Author: Gustaf Claesson

Transcription

1 Master's Programme in Health Informatics Spring Semester 2015 Degree thesis, 30 Credits Effective Authentication for Acute Healthcare: Acute Healthcare Professionals Experiences of Working with Current Methods of Authentication in Computer Systems Author: Gustaf Claesson Author: Gustaf Claesson Main supervisor: Professor, Sabine Koch, Health Informatics Centre, Karolinska Institute Co-supervisor: Senior Analyst, Tom Andersson, Information Security Governance Section, Swedish Civil Contingencies Agency Examiner: Senior Researcher, Maria Hägglund, Health Informatics Centre, Karolinska Institute

2 Master's Programme in Health Informatics Spring Semester 2015 Degree thesis, 30 Credits Affirmation I hereby affirm that this Master thesis was composed by myself, that the work contained herein is my own except where explicitly stated otherwise in the text. This work has not been submitted for any other degree or professional qualification except as specified; nor has it been published. Stockholm, Gustaf Claesson 2

3 Master's Programme in Health Informatics Spring Semester 2015 Degree thesis, 30 Credits Effective Authentication for Acute Healthcare: Acute Healthcare Professionals Experiences of Working with Current Methods of Authentication in Computer Systems Author: Gustaf Claesson Abstract Background: Good information security practice is an important part of healthcare today. Several previous studies indicate that there are problems in how authentication and access control methods are used by healthcare professionals. Objective: The objectives of the thesis were to describe how authentication methods are used in acute healthcare, what problems the participants experience with authentication methods, and to describe the healthcare professional s opinions about these topics. Methods: Data collection was conducted using a questionnaire with multiple choice and free text answers. Most of the questions dealt with information security practices; for example password sharing, or using colleagues accounts for accessing information. The questionnaire was distributed to managers of 50 different acute clinics in Sweden. The managers were asked to forward it to physicians, nurses and assistant nurses working in acute health care. A total of 89 participants answered the survey. Results: Fifty-eight percent of participants experienced problems with authentication methods. About half of them had good knowledge of security policy and many saw problems on multiple levels with the way they use authentication in IT-systems. Fifty-eight percent of the participants claimed that they need to use their colleagues accounts to access information on a regular basis. Significant differences were seen between physicians and nurses. Conclusion: There are problems with the way authentication is implemented in acute health care. The identity logged is not always the identity of the person performing an action in the system. Further research is needed in order to find solutions that are appropriate for the environment. Keywords: Computer Security, Authentication, Information Security, Healthcare, Compliance 3

4 Table of contents Glossary... 5 List of figures... 6 List of tables Introduction Information security in healthcare Authentication methods used in healthcare Security policies Theories from behavioral information security research Information security in collaborative and stressful environments The quality perspective on security mechanisms The socio-technical approach The need for socio-technical analysis of security mechanisms Aim of the thesis Objectives of the thesis Research questions Method Study design Structured interviews Questionnaire Participants Population Data analysis Ethical considerations Results Description of the participants The research questions Summary of results Discussion The research questions The results in comparison to previous studies The method The participants Implications of the results Suggestions for future work on the topic Conclusion References Appendices Appendix A Letter to the participants Appendix B Letter to the managers Appendix C Follow up letter to the managers Appendix D Survey introduction page Appendix E The survey results

5 Glossary The definitions of many of the following terms are taken from the NIST publication NISTIR 7298 Revision 2 Glossary of Key Information Security Terms by Richard Kissel. Access control The process of granting or denying access to information or objects holding information Authentication Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system Authorization Access privileges granted to a user, program, or process or the act of granting those privileges. Availability Ensuring timely and reliable access to and use of information CIA The Confidentiality Integrity Availability model for analyzing information security Confidentiality Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information Credential An object or data structure that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a Subscriber. EMR Electronic Medical Record HCP Health Care Professional HI Health Informatics Integrity Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. SITHS-card Nationally standardized ID card for physical and electronic identification of employees in healthcare. 5

6 List of figures FIGURE 1. AMOUNT OF PARTICIPANTS THAT HAD BEEN INFORMED ABOUT RULES FOR CREDENTIAL MANAGEMENT (N=86) FIGURE 2. AMOUNT OF PARTICIPANTS THAT COULD ACCOUNT FOR CREDENTIAL MANAGEMENT RULES (N=61) FIGURE 3. THE FREQUENCY OF PARTICIPANTS NEED TO READ INFORMATION USING SOMEONE ELSE S ACCOUNT (N=85) FIGURE 4. THE FREQUENCY OF PARTICIPANTS NEED TO READ INFORMATION USING SOMEONE ELSE S ACCOUNT DIVIDED INTO GROUPS OF OCCUPATION (N=85) FIGURE 5. PARTICIPANTS ESTIMATE OF THEIR COLLEAGUES NEED TO READ INFORMATION USING THEIR ACCOUNTS (N=82) FIGURE 6. THE FREQUENCY OF PARTICIPANTS NEED TO MAKE NOTES USING SOMEONE ELSE S ACCOUNT (N=85) FIGURE 7. PARTICIPANTS ESTIMATE OF COLLEAGUES NEED TO MAKE NOTES USING THEIR ACCOUNTS (N=84) FIGURE 8. AMOUNT OF PARTICIPANTS WHO EXPERIENCE PROBLEMS WITH AUTHENTICATION METHODS DIVIDED INTO GROUPS OF IT-SKILLS (N=89) FIGURE 9. AMOUNT OF PARTICIPANTS WHO SEE A DANGER IN LETTING SOMEONE ELSE USE THEIR ACCOUNTS FOR READING IN AN EMR DIVIDED INTO GROUPS OF PROFESSION (N=85) FIGURE 10. AMOUNT OF PARTICIPANTS WHO SEE A DANGER IN LETTING SOMEONE ELSE USE THEIR ACCOUNTS FOR MAKING NOTES IN AN EMR DIVIDED INTO GROUPS OF PROFESSION (N=85)

7 List of tables TABLE 1. SEARCHES FOR AUTHENTICATION RELATED ARTICLES IN PUBMED TABLE 2. SEARCHES FOR AUTHENTICATION RELATED ARTICLES IN GOOGLE SCHOLAR TABLE 3. SEARCHES FOR AUTHENTICATION RELATED ARTICLES IN IEEE EXPLORE TABLE 4. COMPILATION OF SYSTEMS AND THE CORRESPONDING AUTHENTICATION METHODS USED BY THE PARTICIPANTS IN THE STRUCTURED INTERVIEW TABLE 5. THE TABLE USED FOR THE FISHER'S EXACT TEST FOR HOW OFTEN PHYSICIANS NEED TO READ INFORMATION USING SOMEONE ELSE'S ACCOUNT COMPARED TO NURSES (N=74) TABLE 6. THE TABLE USED FOR THE FISHER'S EXACT TEST FOR EXPERIENCE OF PROBLEMS AND LEVEL OF COMPUTER SKILLS (N=89) TABLE 7. CATEGORIES OF PROBLEMS PARTICIPANTS EXPERIENCED WITH AUTHENTICATION METHODS (N=49) TABLE 8 CATEGORIES OF REASONS WHY PARTICIPANTS NEED TO READ INFORMATION USING SOMEONE ELSE S LOGIN (N=45) TABLE 9. CATEGORIES OF REASONS WHY PARTICIPANTS NEED TO MAKE NOTES USING SOMEONE ELSE S LOGIN (N=20) TABLE 10. THE TABLE USED FOR FISHER'S EXACT TEST FOR DIFFERENCES IN THE OPINIONS OF DANGERS WITH HAVING SOMEONE ELSE USE YOUR ACCOUNT TO READ INFORMATION (N=85) TABLE 11. CATEGORIES OF THE DANGERS PARTICIPANTS SEE WITH COLLEAGUES USING THE THEIR ACCOUNTS TO READ INFORMATION (N=62) TABLE 12. CATEGORIES OF THE DANGERS PARTICIPANTS SEE WITH COLLEAGUES USING THE THEIR ACCOUNTS TO MAKE NOTES IN AN EMR (N=70)

8 1. Introduction 1.1. Information security in healthcare Healthcare is an area where information security practices are of high importance. The information stored in IT-systems used by health care professionals is by its nature sensitive, and many times directly connected to the patients by name and/or identification numbers. Everyone who works in healthcare needs to understand that patient information must be handled with uttermost care and according to information security best practice. However there will be times when compromises between security best practices and getting the work done must be made and must be allowed to be made. This is important for the sake of patient safety. Total security is far from a reasonable goal in healthcare. The optimal balance most likely lies in an equilibrium among multiple critera, where tradeoffs in security and usability are equally weighted againts the objectives of the system and the needs of its users (1) as Heckle et al. described it. The Patient Data Act (2) regulates information management in Swedish healthcare. In this act we read that information management in healthcare should be organized in a way that cater for patient safety, good quality and cost efficiency. We can also read that patient information should be managed in a way that maintains the patients and other registered party s confidentiality, and that information must be managed in a way that makes unauthorized access impossible (2). Another more specific policy document that complements the law is The National Board of Health and Welfare s regulations for information management and record keeping in healthcare (3). This document is more practical in its nature and specifies required procedures for health care providers in Sweden. On a practical level these documents inform us that Health Care Professionals (HCPs) should only have access to the patient data that they need in order to perform their work. The definition of what they need is that the HCP is having an active care relation with the patient. Another level of the access control regards information in medical records produced by other caregivers. In this case access is allowed if the HCP has the agreement of the patient and if access to information can be assumed to be of importance for the care of the patient (2). To continue, it is the obligation of health care managers to grant HCPs individual permissions for access to patient data; and in order to maintain the patient s confidentiality they must be able to log who is accessing what within the systems 8

9 that they keep (2). Logging is also important since it is the patient s right to claim to see the logs and also to lock down the access to their medical records if they choose to (2). The legal consequences of unauthorized access to patient data are fines or imprisonment of up to two years (2). A well-known model for analyzing information security is the Confidentiality, Integrity, Availability (CIA) triangle (4). The purpose of this model is to analyze information security as a state of balance between these three concepts. Is it for example more important that the information is protected (confidentiality) or that its state is preserved (integrity) or that it is accessible in a timely fashion (availability)? The three concepts will in some respects work against each other and the end result will be a compromise where you strive to find the right balance for the application at hand. The most obvious conflict is probably the one between confidentiality and availability. It can in the most exaggerate way be illustrated by claiming that total confidentiality of data can be obtained by disconnecting a hard drive putting it in a hole in the ground and pouring concrete in the hole; this will keep the data confidential but also have a drastically negative effect on availability. Designing access control in healthcare is difficult because of the sometimes critical nature of the work, and the fact that timely access to information may be a matter of life and death. If we were to analyze the situation using the CIA model we would have a definitive focus on availability rather than on the confidentiality; at least when it comes to the matter of patient safety. However, patient confidentiality is also a critical matter here and thus compromises will be made. The traditional way to manage access to information is based on the assumption that it can be decided in advance which information a user needs access to; based on for example a user s role within a company; this is called Role Based Access Control (5). If a need for access surfaces the user will probably ask a manager, who will in turn ask the IT-department, who will grant the user the permission he needs. However, in healthcare this is many times not sufficient since it could put the patient safety in danger. We cannot have a situation where a physician needs to access patient information in an acute situation but is met by a message saying Access denied! Contact your system administrator!. The solution to this is called Optimistic access control and is described by Lilian Røstad (6) as when in doubt allow instead of the usual when in doubt deny. The procedure is now that the user is granted certain privileges but can also choose to override the access control in order to gain access to information that he or she deems that there is need for in order to perform the job at hand. The actual 9

