Having strong passwords is critical for maintaining personal privacy as well as HIPAA compliance. Hackers view cracking passwords as we might view solving a crossword puzzle. It’s fun and, in their case, it may lead to a pot of gold – your personal, patient or practice data.
Earlier this fall, my Facebook account was hacked. What an eerie feeling! In case you’re wondering, I did not have a simple password. It was eleven alphanumeric characters, with special characters and capital letters. Unfortunately, with ads on the Internet like “100+ Hacking Tools to Become a Powerful Hacker” nothing is completely “unhackable.” Your only hope of staying one step ahead of hackers is to create strong passwords and change them regularly.
Section 164.308(a)(5)(ii)(D) of the Security Rule relates to Password Management. This particular Implementation Specification is an “addressable” item, not a “required” item. “Addressable” means we need to comply with it somehow, but we have slightly more leeway than with something that’s required. Ultimately, as a covered entity, you must implement reasonable and appropriate safeguards for “procedures for creating, changing, and safeguarding passwords.”
In many offices, the entire staff uses the same user ID and password to log on to Windows or the Internet. However, Section 164.312(a)(2)(i) of the HIPAA Security Rule requires covered entities to assign a unique name and/or number for identifying and tracking user identity. That isn’t achievable unless each member of your team has an individual login when accessing electronic patient records; a shared account leaves no audit trail of who viewed or changed a record.
In addition to requiring a password for access to patient data, entities must ensure that workforce members are trained on how to safeguard the information. Covered entities must train all users and establish guidelines for creating strong passwords and changing them regularly.
Consider these tips when creating or updating passwords:
- The longer the better; short passwords are easily guessed.
- Passwords should be unrelated to your personal information, so nix birth dates, family names, pet names and other information readily available about you on the Internet.
- Use a combination of letters, numbers, and symbols in a random order. One of the first password “rules” I learned was to create a long sentence and use the first letter of each word. Nowadays, you’d want to sprinkle that sentence with a combination of numbers, symbols and capital letters, making it harder to crack.
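The three tips above can be turned into a simple policy check that an office could run when staff choose new passwords. The following is an added example written for this post, not code from the original article; the 12-character minimum, the personal-information list and the sample sentence are assumptions chosen for illustration. It also shows the “first letter of each word” technique from the last tip, so you can see how a memorable sentence becomes a password that passes the other two checks.

```python
import string

# Minimum length for this example policy. This figure is an assumption for the
# example, not a number stated in the post; longer is better.
MIN_LENGTH = 12


def contains_personal_info(password, personal_terms):
    """Return the personal terms (names, dates, pets) found inside the password.

    The comparison is case-insensitive, and very short terms (under 3 characters)
    are ignored so that single letters do not produce false alarms.
    """
    lowered = password.lower()
    return [t for t in personal_terms if len(t) >= 3 and t.lower() in lowered]


def character_classes(password):
    """Return the set of character classes present: lower, upper, digit, symbol."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
    return classes


def check_password(password, personal_terms):
    """Apply the three tips and return a list of problems (empty means it passes)."""
    problems = []
    # Tip 1: the longer the better.
    if len(password) < MIN_LENGTH:
        problems.append(f"too short ({len(password)} < {MIN_LENGTH})")
    # Tip 2: nothing that is readily available about you.
    found = contains_personal_info(password, personal_terms)
    if found:
        problems.append("contains personal information: " + ", ".join(found))
    # Tip 3: mix letters, numbers and symbols; require at least three classes.
    classes = character_classes(password)
    if len(classes) < 3:
        present = ", ".join(sorted(classes)) or "no recognised"
        problems.append(f"uses only {present} characters; mix at least three classes")
    return problems


def passphrase_from_sentence(sentence):
    """Build a password from the first character of each word in a sentence.

    Digits and capitals in the sentence carry through; the sentence's final
    punctuation mark is kept so the result contains at least one symbol.
    """
    tokens = sentence.split()
    skeleton = "".join(tok[0] for tok in tokens)
    if tokens and tokens[-1][-1] in string.punctuation:
        skeleton += tokens[-1][-1]
    return skeleton


if __name__ == "__main__":
    # Constructed sample data: a hypothetical staff member's personal details.
    personal = ["Rex", "Smith", "1985", "Boston"]

    # A weak choice built from a pet name and a birth year.
    for problem in check_password("Rex1985", personal):
        print("Rex1985:", problem)

    # A memorable sentence turned into a password using the first-letter technique.
    sentence = "I drink 3 cups of Coffee every Morning, before 7 a.m. at my desk!"
    candidate = passphrase_from_sentence(sentence)
    print(candidate, "->", check_password(candidate, personal) or "passes all three checks")
```

The personal-information list is the important addition: length and character-class checks alone would accept a password such as a pet name followed by a birth year, which is exactly the kind of guessable value the second tip warns against. Run the check on the client side only as a training aid; the server should still store only a salted hash of whatever password is chosen.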
Don’t forget – HIPAA requires covered entities to provide periodic privacy and security reminders to their workforce (Security Rule 164.308(a)(5)(ii)(A)). Consider discussing passwords at your next staff meeting and document the discussion in your meeting minutes. You never know whose identity you might safeguard.