Doctor Who? Telephone order authentication challenges
Case: from an event reported to CHPSO
Dr. Smith hospitalized Mr. Jones, a diabetic with a right below-knee amputation, for treatment and assessment of continuing pain in the left leg. Two days later, Dr. Smith phoned the ward clerk with new orders for Jones. The clerk shared the orders with Jones’ nurse, who was puzzled by the orders: triple the current dose of morphine, ask Dr. Thomas to do a left below-knee amputation, and administer an enema. The nurse called back Dr. Smith to clarify. Dr. Smith denied ever giving such an order. The nurse then called the number that had been displayed on caller ID on the original call, and found that the number was not in service.
While rare, fake physician telephone orders occur, occasionally with catastrophic results. Some examples:
A teenager hacked into the paging system, intercepted doctors’ pages, and prescribed medications and minor procedures. (Davis & Jackman, 2000)
A nurse stole money from a patient then called in an insulin dose that put the patient in a coma. The patient died four days later. (Reich, 1986)
Patients received unnecessary enemas based on telephone orders from a lawyer, whose motives were unclear. (Bag ex-lawyer in enema hoax, 1990)
A woman, using a service to disguise both her voice and her phone number, ordered an abortifacient from a community pharmacy for her husband’s pregnant girlfriend, then called the girlfriend, persuading her to pick up and take the medication. (Parascandola, Jackson, & Schapiro, 2009)
Note that in the case received by CHPSO, the original caller impersonated an on-staff physician, knew the names of other physicians on staff, manipulated caller ID, and knew the patient’s personal information and medical history. This particular hospital, while requiring staff to verify a relative’s identity prior to releasing medical information, did not have a specific procedure to do so. The caller probably tricked staff into believing that he was a relative, and was able to obtain patient information prior to calling in the spoofed orders.
Different circumstances may warrant different procedures
A first step for risk reduction is to minimize the situations in which telephone orders are used. For hospitals with electronic health records, off-campus access to the system helps considerably. Telephone order policies should be reviewed to ensure that overuse of telephone orders is addressed.
Typically, telephone orders are used only when an inappropriate delay in treatment would occur if the hospital waited for the physician to have an opportunity to enter an order into the medical record him or herself. By the time the physician is available to authenticate the order, it probably will have been carried out already. Therefore, the authentication step should not be the sole safeguard against fake orders. For orders over the phone, hospitals should consider how to identify physicians to assure that the orders are legitimate. Caller ID cannot be used for validation, as the number can easily be faked. Likewise, telephone text messages cannot be used for orders, as it is impossible to verify the identity of the ordering person. (The Joint Commission, 2015)
Table: Examples of publicly known IDs, not useful for caller authentication

Identifier               Method of public access
medical license number   medical board web sites
DEA license number       seen by patients and others on prescriptions, also accessible in some on-line databases (e.g., LexisNexis RISKLB/HEACAR)
(identifier not given)   Federal Department of Health and Human Services web site
Unless the paging system is vulnerable to hacking, when a physician is paged and calls back in response, it is highly unlikely that someone else will be spoofing the physician. However, when an unsolicited call arrives from a physician, the physician’s identity may be in doubt. Hospitals should consider how staff identify physicians in that circumstance. There may be a hierarchy of tests. For example, the staff member may know the physician, and it would be sufficient to identify him or her by voice. For an unfamiliar caller, the staff member may ask for some non-public information to confirm the caller’s identity, such as the hospital-assigned physician ID. Another confirmation method would be to call the physician back using a phone number for the physician that is already in the hospital’s information system, which is how the hospital identified the problem in the case presented to CHPSO.
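The hierarchy of tests described above (page response, voice recognition, non-public hospital ID, callback to the number on file), together with the earlier point that caller ID cannot be used for validation, written out as a decision procedure. This is an added example, not part of the CHPSO article and not any hospital's actual procedure. The physician directory, the names, the hospital-assigned ID value and the phone numbers are constructed for illustration; the existence of a hospital-assigned physician ID and of a directory number in the hospital information system is assumed, as the text suggests.

```python
# Added example: telephone-order caller verification policy expressed as code.
# Directory contents, names, IDs and phone numbers below are constructed, not real.
import hmac
import re
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class Outcome(Enum):
    ACCEPT = "accept order"
    CALLBACK_REQUIRED = "call physician back at number on file"
    REJECT = "do not accept order"


@dataclass(frozen=True)
class PhysicianRecord:
    name: str
    hospital_id: str        # hospital-assigned, non-public identifier (assumed to exist)
    directory_phone: str    # number already in the hospital information system


@dataclass(frozen=True)
class InboundCall:
    claimed_name: str
    caller_id_number: Optional[str]             # whatever caller ID displayed; never trusted
    in_response_to_page: bool                   # physician returning a page placed by the hospital
    recognized_by_voice: bool                   # staff member personally knows the caller's voice
    stated_hospital_id: Optional[str] = None    # ID offered by the caller when asked
    reached_on_callback: Optional[bool] = None  # None = callback not yet attempted


def normalize_phone(number: str) -> str:
    """Keep digits only so '(555) 010-1234' and '5550101234' compare equal."""
    return re.sub(r"\D", "", number)


def callback_number(record: PhysicianRecord) -> str:
    """The number to dial is always the directory number, never the one shown by caller ID."""
    return record.directory_phone


def verify_caller(call: InboundCall, directory: Dict[str, PhysicianRecord]) -> Tuple[Outcome, str]:
    record = directory.get(call.claimed_name)
    if record is None:
        return Outcome.REJECT, "no physician of that name on staff"

    # 1. A physician calling back in answer to a hospital-initiated page is very unlikely to be spoofed.
    if call.in_response_to_page:
        return Outcome.ACCEPT, "call is a response to a page placed by the hospital"

    # 2. Unsolicited call: personal recognition by voice suffices when the staff member knows the physician.
    if call.recognized_by_voice:
        return Outcome.ACCEPT, "caller personally known to staff member"

    # 3. Otherwise ask for non-public information (the hospital-assigned physician ID).
    if call.stated_hospital_id is not None:
        if hmac.compare_digest(call.stated_hospital_id.encode(), record.hospital_id.encode()):
            return Outcome.ACCEPT, "hospital-assigned physician ID confirmed"
        return Outcome.REJECT, "hospital-assigned physician ID did not match"

    # 4. Call back at the number on file. Caller ID is deliberately not used as evidence:
    #    even a caller ID that matches the directory proves nothing, because it can be faked.
    note = ""
    if call.caller_id_number and normalize_phone(call.caller_id_number) == normalize_phone(record.directory_phone):
        note = " (caller ID matched the number on file, which is not evidence)"
    if call.reached_on_callback is None:
        return Outcome.CALLBACK_REQUIRED, f"call {callback_number(record)} from the directory{note}"
    if call.reached_on_callback:
        return Outcome.ACCEPT, "physician reached at number on file and confirmed the order"
    return Outcome.REJECT, "physician not reachable at number on file; order treated as unverified" + note


# Constructed directory for the worked scenario.
DIRECTORY = {"Dr. Smith": PhysicianRecord("Dr. Smith", "HOSP-4821", "555-010-1234")}


def newsletter_case(callback_result: Optional[bool] = None) -> Tuple[Outcome, str]:
    """The CHPSO case: unsolicited call, unfamiliar voice, caller ID shows the number on file."""
    call = InboundCall("Dr. Smith", caller_id_number="(555) 010-1234", in_response_to_page=False,
                       recognized_by_voice=False, reached_on_callback=callback_result)
    return verify_caller(call, DIRECTORY)


if __name__ == "__main__":
    for result in (None, False):
        outcome, reason = newsletter_case(result)
        print(f"{outcome.value}: {reason}")
```

Run as a script, the block walks the case twice: first the callback has not yet been made, so the only acceptable next step is to dial the directory number; then the callback fails to reach the physician, so the order is rejected. Note that the spoofed caller ID matching the number on file changes nothing in either run; the decision depends solely on who answers at the number the hospital already holds.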