10 overriding mechanism is sometimes referred to as Break the Glass (7). The security of the system is in this case maintained by reviewing access logs rather than on the usual preventive methods of denying access. Healthcare managers are as previously mentioned required to perform systematic recurring access log analysis in order to make sure that no unauthorized access to patient data occurs. There is also a requirement to have documented routines in place for how these reviews are to be performed (2, 3) Authentication methods used in healthcare In order to be able to grant a user access to something in a computerized system you first need to verify who the person in front of the computer is. This is called authentication. There are many different methods for authenticating users in IT-systems. The most common is probably the username and password combination; but there are also other ones like software certificates, smart cards, biometric methods etc. The Health Insurance Portability and Accountability Act (HIPAA) which is used in the US requires that vendors of healthcare information systems implement one of the following three mechanisms for authenticating users: the user gives the system something she has, the user gives the system something he knows, the user gives the system something she is (8). These requirements cover all of the above mentioned mechanisms since a smartcard or a certificate is something you have, a password or a PIN is something you know and biometric measurements is something you are. In environments where passwords are used, the users are most likely not allowed to choose a password freely. The system administrator will have implemented a password policy that dictates and enforces certain demands on the passwords that users can choose. The idea behind this is to prevent potential attackers from being able to predict passwords. Common policy criteria for passwords are: length of password exceeding a certain number of characters, and the presence of at least three out of the four different character sets (uppercase letters, lowercase letters, numbers and symbols). Password policies also often dictates how often the password must be changed and if you are allowed to choose a password that you have already used in the system. In environments where smart cards are used, it is common that you also have a PIN that you need to enter when using your card. This is called two-factor authentication. You present the authentication mechanism with something you have 10

11 (the smart card) but also with something that you know (the PIN). This adds a second layer of security since a potential attacker needs to know more than or be in possession of more than one thing in order to break into a system (9) Security policies Information security is often governed by written policies. These policies dictate for example how the users in an organization are supposed to use computers, manage credentials, and behave when working with systems within the organization (10, 11). The policies also describe the consequences of violating the policy in question (10). Policies may vary in their formality and can range from mathematical preciseness to more informally written pieces depending on their intended usage. Well written security policies defines, according to security researcher Matt Bishop (11), what secure means for a specific system or a set of systems. Typically the kind of security policies that are distributed to employees when they start a new job will be very specific to the environment where they are used and adapted to the specific systems that the user will use. They will of course vary in how detailed they are in describing what is and what is not allowed; more security sensitive organizations will usually have more specific and detailed policies (11). Policies should, again according to Bishop, begin in generic statements and then go into more detailed dos and don ts depending on the specific issues that an analysis of threats for the specific environment results in (11). The idea behind this is that the person writing the policy should cover as many potential issues as possible but only have to describe in detail the ones that seem most important. The purpose of information security policies is of course to define the level of security within an organization, but also to increase the security of it by making the employees aware of the rules and the punishments for breaking them Theories from behavioral information security research There are several theories used within the study of behavior in information security. One of the most popular ones is deterrence theory, which is based on the idea that threats of punishment is a good predictor of adherence to good security practice (12). Another one is the theory of planned behavior, which is based on the link between attitude, subjective norms, behavior control and the actual performance of the behavior (13). 11

12 A recent review of compliance factors for security behavior, however, suggests that the deterrence theory is rather poor predictor of information security behavior, while the theory of planned behavior does a fairly good job in this respect. The conclusion was that emotional and moral factors are more important when it comes to predicting user adherence to security policy rather than logic and hard facts (10). In this thesis behavior and information security practice will be analyzed, primarily, as an interaction between the users and the systems. The purpose is to investigate if current authentication methods are appropriate for the environment Information security in collaborative and stressful environments The origins of computer security are found in the military where the implementation of the need to know principle, with its strict focus on confidentiality and on the individual who is granted access to information, was the first formal work of information security (4). Acute healthcare is, in contrast to the military, a place where availability of information, sharing of information and team work are prominent features of the work environment. The potentially stressful task of keeping the patient alive combined with the collaborative environment can be assumed to put special demands on the systems that are implemented and the way that the HCPs needs to able to use them. The following citations are from the article Undertaking sociotechnical evaluations of Health Information technologies by Cresswell and Sheikh and illustrate this quite nicely (14): In all but a few instances managing patients trajectories is a collective collaborative enterprise [the environment is] characterized by the constant emergence of contingencies that require ad hoc and pragmatic responses Things needs to be dealt with on the spot, by whomever happens to be present, and with whatever resources happen to be at hand It seems natural to assume that structural differences on such a basic level could lead to vastly different demands on the security mechanisms used and that methods designed and standardized in another environment may not be well suited for acute healthcare. According to Baxter et al, acute healthcare is one of the most difficult areas of healthcare to implement IT-systems into (15). In the light of this it seems important to study authentication in acute healthcare. Studying the topic in other 12

13 areas of healthcare may also be of importance, but they are likely better suited for standard methods since they have more in common with other administrative workplaces in the workflow The quality perspective on security mechanisms Traditionally information security has been analyzed from a quantitative perspective. The evaluations have often been focused only on the presence or absence of the security mechanisms and not on the quality of how they were implemented, configured or maintained (16). Investigations of security controls have also usually been separated in the different perspectives of technical, operational and managerial controls. The need for a more holistic approach to information security has however been recognized lately (16). The idea of quality management is to ensure consistent products or consistent processes within an organization. In order to accomplish this goal all parts of the work environment and its processes must be subject to quality assurance, planning and control. It seems reasonable that a more holistic view on information security, which is taking into account all the different levels of controls as well as qualitative perspectives of their implementation will lead to better information security; but in order to fully understand the state of information security the analysis needs to be taken even a step further and incorporate the perspective of the users. A system will only be as secure as the behavior of the users lets it be (17). This is also the perspective that takes us into the field of health informatics. Analysis of information security from a health informatics perspective is, in my eyes, not to study information security mechanisms in general but to study how the systems and methods implemented affect and are affected by the work processes in the healthcare domain The socio-technical approach The relationship between users and the IT-systems they work with has been gaining increasingly more interest as a field of research lately, both in general IT and in health care (1, 14, 15, 18, 19). In the literature, this is referred to as the sociotechnical perspective. This way of viewing the interaction can be used to analyze the effectiveness of the actual systems as well as how implementation of IT-related regulations in the end affect the quality of care (17). 13

14 There is research indicating that introduction of technology in healthcare is a potential risk when it is not implemented with consideration to existing work processes (14, 15, 19). The developers intended design goal of a technical solution is not always the same as the result when implemented in an actual environment (18). The socio-technical approach (14, 19) suggests that organizational, human and information technology factors form a system that interacts and shapes each other. The introduction of an IT system will of course change the behavior of the people working with it, but the system should also allow changes to be made due to the work processes of the people. The central idea is to put the user, their work processes and relationships on the center stage instead of approaching system design in a top-down technology centered way (18). The majority of the literature on this topic deals with complex systems and not with specific mechanisms or methods. Socio-technical analysis seems to be considered to be best suited for analyzing complex systems (14). However, the question could be asked if more specific IT mechanisms could also be risk factors when introduced in a standardized way without specific concern for the work processes in place. It seems reasonable that this may be the case especially if we consider mechanisms and methods that are used many times a day. Even though they may be simple and specific in their purpose, they can still have a huge impact on the user s work flow. There are also indications in literature that socio-technical factors are a problem in implementation of security mechanisms. In a study of implementation of a single sign-on solutions in health care, it was seen that a mechanism that works fine in other businesses can actually create security vulnerabilities for the individual user in healthcare. The researchers considered this to be caused by the application of an individually oriented mechanism in an environment that is collaborative in its processes (1). User workarounds in password policy adherence is something that can definitely be considered a socio-technical problem. System administrators implement password policies in order to make the passwords chosen by users more secure, only to see that the policy also affects the user s behavior thus making the end result less secure. Examples of this are: when policy demands make the passwords too complex to remember and the users write them down, or when it makes them choose a new password that is basically the same as the old one with for example a number added at the end (20). The intended design goal is not the end result. In a review by Appari and Johnson, from 2010, it is suggested that while the interaction between users and security mechanisms has been dealt with to some 14

15 extent by mainstream information security research, there has not been much published regarding the situation in healthcare (17). This review was written a few years ago but there is not much that indicates that the situation has changed since then. The tables below displays the number of hits for a few search strings using terms related to the area in the databases PubMed (Table 1), Google Scholar (Table 2) and IEEE Explore (Table 3). Table 1. Searches for authentication related articles in PubMed. Search term Hits Authentication computer user 141 "Security Measures"[Mesh] AND authentication 229 "Security Measures"[Mesh] AND authentication AND attitude 2 "Security Measures"[Mesh] AND computer AND password 67 "Security Measures"[Mesh] AND computer and password and attitude 4 (computer security[mesh Terms]) AND authentication 193 (computer security[mesh Terms]) AND authentication AND user 76 attitude to computer[mesh Terms] AND security 170 attitude to computer[mesh Terms] AND authentication 2 Table 2. Searches for authentication related articles in Google Scholar. Search term Hits allintitle: healthcare authentication 67 allintitle: healthcare password 4 allintitle: healthcare security quality 7 allintitle: healthcare computer security 4 Table 3. Searches for authentication related articles in IEEE Explore. Search term Hits Authentication and healthcare 209 Authentication and healthcare and user 74 Healthcare and password 15 Among these published articles very few are directly relevant for the study of user and security mechanism interaction. Most of them go into technical aspects of 15

