Secure Password Policies for Your Medical Practice

HIPAA §164.308(a)(5)(ii)(D) requires you to establish effective, documented password policies. Here's how.

Poor Password Security Can Lead to Breaches and HIPAA Fines

No one likes passwords. They seem designed the flaunt the fallibility of human memory. But strong passwords may be the only thing protecting your patients' sensitive data from cybercriminals.

Here are some cybersecurity best practices you should document in your HIPAA policies and procedures manual.

#1: Unshared and Unwritten

It's absolutely essential that every member of your staff has their own credentials for every IT service you use at work. Sharing accounts and passwords is expressly prohibited by HIPAA. And your policy should prohibit writing passwords down where they are easy to find.

#2: Passphrases are Harder to Guess

You're probably accustomed to software that requires passwords with eight mixed-case characters plus at least one numeral or special character. That's a start but it still allows guessable passwords like summer16! or TrustNo1 (the 25th most popular password of 2015).

Instead of passwords, your policy should encourage staff to think of passphrases, five or six words that paint an easy-to-remember picture, say All cats sleep soundly in sunbeams.

Just don't use that.

#3: Prohibit Password Recycling

It doesn't matter how complex or secure your passphrase is if it was leaked in a third-party data breach. Your patient data can be easily exposed to cybercriminals if your employees use the same password on your EHR as they used on Yahoo or MySpace of any of the dozens of other big services whose password files were hacked and published. Your policy should require that staff select passwords that they've never used on any outside service.

#4: Utilize a Password Manager

Secure password management is easier than ever, as it is possible to save your passwords in encrypted software. Password management software means no more sticky notes concealed beneath the keyboard, no excel spreadsheet saved right to your desktop. It takes these forms of password cataloging and moves them behind a lock protected with a master key—the only passphrase you need to remember.

What About Periodic Password Changes?

Nothing frustrates a user more than making them change their passwords every 30 or 90 days. Does it really improve cybersecurity? Recent research suggests that password security changes may do more harm than good. Your risk assessment should evaluate the pros and cons before you impose burdensome requirements on your users.