see with colleagues using their accounts to read information (n=62)
Category | Number of answers coded with the category
I may get in trouble after a log review | 30
There are confidentiality problems | 26
Someone may use a computer for something that is not allowed | 6
Someone may forget that the login is borrowed and take action or document in my name | 5
I may get into legal problems | 5
I am responsible for what is done | 5
I have no control for what is done in my name | 2
Traceability is broken | 2
Patient safety is at risk | 2
Mistakes that are made are logged on me | 1
Prescriptions may be done in my name | 1
Patients may get hold of my name in the logs | 1
Below are some citations that illustrate these categories further:
“It is not transparent – e.g. one does not know when someone has read something since you have
left the smart card in the computer. Sometimes I see patients in the list of previously opened records
that I know I have not entered. Further the system does not serve the work flow but the work flow
shall adapt to the system. It makes it impossible for the ones that are to review my access to records
(which is extremely important in order for us to preserve our legitimacy as a profession) to
understand what was done and what was not. The review becomes impossible and I risk the
consequence of being prosecuted for data breach when that is not the case.”
“If I am in the room and can see what he or she reads it is acceptable, it is not if I forgot my card
and am not present”
“Confidentiality. Must not happen. That’s it!”
A word that was often used in the answers regarding dangers of someone else
writing information using their accounts, and that points towards what was seen as
problematic here, was “Responsible”. The content analysis generated six categories
of problems that added more information to this, as can be seen in Table 12.
Table 12. Categories of the dangers participants see with colleagues using their accounts to make notes in an EMR (n=70)
Category | Number of answers coded with the category
I may become responsible for things (ordinations, treatments etc.) that I have not performed | 29
Traceability is lost | 11
Confidentiality problem | 10
Things written in my journal that I cannot stand for quality or content wise | 7
Information may be wrong and I cannot correct it since I do not know | 5
Patient safety is at risk | 5
Below are some citations that further illustrate these categories:
“That I who have nothing to do with a patient, will read what is written. That would be breaking
confidentiality in a way I believe”
“People may get access to records that they should not in my name, they write in my name and even
if we can in theory go back afterwards with our own login and sign notes that someone else has
done. I don’t think that this happens”
“If treatment is wrong my name will be responsible”
“Can be in my name. No idea how it is searched etc. When we use each other’s login its usually
very acute or when I watch over someone’s shoulder.”
“As far as I know this is extremely rare and rather a mistake. It complicates communication in the
practice of care since you will misunderstand who met the patient. Furthermore it is juridically
complicated if it was to become a court case.”
“I will be responsible for actions/notes that I have not performed with a patient that I have no care
relation to. If questions etc. arise I will not be able to answer what I meant with a note/action which
affects patient safety/confidentiality and maybe the patients feeling of integrity.”
3.3. Summary of results
As can be seen from the results presented here, there are problems with how
authentication methods are used in acute healthcare. The healthcare professionals
are in many cases not authenticating to medical record systems as they should,
many of them experience problems with the methods they use, and they have
concerns about the way they use authentication methods.
4. Discussion
4.1. The research questions
The survey produced results that were in many ways relevant for the research
questions. Under the following sub-sections each of the three research questions
will be discussed separately.
4.1.1. Are HCPs in acute healthcare using authentication methods as they are intended to be used?
The practice of sharing credentials seemed quite rare among the participants with
91 % saying that they did not know anyone else's credentials and 88 % saying that
no one else should have known theirs. This can be put into some kind of context
by the observations of Koppel et al. (34) where password sharing seemed to be the
norm and sticky notes with passwords were found in most clinics they visited.
However, it should be noted that the credentials of about every tenth participant in
the sample were known by someone who was not the owner and person
responsible for what could be done using that credential.
In retrospect, maybe an additional question should have been asked here – “how
often do you share your credentials?”. This could have been useful since the
questions asked in the questionnaire were dependent on the participants’ memory
and estimation of their colleagues’ abilities to remember passwords. However, it
can be inferred – from the answers to these questions in combination with how
common the practice of using someone else's login was – that accounts were
probably often shared by users not signing out or by users handing over access to
a computer where they were already logged in, and not by users giving away their
credentials. Comments validating this claim were commonly submitted in the free
text answers.
The number of participants who reported that they sometimes need to read
information using someone else's account or that someone else needs to do this
using their accounts was very high (58 % and 67 % respectively). The observation of a
difference in this need, between physicians and the other professions, can
probably be explained by differences in work flows. Physicians are more likely to
be called in for a consultation or quick procedure, while the nurses are often more
statically assigned to the patient.
The practice of using someone else's account to enter information in an EMR
system was less common than that of using it for reading, which seems
reasonable. However, it is still very high, especially considering that traceability is
explicitly mentioned in the Patient Data Act. Twenty-eight percent of participants
said that they are sometimes entering information using someone else's account
and between 30 % and 42 % (depending on how we interpret the response "I do
not know") said that others are sometimes using their accounts to enter
information.
All in all, it seems that the indications from previous studies (21-23), that there are
problems with the way that authentication is handled by HCP in their daily work,
are validated by this study. HCPs share passwords to some extent, and they use
each other’s accounts both to read and enter information into computer systems.
The effectiveness of authentication in acute healthcare seems rather poor. Many
times the person performing an action in an IT-system is not the person who
authenticated to the system. This raises the question if the log review that health
care providers are by law obligated to perform is really accomplishing what it
intends to. One can also wonder if the individualistic approach to access control is
really suitable to the work flows of acute health care.
4.1.2. Which are the main problems that the HCPs experience with current authentication methods?
The proportion of participants who said they experienced problems with the
authentication methods they used in their work place was 58 %.
An observation in the results regarding experience of problems with
authentication methods was that the number of participants who reported that they
experienced problems with authentication methods was increasing with every step
of self-reported computer skills. This was probably due to both increased usage,
and to increased awareness in the groups where experienced problems were more
common. One could therefore argue that the actual problems with authentication
methods may be greater than what the 42 % who reported that they did not
experience any problems may lead us to believe.
Some of the problems the participants experienced were rather expected. The top
category identified in the content analysis was that logging in took too much time,
and the second most occurring was that there were too many credentials to keep
track of.
A more surprising and interesting problem, that points towards an unwelcome side
effect of the implementation of smart cards, was that some participants experience
a problem in that the cards are used for many different purposes, so that it was not
possible for them to comply with the practice of always taking the card out of the
computer when they leave it.
Another unexpected finding was that there were plenty of participants that
reported that there was a lack of an automatic logoff procedure. This seems like
something that should be implemented as a standard security measure.
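One way a log reviewer could mark entries whose attribution is doubtful because a logged-in session sat unattended, the situation behind both the log-review concern in 4.1.1 and the missing automatic log-off noted above. This is an added example, not part of the thesis: the log format, field names, account names and the 15-minute idle limit are assumptions, and the sample records are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample audit trail (not real data). Assumed fields:
# timestamp, workstation, account, action, patient record id.
SAMPLE_LOG = """\
2015-03-02T07:58:10 ER-WS1 nurse_a login -
2015-03-02T07:59:02 ER-WS1 nurse_a read P-1001
2015-03-02T08:03:40 ER-WS1 nurse_a write P-1001
2015-03-02T08:10:00 ER-WS2 doc_b login -
2015-03-02T08:12:30 ER-WS2 doc_b read P-1001
2015-03-02T08:20:00 ER-WS2 doc_b read P-3300
2015-03-02T08:24:10 ER-WS2 doc_b logout -
2015-03-02T09:41:15 ER-WS1 nurse_a read P-2040
2015-03-02T09:43:50 ER-WS1 nurse_a write P-2040
2015-03-02T09:50:05 ER-WS1 nurse_a logout -
"""


class Event(NamedTuple):
    when: datetime
    workstation: str
    account: str
    action: str   # login | read | write | logout
    record: str


def parse_log(text):
    """Parse the assumed whitespace-separated format into sorted events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, workstation, account, action, record = line.split()
        events.append(Event(datetime.fromisoformat(ts), workstation,
                            account, action, record))
    return sorted(events, key=lambda e: e.when)


def flag_uncertain_attribution(events, idle_limit=timedelta(minutes=15)):
    """Return read/write events logged on a session that had been idle
    longer than idle_limit since its last activity.

    Once a session has been left idle that long, every later event up to
    the next logout or login is flagged: the reviewer cannot tell from
    the log alone whether the account owner or a colleague was at the
    keyboard. These are also the events an automatic log-off at
    idle_limit would have forced a fresh authentication for.
    """
    last_seen = {}   # (workstation, account) -> time of last activity
    stale = set()    # sessions that exceeded the idle limit
    flagged = []
    for ev in events:
        key = (ev.workstation, ev.account)
        if ev.action == "login":
            stale.discard(key)           # fresh authentication
        elif key in last_seen and ev.when - last_seen[key] > idle_limit:
            stale.add(key)
        if ev.action in ("read", "write") and key in stale:
            flagged.append(ev)
        if ev.action == "logout":
            stale.discard(key)
            last_seen.pop(key, None)
        else:
            last_seen[key] = ev.when
    return flagged


def count_by_action(flagged):
    """Reads affect confidentiality review, writes affect traceability."""
    return dict(Counter(ev.action for ev in flagged))


if __name__ == "__main__":
    for ev in flag_uncertain_attribution(parse_log(SAMPLE_LOG)):
        print(ev.when.isoformat(), ev.workstation, ev.account,
              ev.action, ev.record, "<- attribution uncertain")
```

Running the same trail with several candidate idle limits shows how many events each limit would have forced re-authentication for, which is the trade-off against the login time the participants complain about.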
A lot of different reasons with the common goal of saving time were common
explanations for the need to use colleagues’ accounts to read information. The
amount of comments that explicitly mentioned the acuteness of the situation as a
reason was about equally common to comments that expressed the reason in more
general terms of saving time. This could be a matter of the participants expressing
themselves in different ways, but it may be important to think about the possibility
that habituation may take place. If you consider something to be acceptable under
certain circumstances, you may later on find that you consider the same thing to
be acceptable under totally different circumstances.
In the comments regarding writing information using someone else’s account it
was also common to mention saving time as a reason. It was however also
common to say that it happened by mistake, or that working as a team made it
necessary or reasonable to use just one account.
Other comments that should be noted are the ones mentioning lack of computers
and technical problems as reasons for using others' accounts. When it comes to
these two types of comments one cannot do much else than conclude that finding
a workaround by asking to use someone else’s account seems like the only way to
go for someone who needs to get work done. It should be mentioned in this
context that according to the report “E-hälsa i landstingen” from 2014 by the
SLIT-group, the rate of computers in healthcare is about one user per computer
(35). So the lack of access to computers reported may be an indication that
resource allocation or office space planning needs to be looked into.
4.1.3. What concerns do HCPs have about possible problems due to the way authentication methods are used?
When it came to having someone else use your account, it is interesting to note
that physicians were less likely than nurses to consider this a danger. This is
probably because physicians are higher in the hierarchy and have more
permissions (since they have the full medical responsibility of the patient).
Another possible reason is that a physician can more easily explain why she had a
reason to read something in case of a review. It is, after all, part of their work to
be consulted by co-workers; but for a nurse to explain why he has been reading a
surgical note in the medical record of a patient that he did not care for may be
more difficult.
Something else that should be noted, is that 23% of the participants did not
consider letting someone else use their accounts for reading a danger. It may be
that the most common situation for letting someone use your account is when you
are asked to let them and then remain present for the time that they use it. If this is
not the case there is definitely a need for general security awareness training.
It was more common to consider it a danger if someone else was using your
credentials for entering information, however, nine percent of the participants did
not see a danger with this. Again, it seemed more common for physicians to have
the opinion that this was not a danger. It is also interesting to note how this
question was interpreted, since the response that you may become responsible for
something you have or have not done was a lot more common than responses
about patient safety being at risk or traceability being lost.
Regarding the theories presented in chapter 1.4, it seems that neither the
deterrence theory nor the theory of planned behavior are very good predictors for
compliance in this case. The participants acknowledge the principles behind the
theories in their answers, but their behavior seems, in many cases, to be
unaffected. The suggestion that emotional and moral factors are important (10)
may be correct. However not for predicting compliance, but rather the opposite,
by providing justification that it is acceptable to put patient safety before good
information security practice.
4.2. The results in comparison to previous studies
There were both similarities and differences in the results of this survey compared
to the studies mentioned in the background.
For example, the practice of documenting work using someone else’s account was
a lot less common in this survey than it was in the study by Faxvaag et al. (21).
They found that 21 % documented using someone else’s account half of the time
or more, while only six percent of the participants in this study did this once a
month or more often. The Faxvaag et al. study is four years old and a lot has
probably happened in these four years when it comes to education and
information about the laws governing patient data and the log reviews conducted
to maintain this law. Also, the situation may be different between Norway and
Sweden.
Compared to the observations of Åhlfeldt and Ask (22), this survey shows both
similarities and differences. Just as can be seen in the results of the survey they
observed that users complained about the time the login procedure takes, and that
users left their computers unguarded while being logged in, and that they let
colleagues use computers that they were logged into. However, their conclusion
was that users do not understand “why logon procedures and authority control
systems exist”, while my results show that the HCPs are rather well aware of the
problems but that they find it impossible to use authentication as intended due to
the work that they need to perform.
Cazer and Dawn also concluded that healthcare users were not very security
savvy, and that they were unaware of what ramifications a password breach would
have (36). Their proposed solution was the implementation of stricter password
policies and more security awareness training. However, neither of these seems to
be a proper solution in the light of my survey, since the users here did show rather
good knowledge about the problems but still used their credentials in ways that
are less than optimal and in ways that a password policy will not affect.
4.3. The method
There are several aspects to discuss regarding the methods used for data collection
in this thesis. One being the selection of participants. It was realized early on that
in order to get truthful answers (or even answers at all) the survey had to be
distributed in the “right” way. After all, the survey dealt with questions that could
be perceived as sensitive by the participants. We asked them about their behaviors
in information security practices; practices that are governed by policies, and
practices that could be seen as violations to workplace rules if they are not
adhered to. In discussions between the author and the supervisors and the group of
experts from MSB it was decided that the right way was to establish contact with
managers of acute clinics, and ask them to reach out to their employees. The basis
for this decision was the experience from previous surveys conducted by the
experts.
This approach did of course come with some negative side effects. The managers
can possibly have selected the employees that they believed were most interested
in the survey. There were a few indications of this in the answers we got from the
managers, as shown in the quotes below.
“This could be worth participating in, it seems to be no big work load. Grateful if you forward this
to suitable co-workers and with deadline in a week”
“I will send this forward to suitable employees and hope that they participate!!”
Another possible source of bias is which managers that decided that their
employees should participate. It is possible that managers who saw information
security as important were more inclined to forward the survey to their
employees.
Even though the method of selection was not perfect, it was decided that it was
the best possible one for the project. The ideal situation would of course be to
have a randomized sample; but there was no database where we could find all the
people who work at acute clinics; and the secretaries of the hospitals could not
provide us with this information. Even if there had been a database where
we could get contact information for employees in acute healthcare, it may still
not have been the ideal way to reach the participants. The sensitive nature of the
survey would most likely have resulted in a low rate of answers if we had distributed the
survey directly to physicians and nurses. This was at least the opinion of the
experts during the workshop.
When it comes to bias in the actual sample of participants it is possible that the
ones who had an interest in the topic or who were just more law abiding were the
ones who took the time to answer the survey.
Another form of bias that needs to be addressed here is recollection bias. People
are likely to underreport their own behavior in surveys when sensitive questions
are asked (27), and many of the questions of this survey can definitely be
categorized as being sensitive.
The sum of these possible biases is that the problems and misbehaviors identified
in the results of the survey are likely occurring more often in the population than
in the sample, due to underreporting and to non-response bias of the people who
can be assumed to misbehave the most. It should at least be safe to assume that
the situation in the population is not “better” than what the results show.
4.4. The participants
As can be seen in the first subsection of the results chapter, the participants of the
study represent various categories of HCPs in regard to geographic location, age
(with the exception of people under 25 years of age), profession and computer
literacy.
The distribution of participants in regard to computer skills indicates that the
aforementioned possible selection bias towards HCPs with an interest in the topic
of the survey may not have occurred. Most of the participants said that they use
IT at work and for online e-services for personal use.
About 70 % of the participants said that they had been informed about rules
regarding how to handle their login information and about 70 % of the ones who
had, said that they would be able to account for most of the rules if they were
asked. Having 50 % of the participants being well informed about the policy could
suggest that the sample is representing the population quite well. Information
Security Awareness and knowledge about an organization's specific policies are
factors connected to compliance with good information security practice (10).
4.5. Implications of the results
Authentication is, as mentioned in the beginning, the basis for access control. It is
what ties the actions performed in an IT-system to the identity of an actual person. Without
properly used authentication methods we do not have functional access control.
We can work all we want on fine-tuning access logging, creating dynamic access
control rules, and writing strict information security policies, but if the identities
of the users are not correctly logged, this is not of much use.
Patient confidentiality is maintained primarily by the log reviews, and these
reviews are based on the assumption that the logging is correct and that the
account used to access (or input) information belongs to the person
who was actually seated in front of the computer at the time the information was
accessed. As can be seen in the results of this study, many of the participants use
their colleagues’ accounts to access information in EMRs, and some also to enter
information. Thus, it can be questioned whether the reviews really produce what
they are intended to.
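The attribution assumption behind log reviews can be tested mechanically before a review starts. The following is an added example, not part of the thesis: it scans a constructed access log and flags the entries a reviewer cannot safely attribute to the account owner, either because the account has a session open on another workstation or because the session sat idle before the access. The log format, the account and workstation names, and the 15-minute idle limit are assumptions.

```python
from datetime import datetime, timedelta

# Assumed review threshold; the thesis states no such value.
IDLE_LIMIT = timedelta(minutes=15)

# Constructed sample log (not data from the thesis):
# timestamp account workstation action patient
SAMPLE_LOG = """\
2015-03-02T08:00:05 nurse_a WS-01 LOGIN -
2015-03-02T08:01:10 nurse_a WS-01 READ P100
2015-03-02T08:20:00 nurse_a WS-02 LOGIN -
2015-03-02T08:21:30 nurse_a WS-02 READ P200
2015-03-02T08:22:10 nurse_a WS-01 READ P300
2015-03-02T08:40:00 nurse_a WS-01 LOGOUT -
2015-03-02T09:00:00 doc_b WS-03 LOGIN -
2015-03-02T09:05:00 doc_b WS-03 WRITE P400
2015-03-02T09:30:00 doc_b WS-03 LOGOUT -
"""


def parse(log_text):
    """Turn the whitespace-separated log into time-ordered event tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, workstation, action, patient = line.split()
        events.append((datetime.fromisoformat(ts), account, workstation,
                       action, patient))
    return sorted(events)


def doubtful_entries(log_text, idle_limit=IDLE_LIMIT):
    """Return READ/WRITE entries whose attribution to the account owner
    is uncertain, as (timestamp, account, workstation, patient, reasons)."""
    last_seen = {}  # (account, workstation) -> last event time in open session
    flagged = []
    for ts, account, ws, action, patient in parse(log_text):
        key = (account, ws)
        if action == "LOGIN":
            last_seen[key] = ts
            continue
        if action == "LOGOUT":
            last_seen.pop(key, None)
            continue

        reasons = []
        # Same account still logged in somewhere else: the log cannot show
        # which of the two screens the account owner was sitting at.
        elsewhere = sorted(w for (a, w) in last_seen if a == account and w != ws)
        if elsewhere:
            reasons.append("concurrent session on " + ",".join(elsewhere))

        previous = last_seen.get(key)
        if previous is None:
            reasons.append("no login recorded")
        elif ts - previous > idle_limit:
            # No automatic log-off: an unattended session was picked up again.
            minutes = int((ts - previous).total_seconds() // 60)
            reasons.append("session idle %d min before access" % minutes)

        last_seen[key] = ts
        if reasons:
            flagged.append((ts.isoformat(), account, ws, patient, reasons))
    return flagged


if __name__ == "__main__":
    for entry in doubtful_entries(SAMPLE_LOG):
        print(entry)
```

A review that excludes or separately follows up the flagged entries avoids attributing them to the account owner on the strength of the log alone.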
The solution to the problems described here may be as simple as providing the
acute health care professionals with more computers, or maybe a personal mobile
solution for EMR access. Many participants pointed to the time it takes to log in as
a problem; a device in their pockets that is constantly logged in, ready to pick up and
unlock for access, could probably solve most of the issues described here, but may
also introduce new ones. As we know by now, the intended design goal is not
always the result.
Or maybe we need to ask whether a standardized security method with an
individualistic approach to authenticating the users is really the best fit for the
environment. In a collaborative environment like the one described in this thesis,
users will probably, regardless of the solution, authorize and grant each other
access to information in ways that cannot be logged by a system.
4.6. Suggestions for future work on the topic
A possibly interesting study building upon the results from this thesis could be to
compare answers from different types of healthcare environments or even
environments outside of healthcare. This would further clarify whether there are
significant differences in the demands that workflow puts on authentication
methods.
A very specific thing that should be looked into is why as many as 23% of the
participants do not see a problem with someone else using their accounts to read
information, and as many as 9% do not see a problem with having someone write
using their account.
The problems with authentication in acute healthcare described in this thesis are
serious, and finding solutions to the problems is an important future research
topic. A technical solution like the one proposed in the previous section, using
mobile devices, would likely put new demands on the IT-infrastructure as well as
the work flows of the acute health care professionals, and would thus be material for a lot
of research before it could and should be implemented. A solution of collaborative
authentication seems to be more of a fundamental information security principle
challenge, but still maybe something that could be researched?
5. Conclusion
The results from the survey show that there are problems to be dealt with in how
HCPs in acute healthcare use authentication methods. The problems seem to be
due to conflicts between the way the work must be done and the way that the
authentication methods disrupt it.
There were positive findings in the results, such as that it is not very common to share
credentials with colleagues. However, there were also alarming ones: participants
still manage to use each other’s accounts frequently for both reading and entering
information in EMRs, thus making the access logging more difficult to
interpret.
With more than half of the participants experiencing problems with the
authentication methods, it seems that this is something to take seriously and that
new solutions must be found, or that the existing ones must be adjusted to fit the
environment better. The implementation of smart card solutions may have solved
some problems, but has also introduced new ones, such as users forgetting the cards
or leaving them in the computers on purpose to keep them from being used by
others.
The concerns of the HCPs regarding the problems they experience with
authentication methods were primarily about problems that they may face in case
of reviews and of patient confidentiality. However, it was surprising to see that
many participants did not see any dangers with sharing their accounts.
The health informatics community should be able to conclude from this thesis that
security mechanisms used in healthcare is a topic worth considering in future
research.
6. References
1. Heckle RR, Lutters WG. Tensions of network security and collaborative
work practice: Understanding a single sign-on deployment in a regional
hospital. Int J Med Inform. 2011;80(8):49-61.
2. SFS:2008:335 Patientdatalagen. Stockholm: Socialdepartementet.
3. SOSFS 2008:14: Socialstyrelsens föreskrifter om informationshantering
och journalföring i hälso- och sjukvården. Stockholm: Socialstyrelsen.
4. Bishop M. The Basic Components. In Bishop M. An Overview of
Computer Security. Boston: Pearson; 2011. p. 1-27.
5. Bishop M. Hybrid Policies. In Bishop M. Introduction to Computer
Security. Boston: Pearson; 2011. p. 83-95.
6. Röstad L. Access Control in Healthcare. Trondheim: Norwegian University
of Science and Technology; 2009.
7. Ferreira A, CCR, Antunes L, FP, Oliveira-Palhares E, CDW, et al. How to
break access control in a controlled manner. CBMS. 2006:847-854.
8. Jones E. www.hipaa.org. [Online]. 2009 [cited 2015 February 06].
Available from: http://www.hipaa.com/2009/07/person-or-entity-authentication-what-to-do-and-how-to-do-it/.
9. Bishop M. Authentication. In Bishop M. Introduction to Computer Security.
Boston: Pearson; 2011. p. 171-199.
10. Sommestad T, Hallberg J, Lundholm K, Bengtsson J. Variables influencing
information security policy compliance - A systematic review of
quantitative studies. IMCS. 2014;22(1):42-75.
11. Bishop M. Security Policies. In Bishop M. Introduction to Computer
Security. Boston: Pearson; 2011. p. 45-59.
12. D'Arcy J, Herath T. A review and analysis of deterrence theory in the IS
security literature: making sense of the disparate findings. Eur J Inf Syst.
2011 Nov;20(6):643-658.
13. Ajzen I. The Theory of Planned Behavior. Organ Behav Hum Decis
Process. 1991;50(2):179-211.
14. Cresswell KM, Sheikh A. Undertaking sociotechnical evaluations of Health
Information technologies. Inform Prim Care. 2014;21(2):78-83.
15. Baxter G, Rooksby J. Health and Social Care. In LSCITS Socio-Technical
Systems Engineering Handbook. St Andrews: University of St Andrews;
2011.
16. Baker WH, Wallace L. Is Information Security Under Control?
Investigating Quality in Information Security Management. IEEE Secur
Priv. 2007 Jan;5(1):36-44.
17. Appari A, Johnson ME. Information security and privacy in healthcare:
current state of research. IJIEM. 2010;6(4):279-314.
18. Berg M. Patient care information systems and health care work: a socio-
technical approach. Int J Med Inform. 1999;55(2):87-101.
19. Scott PJ, S BJ. STAT-HI: A Socio-Technical Assessment Tool for Health
Informatics Implementations. Open Med Inform J. 2010: p. 214-220.
20. Komanduri S, Shay R, Gage Kelley P, Mazurek ML. Of Passwords and
People: Measuring the Effect of Password-Composition Policies. CHI Conf
Proc. 2010:2595-2604.
21. Faxvaag A, Johansen TS, Heimly V, Melby L, Grimsmo A. Healthcare
Professionals' Experiences With EHR-System Access Control Mechanisms.
Stud Health Technol Inform. 2011;169:601-605.
22. Åhfeldt RM, Ask L. Information Security in Electronic Medical Records: A
Case Study with the User in Focus. In Khosrow-Pour M, editor. Innovations
Through Information Technology. Hershey, PA: Information Resources
Management Association; 2004. p. 345-347.
23. Deursen Nv, Buchanan WJ, Duff A. Monitoring information security risks
within health care. Comput Secur. 2013;37:31-45.
24. Zhao X, Johnson E. Information Governance: Flexibility and Control
through Escalation and Incentives. In WEIS; 2008.
25. Brender J. Questionnaires. In Brender J. Handbook of Evaluation Methods
for Health Informatics. Amsterdam: Elsevier; 2006. p. 163-172.
26. Silic M, Back A. Information security: Critical review and future directions
for research. IMCS. 2014;22(3):279-308.
27. Tourangeau R, Yan T. Sensitive questions in surveys. Psychol. Bull.
2007;133(5):859-883.
28. Meho LI. E-mail Interviewing in Qualitative Research: A Methodological
Discussion. J Am Soc Inf Sci Technol. 2006: p. 1283-1295.
29. Jansen H. The Logic of Qualitative Survey Research and its Position in the
Field of Social Research Methods. Forum Qual Soc Res. 2010;11(2).
30. Lövtrup M. Nu vill alla sjukhus ha akutläkare. Läkartidningen. 2015
Apr;112:18-19.
31. Stemler S. An overview of content analysis. PARE. 2001;17(7):137-146.
32. Zhang Y, Wildemuth BM. Qualitative Analysis of Content. In
Wildemuth BM. Applications of Social Research Methods
to Questions in Information and Library Science.
Westport, Conn: Libraries Unlimited; 2009. p. 308-319.
33. McDonald JH. Handbook of Biological Statistics. Baltimore: Sparky House
Publishing; 2014.
34. Koppel R, Smith S, Blythe J, Kothari V. Work arounds to computer access
in Health Care organizations: You want my password or a dead patient?
Stud Health Technol Inform. 2014;208:215-220.
35. Jerlvall L, Pehrsson T. E-hälsa i landstingen SLIT 2014. [Online]. 2014
[cited 2015 05 10]. Available from:
www.inera.se/Documents/OM./eHlsa_i_landstingen_SLIT_2014.pdf.
36. Cazier J, Dawn M. How secure is your information system? An
investigation into actual healthcare worker password practices. Perspect
Health Inf Manag. 2006 Sep; 8(3).
7. Appendices
Appendix A Letter to the participants
Appendix B Letter to the managers
Hello %NAMN%.
My name is Tom Andersson and I work as an analyst at the Swedish Civil Contingencies Agency (MSB). One of our tasks is to support organizations in their security work. During the spring of 2015 we are collaborating with Karolinska Institutet (KI). We are conducting a study of login routines for IT systems in acute healthcare. It is carried out as a degree thesis at KI. The goal is to highlight the importance of security systems that are adapted to the work they support. This matters for the work environment as well as for patient safety. Acute healthcare is in focus because the work places high demands on efficient information handling.
For this purpose we hope for your participation. In short, it would mean that you ask a few co-workers, preferably three, to answer a short web survey. For test persons it has taken between 3 and 5 minutes to fill in the survey. We are addressing physicians, nurses and assistant nurses in acute healthcare. Participation is of course voluntary. All answers are anonymous. No personal or organizational data is collected. Nor any digital addresses.
Link to the web survey: https://sv.research.net/s/akutinlogg
The link is sent to the co-workers. An information letter is attached. It explains the purpose. A PDF file with the survey is also attached so that you as a manager can review it before you forward anything.
If the study raises questions, we are more than happy to answer by e-mail or telephone. Gustaf Claesson is a master's student at KI who answers practical questions. The main supervisor is Professor Sabine Koch at KI. I myself am co-supervisor.
Contact details: Gustaf Claesson: [email protected], 076 677 93 14 Sabine Koch: [email protected], 08 524 871 49 You will find my details below.
If you wish, we will send the master's thesis when it is finished (June 2015). Please let me know.
Kind regards, Tom Andersson, Senior Analyst
Appendix C Follow up letter to the managers
Hello %NAMN%.
My name is Tom Andersson, analyst at the Swedish Civil Contingencies Agency (MSB).
This letter is a follow-up to an earlier letter that you should have received regarding a survey that MSB and Karolinska Institutet (KI) are conducting jointly. Since we do not check who takes part in the survey, we are sending a follow-up letter to managers in acute healthcare with whom we have had no contact.
If you have already passed the information on to co-workers, or have decided not to take part, please disregard this letter. No further letters will be sent in this matter.
One of MSB's tasks is to support organizations in their security work. During the spring of 2015 we are collaborating with KI. We are conducting a study of login routines for IT systems in acute healthcare. It is carried out as a degree thesis at KI. The goal is to highlight the importance of security systems that are adapted to the work they support. This matters for the work environment as well as for patient safety. Acute healthcare is in focus because the work places high demands on efficient information handling.
For this purpose we hope for your participation. In short, it would mean that you ask a few co-workers, preferably three, to answer a short web survey. For test persons it has taken between 3 and 5 minutes to fill in the survey. We are addressing physicians, nurses and assistant nurses in acute healthcare. Participation is of course voluntary. All answers are anonymous. No personal or organizational data is collected. Nor any digital addresses.
Link to the web survey: https://sv.research.net/s/akutinlogg
The link is sent to the co-workers. An information letter is attached. It explains the purpose. A PDF file with the survey is also attached so that you as a manager can review it before you forward anything.
If the study raises questions, we are more than happy to answer by e-mail or telephone. Gustaf Claesson is a master's student at KI who answers practical questions. The main supervisor is Professor Sabine Koch at KI. I myself am co-supervisor.
Contact details: Gustaf Claesson: [email protected], XXX XXX XX XX Sabine Koch: [email protected], XXX XXX XX XX You will find my details below.
If you wish, we will send the master's thesis when it is finished (June 2015). Please let me know.
Kind regards, Tom Andersson, Senior Analyst, XXX XXX XX XX
Appendix D Survey introduction page
IT security in acute healthcare
This survey is conducted by Karolinska Institutet in collaboration with
the Swedish Civil Contingencies Agency. The purpose is to evaluate how
logging in to IT systems works in acute healthcare, based on your
experiences as a practising professional.
By logging in we mean how you identify yourself on a computer or in an IT system.
For example, you enter a username and a password, or you insert a card in
a reader and enter a PIN (code).
Participation is voluntary. You answer the survey anonymously. No personal or
organizational data will be recorded. Nor will we try to
link any results to individual persons, workplaces or organizations.
All questions concern your experience from your current workplace.
The survey takes 3 to 5 minutes to answer.
The survey is divided into pages. When you are done with a page, click the
"Next" ("Nästa") button at the bottom of the page. On the last page you must click the "Done" ("Klar") button for
your answers to be recorded.
Thank you in advance!
Gustaf Claesson, master's student, KI
Tom Andersson, senior analyst, MSB
Sabine Koch, professor, KI
E-mail: [email protected]
Appendix E The survey results
QUESTION 1
Which of the following methods for authentication do you use?
n=89
Answer Percentage Number
Username + Password 82,0% 73
HSAID + Password 23,6% 21
SITHS-card + PIN 77,5% 69
Smartcard + PIN 0,0% 0
Other methods 6,7% 6
Free text answers to the choice Other methods
Log in using only user name to input information in the ambulance.
Log in using personal number in systems that do not contain sensitive information
Shared login with username and password
HSAID + RSA code generator (for remote login)
E-service card and password (of at least eight characters)
I have to login many times a day using username and password in many different systems
QUESTION 2
Do you experience any problems with the methods you use for logging in?
n=89
Answer Percentage Number
Yes 58,4% 52
No 41,6% 37
QUESTION 3
Kindly describe the problems that you experience with today's methods for logging in.
n=49
Word frequency analysis for question about what problems the participants face with authentication methods.
Word | Number of answers that contain the word | Percentage of answers that contain the word
Card | 15 | 30,6%
Password | 12 | 24,5%
Come | 12 | 24,5%
Card in computer | 12 | 24,5%
Much time | 10 | 20,4%
Categories of problems participants experienced with authentication methods
Category | Number of answers coded with the category
Logging in takes too much time | 21
There are too many different credentials to keep track of | 14
I forget to take my card out of the computer | 9
It is problematic that the card has multiple functions (log in to computer, open doors, use printer etc.) | 8
There is no automatic log off feature | 6
There are technical problems with the card readers | 6
The passwords expire too often | 3
Passwords are easily forgotten | 2
The password policy makes me write the password down | 1
The password policy makes me choose weak passwords | 1
QUESTION 4
Have you at any time been given information about rules governing the use of login information?
n=86
Answer Percentage Number
Yes 70,9% 61
No 20,9% 18
I do not know 8,1% 7
QUESTION 5
If a new colleague would ask you about the rules, would you be able to account for them?
n=61
Answer Percentage Number
Yes, completely 16,4% 10
Yes, for the most part 54,1% 33
Yes, to some extent 23,0% 14
No 6,6% 4
QUESTION 6
How often is it necessary for you to read information in an EMR using someone else's account?
n=85
Answer Percentage Number
Daily 14,1% 12
At least once a week 16,5% 14
At least once a month 7,1% 6
Less often 21,2% 18
Never 41,2% 35
QUESTION 7
State the most important reason why you need to use someone else's account to read information in an EMR.
n=45
Word frequency analysis for question about reasons why participants need to read information using someone else’s login
Word | Number of answers that contain the word | Percentage of answers that contain the word
Logged in | 14 | 31,1%
Patient | 11 | 24,4%
Log | 11 | 24,4%
Time | 8 | 17,8%
Acute situations | 5 | 11,1%
Categories of reasons why participants need to read information using someone else’s login
Category | Number of answers coded with the category
The computer is already logged in with another account | 15
It saves time due to convenience | 14
It saves time since the acuteness of the situation demands it | 13
I have forgotten/left my card in another computer | 8
There is a lack of computers | 8
There are technical problems with my login | 5
We work as a team and only one person can/needs be logged in | 4
A colleague asks for my opinion | 3
The password expired | 2
QUESTION 8
How often does a colleague of yours use your account to read information in an EMR?
n=82
Answer Percentage Number
Daily 13,4% 11
At least once a week 20,7% 17
At least once a month 13,4% 11
Less often 19,5% 16
Never 23,2% 19
I do not know 9,8% 8
QUESTION 9
Can you see any dangers with a colleague of yours using your account to read information in an EMR?
n=85
Answer Percentage Number
Yes 76,5% 65
No 23,5% 20
QUESTION 10
State the greatest danger that you see with a colleague using your account to read information in an EMR.
Word frequency analysis of the dangers with colleagues using the participants' credentials to read information
Word | Number of answers that contain the word | Percentage of answers that contain the word
Medical records | 19 | 30,7%
Logged | 13 | 21,0%
Patient | 13 | 21,0%
Confidentiality | 11 | 17,7%
Colleague | 7 | 11,3%
Categories of the dangers participants see with colleagues using their accounts to read information
Category | Number of answers coded with the category
I may get in trouble after a log review | 30
There are confidentiality problems | 26
Someone may use a computer for something that is not allowed | 6
Someone may forget that the login is borrowed and take action or document in my name | 5
I may get into legal problems | 5
I am responsible for what is done | 5
I have no control for what is done in my name | 2
Traceability is broken | 2
Patient safety is at risk | 2
Mistakes that are made are logged on me | 1
Prescriptions may be done in my name | 1
Patients may get hold of my name in the logs | 1
QUESTION 11
How often is it necessary for you to make notes in an EMR using someone else's account?
n=85
Answer Percentage Number
Daily 0,0% 0
At least once a week 4,7% 4
At least once a month 1,2% 1
Less often 22,4% 19
Never 71,8% 61
QUESTION 12
State the most important reason why you need to use a colleague's account to make notes in an EMR.
n=20
Categories of reasons why participants need to make notes using someone else’s login
Category | Number of answers coded with the category
It saves time due to convenience | 6
I do it by mistake | 5
We work as a team and only one person can/needs be logged in | 4
There are technical problems with my login | 4
It saves time since the acuteness of the situation demands it | 2
QUESTION 13
How often does a colleague of yours use your account to make notes in an EMR?
n=84
Answer Percentage Number
Daily 0,0% 0
At least once a week 6,0% 5
At least once a month 3,6% 3
Less often 21,4% 18
Never 58,3% 49
I do not know 10,7% 9
QUESTION 14
Can you see any dangers with a colleague using your account to make notes in an EMR?
n=85
Answer Percentage Number
Yes 90,6% 77
No 9,4% 8
QUESTION 15
State the greatest danger you can see with a colleague using your account to make notes in an EMR.
n=70
Word frequency analysis of the dangers with colleagues using the participants' credentials to make notes in an EMR
Word | Number of answers that contain the word | Percentage of answers that contain the word
The note | 19 | 27,1%
Responsible | 12 | 17,1%
Stand | 12 | 17,1%
Name | 11 | 15,7%
Writes | 9 | 12,9%
Categories of the dangers participants see with colleagues using their accounts to make notes in an EMR
Category | Number of answers coded with the category
I may become responsible for things (ordinations, treatments etc.) that I have not performed | 29
Traceability is lost | 11
Confidentiality problem | 10
Things written in my journal that I cannot stand for quality or content wise | 7
Information may be wrong and I cannot correct it since I do not know | 5
Patient safety is at risk | 5
QUESTION 16
How many of your colleagues may know your login credentials?
n=84
Answer Percentage Number
None 90,5% 76
Only one 4,8% 4
Between two and five 0,0% 0
More than five 0,0% 0
I do not know 4,8% 4
QUESTION 17
How many of your colleagues' login credentials do you know?
n=84
Answer Percentage Number
None 88,1% 74
Only one 7,1% 6
Between two and five 3,6% 3
More than five 1,2% 1
QUESTION 18
Which age group do you belong in?
n=82
Answer Percentage Number
Under 25 2,4% 2
Between 25 and 45 62,2% 51
Over 45 35,4% 29
QUESTION 19
In what part of Sweden do you primarily work?
n=82
Answer Percentage Number
Northern Sweden (Norrbotten, Västerbotten, Västernorrland, Jämtland, Dalarna, Gävleborg) 9,8% 8
Middle Sweden (Uppsala, Västmanland, Stockholm, Södermanland, Örebro, Värmland) 24,4% 20
Southern Sweden (Östergötland, Gotland, Kronoberg, Jönköping, Kalmar, Blekinge, Västra Götaland, Halland, Skåne) 65,9% 54
QUESTION 20
Which of the following statements describes you the best?
n=82
Answer Percentage Number
I only use computers at work 6,1% 5
I use computers at work, but also for personal use. Then I use computers, smartphones or tablets for accessing e-services online 50,0% 41
I use computers at work, but also for personal use. I use e-services, but I can also install software on my own computer. 26,8% 22
I have an interest for IT, and can manage an operating system and configure advanced software. 17,1% 14
QUESTION 21
Which is your current profession?
n=83
Answer Percentage Number
Physician 24,1% 20
Nurse 55,4% 46
Assistant nurse 10,8% 9
Other 9,6% 8
Free text answers to other:
Medical administrator
Manager
IT-administrator and nurse
Manager
Manager
Programmer (and nurse)
Manager
Care coordinator
Manager