16 authentication methods; and the few ones that are taking the users into account mostly look at what they do or fail to do, not why The need for socio-technical analysis of security mechanisms There are indications in literature that health care professionals misuse the authentication methods used by IT-systems in healthcare. In a study from Norway, 21 % of the respondents from a hospital setting reported to often half of the times or more document their work in the name of another person (21). In an article by Åhfeldt et al, based on field observations of Swedish HCPs computer use, it is suggested that users are not taking responsability for their use of authentication and that: It seems obvoius that some users do not really understand why the log-on procedures and authority control systems exists (22). A Delphi study from the UK by Deursen et al, with participants from the field of IT-security in healthcare, identified the most probable scenarios for information security breaches; here sharing of passwords or other access tokens was considered one of the most likely incident types (23). Healthcare is often considered to be an area where it is difficult to implement computer systems. For different reasons it seems that systems that can be successfully implemented in other business areas are not suited for this particular environment; and that specific strategies already in the development phase are needed to successfully implement them in this environment (15). One being the active participation of domain users in the development and implementation of systems (18). It has also been concluded that security is as much about human processes as it is about technology (7) and that the incentives for the users will dictate how they interact with access control and thus the effectiveness of the solution (24). In the light of this it is necessary to look further into if and how the previously mentioned indications of misuse of authentication mechanisms are related to the user s workflows and also their opinions about authentication methods used today. The attitudes and opinions of HCP regarding authentication methods should be an indication of implementational success since it is something that they deal with many times a day and since many of the HCPs are likely to have opinions about the way technology puts demands on their work process (15). 16

17 It also seems reasonable that technical implementations that are disruptive (which authentication methods inevitebly are) should be studied in the light of their impact on the people working with them (14) Aim of the thesis The aim of this thesis was to find out if current implementations of authentication methods in acute healthcare are effective, or if the professionals working in the domain experience any systematical problems that need to be addressed in the design and implementation of future systems Objectives of the thesis The objectives of the thesis were to describe: how authentication methods are used in acute healthcare, what problems the participants experience with authentication methods, and to describe the healthcare professional s opinions about these topics Research questions RQ1: Are HCPs in the acute healthcare setting using authentication methods as they are intended to be used? RQ2: Which are the main problems that the HCPs experience with current authentication methods? RQ3: What concerns do HCPs have about the problems they experience with authentication methods? 17

18 2. Method 2.1. Study design This study was designed to be descriptive and analytic. This approach was taken in order to investigate to which degree acute healthcare professionals experience the problems that were indicated in previous studies, if there were other problems present, and finally to see what dangers they could see with these problems. Socio-technical evaluations are often diverse in their designs utilizing both qualitative and quantitative methods in order to better investigate and analyze the interactions of systems and humans (14). During the planning phase it was decided that this thesis would be based on two phases of data collection. The first being a small structured interview with the main purpose of exploring the environment in regard to which IT systems are used and what methods of authentication they use. The second being an online survey in the form of a questionnaire with the purpose of collecting as many opinions of authentication methods as possible. The design of the survey was based on an informal workshop with four information security experts. The choice of using a questionnaire for data collection, was due to the benefit of being able to collect information from as many participants as possible. Adding further weight to this motive is also the fact that questionnaires are considered appropriate for quantitative studies of subjective aspects (25). There was also the notion that most previous studies on the topic have been conducted as observations or qualitative interviews; therefore it was decided that in order to make progress, the best approach would be to make a quantitative survey. According to a review of Information Security research from 2014, the most popular method behind reports in the field has been Subjective-Argumentative research (26). Since the specific subject of this thesis had not been deeply researched before, a strictly quantitative approach would have been difficult to put into context for analysis. In order to compensate for this a few free text questions were included in the questionnaire. The answers to these questions were analyzed both qualitatively using content analysis and quantitatively using word frequency analysis. The choice of a web survey was further motivated by its ability to keep a distance between the researcher and the participants. We wanted to grant them as much anonymity as possible, since questions about behavior regarding security practices could be seen as sensitive and maybe even perceived as blaming. Underreporting of misbehavior is a problem for surveys in general and needs to be specifically 18

19 addressed when researching a topic like this (27). A web based questionnaire ought to be among the best ways to make participants disclose their true opinions in a survey (28). Even though the anonymity of doing things behind the computer screen can (and should in the case of IT-security related work) be argued, it seems that many people today experience a sense of anonymity when expressing themselves on a computer over the Internet (28). In order to gain and maintain the trust of the participants, a few measures were taken when configuring the collection system and designing the survey. The collection system was configured to not register the IP addresses of the computers that the participants used to register their answers. The survey was also designed to not collect information with which the participants could be identified. Information about these privacy measures were given to the managers and to the participants in the letters used when asking for their participation and in the beginning of the questionnaire. The letters can be seen as Appendix A, B and C Structured interviews In order to build a basic understanding of the topic to be studied, structured interviews were performed. Four open ended questions were distributed to three physician from three different disciplines and three different geographic locations in Sweden. One participant was interviewed in person and two participants answered the questions by replying to an they had received. In some cases follow up questions were asked in order to clarify their responses. The method of participant selection used in this step was purposive convenience sampling, all three physicians were previously known by the author and represented different areas of healthcare. This approach was considered appropriate since the purpose of these interviews was not to gather statistical information, but simply to provide information on how authentication is used in healthcare. The choice of method (conducting structured interviews via ) was also primarily one of convenience; both for the author who did not have to transcribe recorded interviews, and for the participants who were able to answer the questions at their own convenience. However, there were also other benefits of this method compared to for example face-to-face interviews or phone interviews. interviews seems to make the respondents more focused on the questions at hand, they are also more likely to disclose the truth in sensitive matters, and they are more likely to think about their answers on a deeper level before submitting them (28). There are, of course, also negative effects of choosing interviews. For example, it puts a greater demand on the participants ability to express themselves 19

20 in written form, and it makes direct probing of questions impossible (28). Both these problems were handled by follow up questions in form for the two participants that answered the questions in this way. The main purpose of the interviews was to find out what IT systems the participants used and which methods of authentication they used in order to login to these systems. The interviews also included questions about any problems that the participants experienced with authentication methods and also their self-evaluated knowledge about routines regarding authentication information in their workplace. The results of these interviews were used both as discussion material for a workshop held with four information security experts from MSB and as material when constructing questions for the web survey. Table 4 displays the systems and corresponding authentication methods that the participants of the structured interviews used. Each participant reported to use between seven and eight different systems and used between two and seven different credentials for authentication in these systems. Table 4. Compilation of systems and the corresponding authentication methods used by the participants in the structured interview. Participant Discipline Systems* Authentication methods 1 Acute health care / cardiology Hospital network EMR system X-Ray system Intranet SITHS-card + PIN(1**) HSAID + password(2) Shared account + password(3) HSAID + password(4) HSAID + password(5) No log in EKG system Shared account + password (6) Regular prescription system SITHS-card + PIN(7) HSAID + password(4) Special prescriptions system SITHS-card + PIN(1) 2 Psychiatry Hospital network Personal username + password(1) EMR Personal username + password(1) Medical certificate system (Sjukintygssystem) SITHS-card + PIN(2) 20

21 Lab and X-ray ordering system Prescriptions system Intranet Integrated to EMR SITHS-card + PIN(3) No log in Time report system EMR for primary care Personal username + password(1) Personal username + password(1) Booking system Personal username + password(1) 3 Anesthesiology Network Shared username + password Personal username + password(1) Siths card + password(2) EMR system Siths card + password(2) Personal username + password(3) Operation planning system Siths card + password(2) Personal username + password(3) X-ray system Access through EMR Quality registry Access through EMR system Clinical decision Access through EMR support system Administrative system Personal username + password(3) E-prescription system SITHS card + password(2) *The terms used for the type of system is the participants own. **The number indicates for which of the systems the passwords or PINs are the same Questionnaire The tool chosen for designing the online survey was Survey Monkey ( which is a cloud service for designing questionnaires and collecting and analyzing survey data. The reason for this choice was that the collaboration partner at MSB (the Swedish Civil Contingencies Agency) had experience in the configuration and use of it. Before construction of the questionnaire began, a workshop was held with information security experts from MSB. The purpose of this meeting was to find the best way of approaching question design, using the results of the structured interviews as a foundation, and to collect best practice suggestions on how to collect data on a sensitive subject. 21

22 The questionnaire was designed to be mostly quantitative using multiple choice questions, but a few questions with free text answers were created in order enable deeper exploration of the participants opinions and their possible diversity (29). Socio-technical studies are meant to focus on processes (14), therefore the questions in the questionnaire were designed to be on the topic of the participants opinions regarding how authentication interacts with their work flows and possible problems that they may experience. The questionnaire was designed to start with questions that would put the participant in the mindset of thinking about authentication by asking about the specific methods he or she used in the work place and if there were any problems present with these methods. After this, the questionnaire took the participant into questions about policies and rules governing the authentication information. Next, the main part of the questionnaire dealt with questions about what was hypothesized as the potentially biggest problem in a collaborative environment, the usage of colleague s accounts and sharing of credentials. The questionnaire ended with four demography questions that were included with the purpose of dividing the participants into groups for analysis and in order to control the representation of different categories in the sample group. The groupings chosen were: occupation, age, computer literacy and geographic location. After the design of questions was completed, a few measures were taken in order to validate the questionnaire. The questions were discussed on multiple occasions with both supervisors of the thesis in regard to content, wording and order. Before the invitation to the survey was distributed, a pilot group of three health care professionals were asked to fill out the questionnaire and comment on the wording of questions and any ambiguities they could notice. A more scientific approach to validation did not seem necessary (25) or possible within the scope of this project. The questions of the final questionnaire can be seen in translated form in Appendix E together with a summary of the answers. The questionnaire was distributed to the participants in Swedish Participants Participants were recruited by approaching acute healthcare managers in 50 hospitals in Sweden (10 in northern Sweden, 18 in middle Sweden and 22 in southern Sweden). An with information about the study, a link to the questionnaire and a kind request for their approval and help to distribute the link to at least three but preferably as many as possible of their employees was sent to the 22

23 managers of the acute clinics at all hospitals included. All communication with the managers and the participants was done in the name of MSB. The managers were asked to distribute the survey to physicians, nurses and assistant nurses. This since these were considered the interesting occupations for this study, given that their jobs are of the collaborative kind while other professions that may be present in the acute clinics are likely more administratively focused. The first invitation resulted in 18 positive answers from managers who wanted to participate and agreed to send the link to their employees. Two weeks after the initial invitation was distributed a reminder (Appendix C) was sent to all the managers that had not yet responded. Two weeks after the reminder was sent the survey was closed for participation. At this time we had responses from 19 managers and a total of 89 participants. As can be expected there, was a certain decline in the number of people who answered the questions from the start to the end. Eighty-two participants answered the last question Population The population that the results of this survey intended to describe were employees in acute healthcare in Sweden in the occupations physicians, nurses and assistant nurses. At the time of this project there was no database with information about this group. In order to estimate the population size we reached out to both The National Board of Health and Welfare and the Swedish Association of Local Authorities and Regions but neither of these associations had any statistics regarding the size of the population. The best option was to try and estimate the population size according to the following calculation. The Swedish Medical Association (SMA) has members, out of which are working (the rest are students or retirees). According to the National Board of Health and Welfare, there were in 2012 close to physicians active in Sweden. This led us to assume that three out of fours physicians are members of the SMA. The Swedish Society for Emergency Medicine, one of the sub-divisions of SMA has 250 members. If we assume that the distribution of physicians being members of the SMA is the same for all specialties, then there should be about 330 active physicians in acute healthcare. Also according to the National Board of Health and Welfare there are two specialist nurses for every specialist physician, so we assume that there are 660 nurses active in acute healthcare. According to the Swedish Association of Local Authorities and Regions there are five assistant nurses on every seven nurses, so we then assume that there are 470 assistant nurses. These 23

24 assumptions gave us an estimated population of around 1500 healthcare professionals working in acute healthcare in Sweden. This calculation can be questioned in many ways, particularly since physicians are not usually employed at the acute clinics but in other clinics under other specialties and then assigned to work part time in the acute clinic. The specialty of acute physician is rather new in Sweden and they only account for a part of the physician s active at the acute clinics (30). With this in mind, the number 1500 can be seen as a rough estimation made in order to relate the size of the sample to the population Data analysis The answers from the structured interviews were compiled and presented using the participants own descriptions of the type of systems they used, and which types of authentication methods were used by these systems. The answers to the questions about if they were content with the authentication methods they use and if they could account for the rules governing these were only used to see if there was any indication of problems regarding authentication methods and the policies regarding these. The answers to the online survey were analyzed in a few different ways. First, all answers to questions with predefined answers were compiled as a group with all participants. Secondly, they were compiled in groups separated by the three demographic questions (age, occupation and computer literacy). The results from this division was used in order to identify differences between the groups. The answers to the open-ended questions were analyzed using word frequency analysis with a feature built into the survey system Survey Monkey. One must be careful when drawing conclusions from word frequency analysis, since the words occurring the most may not always reflect the concepts of most concern in the material at hand (31). Also, things like synonyms and the fact that some words may bear multiple meanings must be considered. Due to these limitations, the word frequency analysis was used in combination with another method of content analysis as described by Zhang and Wildenmuth (32). The steps taken in the content analysis were: To define the unit of analysis to be themes. In the article (32) this is described as a single word, a phrase, a sentence, a paragraph or an entire document that has the common property of expressing a delimited idea 24

25 To develop categories and a coding scheme. The categories were developed in an inductive manner from the collected data during the coding and added to a table as they were identified. Since the author of the thesis performed all the coding no coding manual was developed Coding of the text. Coding of all the answers was performed on two different occasions in order to assess the coding consistency Since the sampling of participants was not random, any statistical tests that were applied could not formally be used to generalize the results to the population. Fisher s Exact Test for Count Data (33) was however applied to a few of the questions, where seemingly interesting differences were seen between the groups, with the purpose of summarizing more promising lines of future research Ethical considerations The collection system Survey Monkey is provided by an American company and the results are stored on their servers. It was important that no personal information was collected both due to ethical standards and to regulations governing the work of MSB. It was also important to preserve the respondent s privacy since we asked for possibly sensitive information regarding their work practices. The data collection was therefore set up to be anonymous and no personally identifiable information was collected or disclosed in the report. There was also no information shared regarding the users in a specific location with the managers at that location. The survey system was set up in order to not register IP addresses of the respondents. Since the survey was distributed to the participants via their managers, we made sure to inform the participants in the letter accompanying the survey that participation was not mandatory. 25

26 3. Results Included in this section of the thesis are the most important results. For a complete summary of all answers to the multiple choice questions and the results of the word frequency and content analysis see Appendix E Description of the participants The last four questions of the questionnaire were demographic questions; these were included in order to enable evaluation of the representativeness of the sample since we could not use a random one. The participants were asked how old they were, in what part of Sweden they were primarily employed, what their profession was, and asked to rate their computer literacy. Three other questions in the survey were also included with the purpose of describing the participants rather than to answer the research questions. These concerned what authentication methods the participants used and whether or not they had been given information about rules regarding login information and if they could account for these rules. Regarding the age distribution of the participants two percent where 25 years old or younger, 62% were between 25 and 45 years of age and 35% were above 45 years of age. The geographic distribution of the participants was uneven with 10% of participants saying that they primarily worked in the northern part of Sweden, 24% that they worked in middle Sweden and 66% that they worked in southern Sweden. There were also no physicians from northern Sweden represented in the sample. The distribution that could be expected from the number of hospitals approached in the different parts of Sweden was 20% in the northern part, 36% in middle Sweden and 44% in the southern part. The survey was intended for three different professions within acute healthcare; physicians, nurses and assistant nurses. Twenty-four percent of the participants were physicians, 55% were nurses and 11% were assistant nurses. Ten percent of the participants answered that they had other occupations. The other occupations mentioned were IT-manager and nurse, manager, unit manager, coordinator etc. No participants were excluded since they had been judged by the managers to be of the targeted professions and could be assumed to be based in the targeted professions even though they may at the time of the study have had a different title. 26

27 The participants were also asked to grade their level of computer literacy according to four different statements of computer skill. Six percent of the participants answered that they only used computers at work and never in their spare time, 50% answered that they used computers at work and that they also used e-services for personal use, 27% answered that they were able to install software on a computer that they owned and 17% answered that they had an interest for IT and that they were able to configure more advanced software. As described in the background different methods for authentication are used within healthcare. The participants were asked which methods they use in their workplace. Eighty-two percent said they use username and password, 23% that they use HSAID (which is an ID number given to all the employees of certain county councils in Sweden) and password, and 78% that they use a specific kind of smart card (SITHS-card) issued to HCPs in municipalities and county councils in Sweden. The questionnaire contained two questions about the participant s knowledge about policies governing the use of authentication, the results can be seen in Figure 1 and Figure 2. First, they were asked if they had been informed about any rules regarding how they are supposed to handle their credentials. Have you at any time been given information about rules governing the use of login information? 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% 71% 21% 8% Yes No I don not know Figure 1. Amount of participants that had been informed about rules for credential management (n=86) In order to follow up on the question about rules the participants who said that they had been informed were asked if they would be able account for the rules that they had been informed about. 27

28 If a new colleague would ask you about the rules, would you be able to account for them? 60% 54% 50% 40% 30% 20% 16% 23% 10% 0% Yes, completely Yes, mostly Yes, to some extent No 7% Figure 2. Amount of participants that could account for credential management rules (n=61) 3.2. The research questions The remainder of the questions included in the questionnaire were designed to collect information that could be used to answer the three research questions posed in the beginning of the thesis. Below, each research question has its own subheading where the results relevant for that particular question are presented Are acute healthcare professionals using authentication methods as they are intended to be used? Six of the questions in the survey were designed to answer the first research question and the results were as follows. One of the most important aspects of information security practice relating to authentication is that you do not share your password with others. The participants were asked how many of their colleagues that may have known their workplace login information, and how many of their colleagues login information they knew. Ninety-one percent (n=84) answered that none of their colleagues may know their credentials; and 88% (n=84) answered that they did not know anyone else s information. Another important aspect of authentication is that you do not let anyone else use your account to perform work in a system. The participants were therefore asked how often they faced a need to use someone else s account in order to read information in an EMR system. 28

29 A total of 58% of the participants (n=85) answered that they sometimes need to view information in a medical record system using someone else s account. Figure 3 displays the distribution in regards to how often the participants faced this need. How often is it necessary for you to read information in an EMR using someone else's account? 50% 45% 40% 35% 30% 25% 20% 15% 10% 5% 0% 41% 21% 14% 16% 7% On daily basis On weekly basis On monthly basis Less often Never Figure 3. The frequency of participants need to read information using someone else s account (n=85) An observation in the results was that physicians seemed a lot more likely to often face this need than nurses and assistant nurses. Figure 4 shows the distribution in regard to the different professions. 50% 40% 30% 20% 10% 0% 25% How often is it necessary for you to read information in an EMR using someone else's account? 30% 13% 11% 11% Daily 22% Sometime every week 15% 2% 11% Sometime every month 5% 28% 22% Less often 25% 46% Never 33% Physician Nurse Assitant Nurse Figure 4. The frequency of participants need to read information using someone else s account divided into groups of occupation (n=85) 29

30 Fisher's Exact Test for Count Data showed a significant association between the professional role and using accounts of colleagues for reading patient information (p<0,01). Physicians were more inclined than nurses to use the accounts of others. Since the sample of assistant nurses was small they were excluded from this test. The groups tested can be seen in Table 5. Table 5. The table used for the Fisher's Exact Test for how often physicians need to read information using someone else's account compared to nurses (n=74) At least monthly Less frequently or never Physician 14 6 Nurse The participants were also asked how often someone else used their accounts to read information in an EMR-system. A total of 67 % participants (n=82) answered that a colleague of theirs sometimes used their account to view information, and another 10% did not know how often this happens. So depending on how we interpret the I do not know answers, we may have up to 77% of the participants being subject to someone else using their accounts to read information. Figure 5 displays how often the participants were subject to this practice by their colleagues. How often does a colleague of yours use your account to read information in an EMR? 50% 45% 40% 35% 30% 25% 20% 15% 10% 5% 0% 13% On daily basis 21% On weekly basis 13% On monthly basis 20% 23% 10% Less often Never I do not know Figure 5. Participants estimate of their colleagues need to read information using their accounts (n=82) 30

31 Reading information in a system and having the action logged in the name of another user is a concern when the system for access control is based on review of logs; especially when an important part of the information security philosophy is confidentiality. Something that makes things even more complicated is if you write information in a system using someone else s account; this breaks the traceability of information entered into the system. However, the practice of writing information with someone else s account was less common. Twenty-eight percent of the participants (n=85) answered that they sometimes need to input information in a medical record system using someone else s credentials. Figure 6 shows the distribution of how often the participants needed to make notes in an EMR-system using a colleague s account. How often is it necessary for you to make notes in an EMR using someone else's account? 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% 0% 5% 1% On daily basis On weekly basis On monthly basis 22% Less often 72% Never Figure 6. The frequency of participants need to make notes using someone else s account (n=85) Thirty-one percent of the participants (n=84) answered that a colleague of theirs sometimes use their account to input information. However, another 11% of the participants reported that they did not know how often colleagues used their login to enter information. The percentage of participants whose accounts are sometimes used by someone else for writing information could thus possibly be as high as 42%. The complete distribution of the participants can be seen in Figure 7. 31

32 How often does a colleague of yours use your account to make notes in an EMR? 70% 60% 58% 50% 40% 30% 20% 10% 0% 0% On daily basis 6% On weekly basis 4% On monthly basis 21% 11% Less often Never I do not know Figure 7. Participants estimate of colleagues need to make notes using their accounts (n=84) Which are the main problems that the healthcare professionals experience with current authentication methods? In order to investigate the second research question, the participants were first asked if they experienced any problems with the authentication methods they used. Fiftyeight percent of the participants (n=89) answered that they did experience problems and 42% that they did not. An observation from the results regarding this question, was that the number of participants who reported that they experienced problems seemed to raise steadily with each increasing step of self -reported computer skill, this can be seen in Figure 8. 32

33 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% Do you experience any problems with the methods you use for logging in? 0% 100% 49% 51% I use IT (computers) at I use IT at work, but also work but never at home for personal use. I then use computers, smart phones or tables in order to use e-services on line. 62% 38% I use IT at work, but also for personal use. I use e- services but can also install software on my own computer. 79% 21% I have an interest for IT and can manage an operating system and configure advanced software. Yes No Figure 8. Amount of participants who experience problems with authentication methods divided into groups of IT-skills (n=89) Fisher's Exact Test for Count Data showed a significant association (p<0,05) between the level of computer skill and the experience of problems when the participants were divided into two groups, poor computer skills and good computer skills. The groups tested can be seen in Table 6. Table 6. The table used for the Fisher's Exact Test for experience of problems and level of computer skills (n=89) I use IT (computers) at work but never at home & I use IT at work, but also for personal use. I then use computers, smart phones or tables in order to use e-services on line. I use IT at work, but also for personal use. I use e- services but can also install software on my own computer & I have an interest for IT and can manage an operating system and configure advanced software. Experienced problems Did not experience problems

34 In order to understand what specific problems the employees of acute healthcare may face, when it comes to authentication, everyone who answered that they did experience problems were asked to state what problems they had experienced. The word frequency analysis of these free text answers revealed that many of the participants mentioned cards, passwords and time in their answers. Looking further into this question, the content analysis generated 10 categories of problems. These categories are shown in Table 7. Table 7. Categories of problems participants experienced with authentication methods (n=49) Category Number of answers coded with the category Logging in takes too much time 21 There are too many different credentials to keep track of 14 I forget to take my card out of the computer 9 It is problematic that the card has multiple functions (log in to computer, open doors, use printer etc.) There is no automatic log off feature 6 There are technical problems with the card readers 6 The passwords expire to often 3 Passwords are easily forgotten 2 The password policy makes me write the password down The password policy makes me chose weak passwords Many of the participants experienced that logging in, especially when using smart cards, took too much time and that it was a problem that the cards were also used for other things than logging in (opening doors, using the printer etc.). Below are some citations that illustrate these problems further: When you use the smart card there is a great risk that you forget it in the computer. And I always leave it in the computer for the duration of my shift so during long periods my login is open and unprotected. It is impossible to work if you are to log in and out all the time easy to forget to log out, which leads to writing using others logins It s cumbersome with the smart cards that have to be in the computer. You get logged out if you need the card to use the printer 34

35 It s a hassle with different logins and many different logins to different systems. A hassle with using the same card for login to the EMR as for opening doors. This leads to a great risk of leaving the card behind and not being able to open a door in an acute situation. The smart card login does not always work, cumbersome and dangerous in acute situations Two of the answers contained direct suggestions for how the authentication methods could be improved. These two are cited below. It takes time to open the computer with the smartcard, logging out when you pull the card, forgetting the card in the computer, even though it is in the ER my data is available. I would like it if the card was wireless and gave access when I am within 10 cm from it When I use different computers it would have been more convenient to launch the system where I left of at the previous computer. Now username and passwords and additional software (Labmodule) needs to be selected before overview and the correct patient can be chosen. The participants were also asked about the main reasons why they need to read, and the main reasons why they need to write information in an EMR using someone else s credentials. The word frequency analysis of reasons for reading using someone else s account revealed that someone else being logged in was a common reason, time was another one (as in it takes to much) and the acuteness of the situation was a third. The content analysis confirmed this and added some more nuance, as shown in Table 8. Table 8 Categories of reasons why participants need to read information using someone else s login (n=45) Category Number of answers coded with the category The computer is already logged in with another account 15 It saves time due to convenience 14 It saves time since the acuteness of the situation demands it I have forgotten/left my card in another computer 8 There is a lack of computers 8 There are technical problems with my login 5 We work as a team and only one person can/needs be logged in A colleague asks for my opinion 3 The password expired

36 Below are some citations from the answers that further illustrates the more common reasons for using others accounts to read information in the EMR: Maybe I am writing a referral or another document that locks my computer. The colleague/nurse wants an advice about a patient and I will then read the info directly from his/hers screen. In that way I avoid the hassle of entering that patients journal, which may not be the most correct way since I do not get the care relation to that patient. Not access to one computer per user and in acute situations one person logs in to the computer and then it is used by everyone in the room Big buildings, I circulate and making rounds with other physicians and have no possibility to log in on my own computer every time. It is physically impossible since there are no extra computers, but even if there was it would not be possible due to the time we have available I need information fast and my card is locked in the computer where I am logged in. I am in another part of the hospital/clinic and since it takes several minutes to log in to a new computer I have not brought my card but have let it stay in another computer to save time Someone is always logged in to a computer. In acute situations it is not ever interesting to log out and then log in using your own credentials but you rather have to get the information you need fast Colleague logged in to the only computer in e.g. triage or ER. All/most in the room need to take different information from the patient record at the same time. I see no danger in a colleague reading the record using my account in this situation There are (almost) not absolute reasons, relative reasons are stress, forgot the card etc. where stress and laziness takes over The responses to the question regarding reasons for writing information using another person s account were too few to make a meaningful analysis of word frequency. The content analysis (Table 9) however revealed some differences compared to the results of the question regarding reading of information. 36

37 Table 9. Categories of reasons why participants need to make notes using someone else s login (n=20) Category Number of answers coded with the category It saves time due to convenience 6 I do it by mistake 5 We work as a team and only one person can/needs be logged in There are technical problems with my login 4 It saves time since the acuteness of the situation demands it 4 2 Below are some citations that illustrate the categories identified. "By mistake when I haven't realized that someone else has logged into a computer that I use" "We are more than one caregiver with the patient and it takes too long to change user" "Has happened when I am in a hurry and do not have time to log in, or that my card is still in my workstation and I am far away from it and do not have time to go and get it" "Technical problems with my own account" What concerns do healthcare professionals have about possible problems due to the way authentication methods are used? In order to investigate the third research question of the thesis the participants were asked if they could see any dangers with their accounts being used by their colleagues. Seventy-seven percent of the participants (n=85) considered it to be a problem if colleagues use their accounts to read information in a medical record system while 23% did not see a problem with this. An observation from these results, were that physicians were a lot less likely than the other professions to consider this a problem, as seen in Figure 9. 37

38 Can you see any dangers with a colleague of yours using your account to read information in an EMR? 100% 80% 87% 78% 60% 50% 50% 40% 20% 13% 22% 0% Physician Nurse Assitant Nurse Yes No Figure 9. Amount of participants who see a danger in letting someone else use their accounts for reading in an EMR divided into groups of profession (n=85) Fisher's Exact Test for Count Data showed a significant association between professional role and the self-assessment of risk (p<0,01). Nurses were more inclined than physicians to state a risk. Here nurses and assistant nurses were grouped together since there answers were similar in their distribution. As a reminder, we do not know whether the sample of physicians and nurses was representative for the population and can thus not generalize this finding. The groups used for the test can be seen in Table 10. Table 10. The table used for Fisher's exact test for differences in the opinions of dangers with having someone else use your account to read information (n=85) Yes No Physicians Nurses/Assistant nurses 47 8 As previously mentioned, there is a difference in the information security issues when it comes to reading information compared to writing information. The participants were therefore again asked the same question but regarding the practice of having someone else make notes in an EMR using their accounts. This time, 91% of the participants (n=85) considered it to be a problem if colleagues used their accounts to enter information into a medical record system, while nine percent did not see any problems. 38

39 Again, the physicians seemed less likely to see a problem with this, as can be seen in Figure 10. However, this time the Fishers Exact Test did not reveal a significant difference between the groups of physicians and nurses/assistant nurses. 100% 80% Can you see any dangers with a colleague using your account to make notes in an EMR? 80% 93% 89% 60% 40% 20% 20% 7% 11% 0% Physician Nurse Assitant Nurse Yes No Figure 10. Amount of participants who see a danger in letting someone else use their accounts for making notes in an EMR divided into groups of profession (n=85) In order to understand what problems employees of acute healthcare see when it comes to having their accounts used by someone else the participants were asked to state the dangers that they could see with colleagues using their accounts to read information in an EMR system. The word frequency analysis of the answers regarding this suggested that Logged, Patient and Confidentiality were words that could lead us to an understanding of the problems here. The content analysis of these free text answers generated 12 problem categories that made the picture clearer that can be seen in Table

40 Table 11. Categories of the dangers participants see with colleagues using the their accounts to read information (n=62) Category Number of answers coded with the category I may get in trouble after a log review 30 There are confidentiality problems 26 Someone may use a computer for something that is not allowed Someone may forget that the login is borrowed and take action or document in my name I may get into legal problems 5 I am responsible for what is done 5 I have no control for what is done in my name 2 Traceability is broken 2 Patient safety is at risk 2 Mistakes that are made are logged on me 1 Prescriptions may be done in my name 1 Patients may get hold of my name in the logs Below are some citations that illustrate these categories further: It is not transparent e.g. one does not know when someone has read something since you have left the smart card in the computer. Sometimes I see patients in the list of previously opened records that I know I have not entered. Further the system does not server the work flow but the work flow shall adapt to the system. It makes it impossible for the ones that are to review my access to records (which is extremely important in order for us to preserve our legitimacy as a profession) to understand what was done and what was not. The review becomes impossible and I risk the consequence of being prosecuted for data breach when that is not the case. If I am in the room and can see what he or she reads it is acceptable, it is not if I forgot my card and am not present Confidentiality. Must not happen. That s it! A word that was often used in the answers regarding dangers of someone else writing information using their accounts, and that point towards what was seen a problematic here was Responsible. The content analysis generated six categories of problems that added more information to this, as can be seen in Table

41 Table 12. Categories of the dangers participants see with colleagues using the their accounts to make notes in an EMR (n=70) Category I may become responsible for things (ordinations, treatments etc.) that I have not performed Number of answers coded with the category Traceability is lost 11 Confidentiality problem 10 Things written in my journal that I cannot stand for quality or content wise Information may be wrong and I cannot correct it since I do not know Patient safety is at risk Below are some citations that further illustrates these categories: That I who have nothing to do with a patient, will read what is written. That would be breaking confidentiality in a way I believe People may get access to records that they should not in my name, they write in my name and even if we can in theory go back afterwards with our own login and sign notes that someone else has done. I don t think that this happens If treatment is wrong my name will be responsible Can be in my name. No idea how it is searched etc. When we use each other s login its usually very acute or when I watch over someone s shoulder. As far as I know this is extremely rare and rather a mistake. It complicates communication in the practice of care since you will misunderstand who met the patient. Furthermore it is juridically complicated if it was to become a court case. I will be responsible for actions/notes that I have not performed with a patient that I have no care relation to. If questions etc. arise I will not be able to answer what I meant with a note/action which affects patient safety/confidentiality and maybe the patients feeling of integrity Summary of results As can be seen from the results presented here, there are problems with how authentication methods are used in acute healthcare. The healthcare professionals are in many cases not authenticating to medical record systems as they should, 41

42 many of them experience problems with the methods they use, and they have concerns about the way they use authentication methods. 42

43 4. Discussion 4.1. The research questions The survey produced results that were in many ways relevant for the research questions. Under the following sub-sections each of the three research questions will be discussed separately Are HCPs in acute healthcare using authentication methods as they are intended to be used? The practice of sharing credentials seemed quite rare among the participants with 91 % saying that they did not know anyone else's credentials and 88 % saying that no one else should have known theirs. This can be put into some kind of context by the observations of Koppel et al. (34) where password sharing seemed to be the norm and sticky notes with passwords were found in most clinics they visited. However, it should be noted that the credentials of about every tenth participant in the sample was known by someone who was not the owner and person responsible for what could be done using that credential. In retrospect, maybe an additional question should have been asked here how often do you share your credentials?. This could have been useful since the questions asked in the questionnaire were dependent on the participants memory and estimation of their colleagues abilities to remember passwords. However, it can be inferred from the answers to these questions in combination with how common the practice of using someone else's login was that accounts were probably often shared by users not signing out or by users handing over access to a computer where they were already logged in, and not by users giving away their credentials. Comments validating this claim were commonly submitted in the free text answers. The amount of participants who reported that they sometimes need to read information using someone else's account or that someone else needs to do this using their accounts was very high (58 % respectively 67 %). The observation of a difference in this need, between physicians and the other professions, can probably be explained by differences in work flows. Physicians are more likely to be called in for a consultation or quick procedure, while the nurses are often more statically assigned to the patient. The practice of using someone else's account to enter information in an EMR system was less common than that of using it for reading, which seems reasonable. However, it is still very high, especially considering that traceability is 43

44 explicitly mentioned in the Patient Data Act. Twenty-eight percent of participants said that they are sometimes entering information using someone else's account and between 30 % and 42 % (depending on how we interpret the response "I do not know") said that others are sometimes using their accounts to enter information. All in all, it seems that the indications from previous studies (21-23), that there are problems with the way that authentication is handled by HCP in their daily work, are validated by this study. HCPs share passwords to some extent, and they use each other s accounts both to read and enter information into computer systems. The effectiveness of authentication in acute healthcare seems rather poor. Many times the person performing an action in an IT-system is not the person who authenticated to the system. This raises the question if the log review that health care providers are by law obligated to perform is really accomplishing what it intends to. One can also wonder if the individualistic approach to access control is really suitable to the work flows of acute health care Which are the main problems that the HCPs experience with current authentication methods? The amount of participants who said they experienced problems with the authentication methods they used in their work place was 58 %. An observation in the results regarding experience of problems with authentication methods was that the number of participants who reported that they experienced problems with authentication methods was increasing with every step of self-reported computer skills. This was probably due to both increased usage, and to increased awareness in the groups where experienced problem were more common. One could therefore argue that the actual problems with authentication methods may be greater than what the 42 % who reported that they did not experience any problems may lead us to believe. Some of the problems the participants experienced were rather expected. The top category identified in the content analysis was that logging in took too much time, and the second most occurring was that there were too many credentials to keep track of. A more surprising and interesting problem, that points towards an unwelcome side effect of the implementation of smart cards, was that some participants experience a problem in that the cards are used for many different purposes. That it was not 44

45 possible for them to comply with the practice of always taking the card out of the computer when they leave it. Another unexpected finding was that there were plenty of participants that reported that there was a lack of an automatic logoff procedure. This seems like something that should be implemented as a standard security measure. A lot of different reasons with the common goal of saving time were common explanations for the need to use colleagues accounts to read information. The amount of comments that explicitly mentioned the acuteness of the situation as a reason was about equally common to comments that expressed the reason in more general terms of saving time. This could be a matter of the participants expressing themselves in different ways, but it may be important to think about the possibility that habituation may take place. If you consider something to be acceptable under certain circumstances, you may later on find that you consider the same thing to be acceptable under totally different circumstances. In the comments regarding writing information using someone else s account it was also common to mention saving time as a reason. It was however also common to say that it happened by mistake, or that working as a team made it necessary or reasonable to use just one account. Other comments that should be noted are the ones mentioning lack of computers and technical problems as reasons for using others accounts. When it comes to these two types of comments one cannot do much else than conclude that finding a workaround by asking to use someone else s account seems like the only way to go for someone who needs to get work done. It should be mentioned in this context that according to the report E-hälsa i landstingen from 2014 by the SLIT-group, the rate of computers in healthcare is about one user per computer (35). So the lack of access to computers reported may be an indication to that resource allocation or office space planning needs to be looked into What concerns do HCPs have about possible problems due to the way authentication methods are used? When it came to having someone else use your account, it is interesting to note that physicians were less likely than nurses to consider this a danger. This is probably because physicians are higher in the hierarchy and have more permissions (since they have the full medical responsibility of the patient). Another possible reason is that a physician can more easily explain why she had a reason to read something in case of a review. It is, after all, part of their work to be consulted by co-workers; but for a nurse to explain why he has been reading a 45

46 surgical note in the medical record of a patient that he did not care for may be more difficult. Something else that should be noted, is that 23% of the participants did not consider letting someone else use their accounts for reading a danger. It may be that the most common situation for letting someone use your account is when you are asked to let them and then remain present for the time that they use it. If this is not the case there is definitely a need for general security awareness training. It was more common to consider it a danger if someone else was using your credentials for entering information, however, nine percent of the participants did not see a danger with this. Again, it seemed more common for physicians to have the opinion that this was not a danger. It is also interesting to note how this question was interpreted, since the response that you may become responsible for something you have or have not done was a lot more common than that patient safety and lost traceability was at risk. Regarding the theories presented in chapter 1.4, it seems that neither the deterrence theory nor the theory of planned behavior are very good predictors for compliance in this case. The participants acknowledge the principles behind the theories in their answers, but their behavior seems, in many cases, to be unaffected. The suggestion that emotional and moral factors are important (10) may be correct. However not for predicting compliance, but rather the opposite, by providing justification that it is acceptable to put patient safety before good information security practice The results in comparison to previous studies There were both similarities and differences in the results of this survey compared to the studies mentioned in the background. For example, the practice of documenting work using someone else s account was a lot less common in this survey than it was in the study by Faxvaag et al. (21). They found that 21 % documented using someone else s account half of the time or more, while only six percent of the participants in this study did this once a month of more often. The Faxvaag et al. study is four years old and a lot has probably happened in these four years when it comes to education and information about the laws governing patient data and the log reviews conducted to maintain this law. Also, the situation may be different between Norway and Sweden. 46

47 Compared to the observations of Åhlfeldt and Ask (22), this survey shows both similarities and differences. Just as can be seen in the results of the survey they observed that users complained about the time the login procedure takes, and that user left their computers unguarded while being logged in, and that they let colleagues use computers that they were logged into. However, their conclusion was that users do not understand why logon procedures and authority control systems exist, while my results show that the HCPs are rather well aware of the problems but that they find it impossible to use authentication as intended due to the work that they need to perform. Cazer and Dawn also concluded that healthcare users were not very security savvy, and that they were unaware of what ramifications a password breach would have (36). Their proposed solution was the implementation of stricter password policies and more security awareness training. However, neither of these seems to be proper solutions in the light of my survey, since the users here did show rather good knowledge about the problems but still used their credentials in ways that are less than optimal and in ways that a password policy will not affect The method There are several aspects to discuss regarding the methods used for data collection in this thesis. One being the selection of participants. It was realized early on that in order to get truthful answers (or even answers at all) the survey had to be distributed in the right way. After all, the survey dealt with questions that could be perceived as sensitive by the participants. We asked them about their behaviors in information security practices; practices that are governed by policies, and practices that could be seen as violations to workplace rules if they are not adhered to. In discussions between the author and the supervisors and the group of experts from MSB it was decided that the right way was to establish contact with managers of acute clinics, and ask them to reach out to their employees. The basis for this decision was the experience from previous surveys conducted by the experts. This approach did of course come with some negative side effects. The managers can possibly have selected the employees that they believed were most interested in the survey. There were a few indications of this in the answers we got from the managers, as shown in the quotes below. This could be worth participating in, it seems to be no big work load. Grateful if you forward this to suitable co-workers and with deadline in a week I will send this forward to suitable employees and hope that they participate!! 47

48 Another possible source of bias is which managers that decided that their employees should participate. It is possible managers who saw information security as important were more inclined to forward the survey to their employees. Even though the method of selection was not perfect, it was decided that it was the best possible one for the project. The ideal situation would of course be to have a randomized sample; but there was no database were we could find all the people who work at acute clinics; and the secretaries of the hospitals could not provide us with this information. Even if there had there been a database where we could get contact information for employees in acute healthcare, it may still not have been the ideal way to reach the participants. The sensitive nature of the survey had most likely resulted in a low rate of answers if we had distributed the survey directly to physicians and nurses. This was at least the opinion of the experts during the workshop. When it comes to bias in the actual sample of participants it is possible that the ones who had an interest in the topic or who were just more law abiding were the ones who took the time to answer the survey. Another form of bias that needs to be addressed here is recollection bias. People are likely to underreport their own behavior in surveys when sensitive questions are asked (27), and many of the questions of this survey can definitely be categorized as being sensitive. The sum of these possible biases is that the problems and misbehaviors identified in the results of the survey are likely occurring more often in the population than in the sample, due to underreporting and to non-response bias of the people who can be assumed to misbehave the most. It should at least be safe to assume that the situation in the population is not better than what the results show The participants As can be seen in the first subsection of the results chapter, the participants of the study represent various categories of HCPs in regard to geographic location, age (with the exception of people under 25 years of age), profession and computer literacy. The distribution of participants in regard to computer skills indicate that the aforementioned possible selection bias towards HCPs with an interest in the topic of the survey may not be an actuality. Most of the participants said that they use IT at work and for online e-services for personal use. 48

49 About 70 % of the participants said that they had been informed about rules regarding how to handle their login information and about 70 % of the ones who had, said that they would be able to account for most of the rules if they were asked. Having 50 % of the participants being well informed about the policy could suggest that the sample is representing the population quite well. Information Security Awareness and knowledge about an organizations specific policies are factors connected to compliance with good information security practice (10) Implications of the results Authentication is, as mentioned in the beginning the basis for access control. It is what ties the identity of the actions in an IT-system to an actual person. Without properly used authentication methods we do not have functional access control. We can work all we want on fine tuning access logging, creating dynamic access control rules, and writing strict information security policies, but if the identities of the users are not correctly logged this is not of much use. The patient confidentiality is maintained primarily by the log reviews, and these reviews are based on the assumption that logging is correct and that the person whose account were used to access (or input) information belongs to the person who actually was seated in front of the computer at the time the information was accessed. As can be seen in the results of this study many of the participants use their colleagues accounts to access information in EMRs, and some also to enter information. Thus, it can be questioned if the reviews really are producing what they are intended to. The solution to the problems described here may be as simple as providing the acute health care professionals with more computers or maybe a personal mobile solution to EMR access. Many participants pointed to the time it takes to log in as a problem; a device in their pockets constantly logged in ready to pick up and unlock for access could probably solve most of the issues described here; but may also introduce new ones. The intended design goal is as we remember by now not always the result. Or maybe we need to pose the question if a standardized security method with an individualistic approach to authenticating the users is not the best fit for the environment. In a collaborative environment like the one described in this thesis, users will probably regardless of the solution, authorize and grant each other access to information in ways that cannot be logged by a system. 49

50 4.6. Suggestions for future work on the topic A possibly interesting study building upon the results from this thesis could be to compare answers from different types of healthcare environments or even environments outside of healthcare. This would further clarify if there are significant differences on the demands that workflow puts on authentication methods. A very specific thing that should be looked into is why as many as 23% of the participants do not see a problem with someone else using their accounts to read information, and as many as 9% do not see a problem with having someone write using their account. The problems with authentication in acute healthcare described in this thesis are serious, and finding solutions to the problems is an important future research topic. A technical solution like the one proposed on the previous section, using mobile devices, would likely put new demands on the IT-infrastructure as well as the work flows of the acute health care professionals and thus be material for a lot of research before it could and should be implemented. A solution of collaborative authentication seems to be more of a fundamental information security principle challenge, but still maybe something that could be researched? 50

51 5. Conclusion The results from the survey show that there are problems to be dealt with in how HCPs in acute healthcare use authentication methods. The problems seem to be due to conflicts in the way the work must be done and the way that the authentication methods are disruptive to this. There were positive things in the results, like that it is not very common to share credentials with colleagues. However, there were also alarming things like that they still manage to use each other s accounts for both reading and entering information in EMRs frequently, thus making the access logging more difficult to interpret. With more than half of the participants experiencing problems with the authentication methods it seems that this is something to take seriously and that new solutions must be found, or that the existing ones must be adjusted to fit the environment better. The implementation of smart card solutions may have solved some problems, but also introduced new ones. Such as, users forgetting the cards or leaving them in the computers on purpose to keep them from being used by others. The concerns of the HCPs regarding the problems they experience with authentication methods were primarily about problems that they may face in case of reviews and of patient confidentiality. However, it was surprising to see that many participants did not see any dangers with sharing their accounts. The health informatics community should be able to conclude from this thesis that security mechanisms used in healthcare is a topic worth considering in future research. 51

52 6. References 1. Heckle RR, Lutters WG. Tensions of network security and collaborative work practice: Understanding a single sign-on deployment in a regional hospital. Int J Med Inform. 2011;80(8): SFS:2008:335 Patientdatalagen. Stockholm: Socialdepartementet. 3. SOSFS 2008:14: Socialstyrelsens föreskrifter om informationshantering och journalföring i hälso- och sjukvården. Stockholm: Socialstyrelsen. 4. Bishop M. The Basic Components. In Bishop M. An Overview of Computer Security. Boston: Pearson; p Bishop M. Hybrid Policies. In Bishop M. Introduction to Computer Security. Boston: Pearson; p Röstad L. Access Control in Healthcare Trondheim: Norwegian University of Science and Technology; Ferreira A, CCR, Antunes L, FP, Oliveira-Palhares E, CDW, et al. How to break access control in a controlled manner. CBMS. 2006: Jones E. [Online].; 2009 [cited 2015 February 06. Available from: 9. Bishop M. Authentication. In Bishop M. Introduction to Computer Security. Boston: Pearson; p Sommestad T, Hallberg J, Lundholm K, Bengtsson J. Variables influencing information security policy compliance - A systematic review of quantitative studies. IMCS. 2014;22(1): Bishop M. Security Policies. In Bishop M. Introduction to Computer Security. Boston: Pearson; p D'Arcy J, Herath T. A review and analysis of deterrence theory in the IS security literature: making sense of the disparate findings. Eur J Inf Syst Nov;20(6): Ajzen I. The Theory of Planned Behavior. Organ Behav Hum Decis Process. 1991;50(2): Cresswell KM, Sheikh A. Undertaking sociotechnical evaluations of Health Information technologies. Inform Prim Care. 2014;21(2): Baxter G, Rooksby J. Health and Social Care. In LSCITS Socio-Technical Systems Engineering Handbook. St Andrews: University of St Andrews; Baker WH, Wallace L. Is Information Security Under Control? Investigating Quality in Information Security Management. IEEE Secur Priv Jan;5(1): Appari A, Johnson ME. Information security and privacy in healthcare: current state of research. IJIEM. 2010;6(4):

53 18. Berg M. Patient care information systems and health care work: a sociotechnical approach. Int J Med Inform. 1999;55(2): Scott PJ, S BJ. STAT-HI: A Socio-Technical Assessment Tool for Health Informatics Implementations. Open Med Inform J. 2010: p Komanduri S, Shay R, Gage Kelley P, Mazurek ML. Of Passwords and People: Measuring the Effect of Password-Composition Policies. CHI Conf Proc. 2010: Faxvaag A, Johansen TS, Heimly V, Melby L, Grimsmo A. Healthcare Professionals' Experiences With EHR-System Access Control Mechanisms. Stud Health Technol Inform. 2011;169: Åhfeldt RM, Ask L. Information Security in Electronic Medical Records: A Case Study with the User in Focus. In Khosrow-Pour M, editor. Innovations Through Information Technology. Hershey, PA: Information Resources Management Association; p Deursen Nv, Buchanan WJ, Duff A. Monitoring information security risks within health care. Comput Secur. 2013;37: Zhao X, Johnson E. Information Governance: Flexibility and Control through Escalation and Incentives. In WEIS; Brender J. Questionnaires. In Brender J. Handbook of Evaluation Methods for Health Informatics. Amsterdam: Elsevier; p Silic M, Back A. Information security Critical review and future directions for Research. IMCS. 2014;22(3): Tourangeau R, Yan T. Sensitive questions in surveys. Psychol. Bull. 2007;133(5): Meho LI. Interviewing in Qualitative Research: A Methodological Discussion. J Am Soc Inf Sci Technol. 2006: p Jansen H. The Logic of Qualitative Survey Research and its Position in the Field of Social Research Methods. Forum Qual Soc Res. 2010;11(2). 30. Lövtrup M. Nu vill alla sjukhus ha akutläkare. Läkartidningen Apr;112: Stemler S. An overview of content analysis. PARE. 2001;17(7): Zhang Y, Wildenmuth BM. Qualitative Analysis of Content. In Wildenmuth BM. APPLICATIONS OF SOCIAL RESEARCH METHODS TO QUESTIONS IN INFORMATION AND LIBRARY SCIENCE. Westport, Conn: Libraries Unlimited; p McDonald JH. Handbook of Biological Statistics Baltimore: Sparky House Publishing; Koppel R, Smith S, Blythe J, Kothari V. Work arounds to computer access in Health Care organizations: You want my password or a dead patient? Stud Health Technol Inform. 2014;208:

54 35. Jerlvall L, Pehrsson T. E-hälsa i landstingen SLIT [Online].; 2014 [cited Available from: Cazier J, Dawn M. How secure is your information system? An investigation into actual healthcare worker password practices. Perspect Health Inf Manag Sep; 8(3). 54

55 7. Appendices 55

56 Appendix A Letter to the participants 56

57 Appendix B Letter to the managers Hej %NAMN%. Jag heter Tom Andersson och arbetar som analytiker på Myndigheten för samhällsskydd och beredskap (MSB). Vi har bland annat till uppgift att stödja organisationer i deras säkerhetsarbete. Under våren 2015 samverkar vi med Karolinska institutet (KI). Vi genomför en studie av inloggningsrutiner för it-system i akutsjukvården. Det sker i form av ett examensarbete på KI. Målet är att belysa vikten av verksamhetsanpassade säkerhetssystem. Det är viktigt för såväl arbetsmiljö som patientsäkerhet. Akutsjukvård är i fokus eftersom verksamheten ställer höga krav på effektiv informationshantering. För ändamålet hoppas vi på din medverkan. I korthet skulle den innebära att du ber några medarbetare, förslagsvis tre, att svara på en kort webbenkät. För testpersoner har det tagit mellan 3 och 5 minuter att fylla i enkäten. Vi vänder oss till läkare, sjuksköterskor och undersköterskor i akutsjukvården. Det är givetvis frivilligt att delta. Alla svar är anonyma. Inga person- eller organisationsuppgifter samlas in. Inte heller några digitala adresser. Länk till webbenkäten: Länken skickas till medarbetarna. Ett informationsbrev bifogas. Det förklarar syftet. Vidare bifogas en pdf-fil med enkäten för att du som chef ska kunna granska den innan du skickar något vidare. I fall studien väcker frågor svarar vi mer än gärna på mejl eller telefon. Gustaf Claesson är masterstudent på KI som svarar på praktiska frågor. Huvudhandledare är professor Sabine Kock vid KI. Jag själv är biträdande handledare. Kontaktuppgifter: Gustaf Claesson: [email protected], Sabine Koch: [email protected], Mina uppgifter finner du nedan. Om du önskar skickar vi masteruppsatsen när den är klar (juni 2015). Vänligen meddela mig. Vänliga hälsningar Tom Andersson, Senior analytiker 57

58 Appendix C Follow up letter to the managers Hej %NAMN%. Jag heter Tom Andersson, analytiker på Myndigheten för samhällsskydd och beredskap (MSB). Det här brevet är en uppföljning på ett tidigare brev som du ska ha fått angående en undersökning som MSB och Karolinska institutet (KI) genomför i samverkan. Eftersom vi inte kontrollerar vem som deltar i undersökningen skickar vi ett uppföljande brev till chefer i akutsjukvården som vi inte har haft någon kontakt med. I fall du redan har delgett information till medarbetare, eller bestämt dig för att inte medverka, ber vi dig att bortse från detta brev. Inga fler brev kommer att skickas ut i ärendet. MSB har bland annat till uppgift att stödja organisationer i deras säkerhetsarbete. Under våren 2015 samverkar vi med KI. Vi genomför en studie av inloggningsrutiner för it-system i akutsjukvården. Det sker i form av ett examensarbete på KI. Målet är att belysa vikten av verksamhetsanpassade säkerhetssystem. Det är viktigt för såväl arbetsmiljö som patientsäkerhet. Akutsjukvård är i fokus eftersom verksamheten ställer höga krav på effektiv informationshantering. För ändamålet hoppas vi på din medverkan. I korthet skulle den innebära att du ber några medarbetare, förslagsvis tre, att svara på en kort webbenkät. För testpersoner har det tagit mellan 3 och 5 minuter att fylla i enkäten. Vi vänder oss till läkare, sjuksköterskor och undersköterskor i akutsjukvården. Det är givetvis frivilligt att delta. Alla svar är anonyma. Inga person- eller organisationsuppgifter samlas in. Inte heller några digitala adresser. Länk till webbenkäten: Länken skickas till medarbetarna. Ett informationsbrev bifogas. Det förklarar syftet. Vidare bifogas en pdf-fil med enkäten för att du som chef ska kunna granska den innan du skickar något vidare. I fall studien väcker frågor svarar vi mer än gärna på mejl eller telefon. Gustaf Claesson är masterstudent på KI som svarar på praktiska frågor. Huvudhandledare är professor Sabine Kock vid KI. Jag själv är biträdande handledare. Kontaktuppgifter: Gustaf Claesson: [email protected], XXX XXX XX XX Sabine Koch: [email protected],, XXX XXX XX XX Mina uppgifter finner du nedan. Om du önskar skickar vi masteruppsatsen när den är klar (juni 2015). Vänligen meddela mig. Vänliga hälsningar Tom Andersson, Senior analytiker, XXX XXX XX XX 58

59 Appendix D Survey introduction page It-säkerhet i akutsjukvård Denna undersökning genomförs av Karolinska institutet i samverkan med Myndigheten för samhällsskydd och beredskap. Syftet är att utvärdera hur inloggning i ITsystem fungerar i akutsjukvården med utgångspunkt i dina upplevelser som yrkesverksam. Med inloggning menar vi hur du identifierar dig på en dator eller i ett ITsystem. Exempelvis, du anger ett användarnamn och ett lösenord, eller du sätter ett kort i en läsare och anger ett PIN (kod). Det är frivilligt att delta. Du svarar anonymt på enkäten. Inga person eller organisationsuppgifter kommer att registreras. Vi kommer heller inte försöka knyta några resultat till enskilda personer, arbetsplatser eller organisationer. Alla frågor avser din erfarenhet från din nuvarande arbetsplats. Enkäten tar 3 till 5 minuter att besvara. Enkäten är uppdelad i sidor. När du är klar med en sida klickar du på knappen "Nästa" längst ner på sidan. På sista sidan måste du klicka på knppen "Klar" för att dina svar ska registreras. Tack på förhand! Gustaf Claesson, masterstudent, KI Tom Andersson, senior analytiker, MSB Sabine Koch, professor, KI Epost: [email protected] 59

60 Appendix E The survey results QUESTION 1 Which of the following methods for authentication do you use? n=89 Answer Percentage Number Username + Pasword 82,0% 73 HSAID + Password 23,6% 21 SITHS-card+ PIN 77,5% 69 Smartcard + PIN 0,0% 0 Other methods 6,7% 6 Free text answers to the choice Other methods Log in using only user name to input information in the ambulance. Log in using personal number in systems that do not contain sensitive information Shared login with username and password HSAID + RSA code generator (for remote login) E-service card and password (of at least eight characters) I have to login many times a day using username and password in many different systems QUESTION 2 Do you experience any problems with the methods you use for logging in? n=89 Answer Percentage Number Yes 58,4% 52 No 41,6% 37 QUESTION 3 Kindly describe the problems that you experience with todays methods for logging in. n=49 Word frequency analysis for question about what problems the participants face with authentication methods. Word Number of answers that contain the word Percentage of answers that contain the word Card 15 30,6% 60

61 Password 12 24,5% Come 12 24,5% Card in computer 12 24,5% Much time 10 20,4% Categories of problems participants experienced with authentication methods Number of answers coded with the Category category Logging in takes too much time 21 There are too many different credentials to keep track of 14 I forget to take my card out of the computer 9 It is problematic that the card has multiple functions (log in to computer, open doors, use printer etc.) 8 There is no automatic log off feature 6 There are technical problems with the card readers 6 The passwords expire to often 3 Passwords are easily forgotten 2 The password policy makes me write the password down 1 The password policy makes me chose weak passwords 1 QUESTION 4 Have you at any time been given information about rules governing the use of login information? n=86 Answer Percentage Number Yes 70,9% 61 No 20,9% 18 I do not know 8,1% 7 QUESTION 5 If a new colleague would ask you about the rules, would you be able to account for them? n=61 Answer Percentage Number Yes, completely 16,4% 10 Yes, for the most part 54,1% 33 Yes, to some extent 23,0% 14 No 6,6% 4 61

62 QUESTION 6 How often is it necessary for you to read information in an EMR using someone else's account? n=85 Answer Percentage Number Daily 14,1% 12 At least once a week 16,5% 14 At least once a month 7,1% 6 Less often 21,2% 18 Never 41,2% 35 QUESTION 7 State the most importatn reason why you need to use someone else's account to read information in an EMR. n=45 Word frequency analysis for question about reasons why participants need to read information using someone else s login Number of answers that contain the word Percentage of answers that contain the word Word Logged in 14 31,1% Patient 11 24,4% Log 11 24,4% Time 8 17,8% Acute situations 5 11,1% Categories of reasons why participants need to read information using someone else s login Number of answers coded with the Category category The computer is already logged in with another account 15 It saves time due to convenience 14 It saves time since the acuteness of the situation demands it 13 I have forgotten/left my card in another computer 8 There is a lack of computers 8 There are technical problems with my login 5 62

63 We work as a team and only one person can/needs be logged in 4 A colleague asks for my opinion 3 The password expired 2 QUESTION 8 How often does a colleague of your use your account to read information in an EMR? n=82 Answer Percentage Number Daily 13,4% 11 At least once a week 20,7% 17 At least once a month 13,4% 11 Less often 19,5% 16 Never 23,2% 19 I do not know 9,8% 8 QUESTION 9 Can you see any dangers with a colleague of yours using your account to read information in an EMR? n=85 Answer Percentage Number Yes 76,5% 65 No 23,5% 20 QUESTION 10 State the greatest danger that you see with a colleague using your account to read information in an EMR. Word frequency analysis of the dangers with colleagues using the participants credentials to read information Number of answers that contain the word Percentage of answers that contain the word Word Medical records 19 30,7% Logged 13 21,0% Patient 13 21,0% Confidentiality 11 17,7% Colleague 7 11,3% 63

64 Categories of the dangers participants see with colleagues using the their accounts to read information Number of answers coded with the Category category I may get in trouble after a log review 30 There are confidentiality problems 26 Someone may use a computer for something that is not allowed 6 Someone may forget that the login is borrowed and take action or document in my name 5 I may get into legal problems 5 I am responsible for what is done 5 I have no control for what is done in my name 2 Traceability is broken 2 Patient safety is at risk 2 Mistakes that are made are logged on me 1 Prescriptions may be done in my name 1 Patients may get hold of my name in the logs 1 QUESTION 11 How often is it necessary for you to make notes in an EMR using someone else's account? n=85 Answer Percentage Number Daily 0,0% 0 At least once a week 4,7% 4 At least once a month 1,2% 1 Less often 22,4% 19 Never 71,8% 61 QUESTION 12 State the most important reason why you need to use a colleagues account to make notes in an EMR. n=20 Categories of reasons why participants need to make notes using someone else s login Category Number of answers coded with the category 64

65 It saves time due to convenience 6 I do it by mistake 5 We work as a team and only one person can/needs be logged in 4 There are technical problems with my login 4 It saves time since the acuteness of the situation demands it 2 QUESTION 13 How often does a colleague of yours use your account to make notes in an EMR? n=84 Answer Percentage Number Daily 0,0% 0 At least once a week 6,0% 5 At least once a month 3,6% 3 Less often 21,4% 18 Never 58,3% 49 I do not know 10,7% 9 QUESTION 14 Can you see any dangers with a colleague using your account to make notes in an EMR? n=85 Answer Percentage Number Yes 90,6% 77 No 9,4% 8 QUESTION 15 State the greatest danger you can see with a colleague using your account to make notes in an EMR. n=70 Word frequency analysis of the dangers with colleagues using the participants credentials to make notes in an EMR Percentage of answers that contain the word Number of answers that contain the word Number of answers that contain the word The note 19 27,1% Responsible 12 17,1% 65

66 Stand 12 17,1% Name 11 15,7% Writes 9 12,9% Categories of the dangers participants see with colleagues using the their accounts to make notes in an EMR Number of answers coded with the Category category I may become responsible for things (ordinations, treatments etc.) that I have not performed 29 Traceability is lost 11 Confidentiality problem 10 Things written in my journal that I cannot stand for quality or content wise 7 Information may be wrong and I cannot correct it since I do not know 5 Patient safety is at risk 5 QUESTION 16 How many of your colleagues may know your login credentials? n=84 Answer Percentage Number None 90,5% 76 Only one 4,8% 4 Between two and five 0,0% 0 More than five 0,0% 0 I do not know 4,8% 4 QUESTION 17 How many of your colleagues login credentials do you know? n=84 Answer Percentage Number None 88,1% 74 Only one 7,1% 6 Between two and five 3,6% 3 More than five 1,2% 1 QUESTION 18 66

67 Which age group to you belong in? n=82 Answer Percentage Number Under 25 2,4% 2 Between 25 and 45 62,2% 51 Over 45 35,4% 29 QUESTION 19 In what part of Sweden do you primarily work? n=82 Answer Percentage Number Northern Sweden (Norrbotten, Västerbotten, Västernorrland, Jämtland, Dalarna, Gävleborg) 9,8% 8 Middle Sweden (Uppsala, Västmanland, Stockholm, Södermanland, Örebro, Värmland) 24,4% 20 Southern Sweden (Östergötland, Gotland, Kronoberg, Jönköping, Kalmar, Blekinge, Västra Götaland, Halland, Skåne) 65,9% 54 QUESTION 20 Which of the following statements describes you the best? n=82 Answer Percentage Number I only use computers at work 6,1% 5 I use computers at work, but also for personal use. Then I use computer, smartphones or tablets for accessing e- services on line 50,0% 41 I use computers at work, but also for personal use. I use e- services, but I can also install software on my own computer. 26,8% 22 I have an interest for IT, and can manage an operating system and configure advanced software. 17,1% 14 QUESTION 21 Which is your current profession? n=83 Answer Percentage Number Physician 24,1% 20 Nurse 55,4% 46 67

68 Assistant nurse 10,8% 9 Other 9,6% 8 Free text answers to other: Medical administrator Manager IT-administrator and nurse Manager Manager Programmer (and nurse) Manager Care coordinator Manager 68