Boost Password Acumen With Expert Insight
Hint: Don’t use the same password for your personal and office devices.
There’s no denying that the digital revolution has reshaped healthcare with products that boost efficiency, enhance care, and streamline administration. In fact, your practice probably utilizes mobile devices, electronic health records, and other high-tech tools every day. Despite its plethora of benefits, technology does have a downside: It must be managed and secured against myriad threats, both internal and external.
Your information technology (IT) staff is likely on top of things as varied as logging and monitoring network activity to managing patches and installing antivirus software. But even the strongest security measures aren’t always foolproof, and that can leave both your patients’ electronic protected health information (ePHI) and your business exposed and vulnerable. If you add heightened federal enforcement to the mix, you’ve got a recipe for disaster that can cost your practice big bucks.
Start With HIPAA Security Training
Comprehensive HIPAA security training for administrative staff and clinicians is a great place to start. A central piece of your organization’s compliance planning and overviews should include robust password protocols. It might sound simple, but strong password creation and controls are often overlooked or pushed to the wayside when accounts are set up and logins are established — despite being a quick and easy officewide security measure.
Here’s Why Usernames Are Usually Standard
Your organization’s usernames are likely straightforward, and there’s a good reason why. Formatting is essential to promote quick identification and assessment by IT staff.
“Usernames at work aren’t usually up to the individual; they’re set by the IT department and they usually follow a common standard such as ‘first_initial,’‘last_name,’ but you can take steps to keep your work username more secure by using it only for work,” explains Jen Stone, MSCIS, CISSP, QSA, a security analyst with SecurityMetrics in Orem, Utah.
Adam Kehler, CISSP, principal consultant and healthcare practice lead with Online Business Systems, adds, “Username formats should meet a corporate standard for consistency, but should not be considered confidential information.”
This is particularly critical when network monitoring shows unauthorized access to the practice systems. If a data security incident occurs, IT staff can quickly pinpoint the account involved and do the necessary damage control.
Don’t Mix Business With Pleasure
It’s smart business to separate your home life from your work life, which translates to using different logins for your home accounts than those you use for work. The division between work and home tech not only protects your patients — it protects your business, too.
“If you use your work email as an account name, chances are good you’ll be tempted to use your work password as well,” says Stone. “Then, when ‘Flower Sparkle Games’ is hacked, the hackers not only get access to your game, they also get access to your work account.”
7 Password Creation Steps Stop Hackers in Their Tracks
Review these seven password steps that Adam Kehler, CISSP, a principal consultant and healthcare practice lead with Online Business Systems, recommends for covered entities (CEs):
1. Make it long. Longer passwords equal greater security — it’s just that simple. “Increase length to 10 or 12 characters,” he suggests.
2. Don’t go over the top with complexity. An overly complicated password that must be changed weekly or monthly can be a headache and lead to password fails. “Eliminate requirements for complexity and scheduled change — only change if a password has been compromised,” instructs Kehler.
3. Register a breached password checklist. It’s never a great idea to reuse a password that’s created problems in the past. “Reject passwords that appear on a breached password list,” he says.
4. Streamline reset protocols. It’s best not to overcomplicate the reset processes for users’ passwords. “Make password resets easy by sending a temporary link to the user’s backup email account,” Kehler advises.
5. Eliminate password hints. “They actually decrease security,” Kehler warns. Hackers can easily investigate a user’s background with just a username. If you must use hints, think neutral and impersonal when creating them.
6. Use hashing functions and cryptography. Password storage that utilizes hashing or inputting random data into passwords through cryptography limits cyber thugs. “Ensure passwords are stored using a strong, nonreversible hash like Bcrypt instead of SHA256,” explains Kehler.
7. Institute user-friendly password protocols. The nuances of high-tech password policy can be confusing and impede practice controls, so provide easy-to-understand guidelines. “Increase usability with methods such as providing real-time feedback on password strength and ensuring systems are compatible with popular password safes,” Kehler says.
HIPAA Security Factors into the Password Equation
Over the past few years, the Office for Civil Rights has really ramped up its enforcement of HIPAA security violations. The loss of devices and the lack of encryption on many of these mobile units has made password security a hot topic in healthcare. Case after case illustrates the need for stronger risk analysis, with unauthorized access a common issue among both covered entities (CEs) and their business associates (BAs).
The HIPAA Security Rule places primary importance on policies and procedures that protect and secure ePHI. Under the administrative safeguards, CEs are required to identify and analyze potential risks to ePHI as part of their security management process, the rule summary instructs. In addition, the provision mandates the implementation of “security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.” This includes the creation and maintenance of strong passwords.
The emphasis on risk assessment and reduction is clear — and this includes the creation and maintenance of strong passwords. Whether you’re a CE operating a small practice in a rural zone or a multifaceted BA with departments that span an entire region of the country, you must put risk analysis and password protection at the top of your HIPAA compliance planning.
Employ 4 Quick Tips for Better Password Management
When you’re busy, you may be compelled to reuse old passwords — over and over. Hackers look specifically for these types of patterns, however, so repeatedly using the same passwords leaves your organization vulnerable to a cyberattack. Plus, if your office experiences a data breach or a HIPAA violation, one of the first inquiries in the investigation of your case will be whether you assessed, analyzed, and managed your practice risks. Lackluster password controls will likely be categorized as ignoring potential risks. One of the easiest security measures you can implement is a strong password. Think about adding these four password actions from Adam Kehler, CISSP, a principal consultant and healthcare practice lead with Online Business Systems, to your checklist:
1. Strengthen security with multifactor authentication (MFA). If the sites you utilize the most offer MFA, use it for the added protection.
2. Institute a password safe. A password vault, safe, or management system will help you both create and corral your choices. “Use a password safe that is compatible with all of your devices,” Kehler cautions.
3. Get creative. When you’re busy, it’s easy to fall into password patterns and reuse old ones. Make your passwords random and unique and add them to your password safe.
4. Dig deep for innovative hints. Some sites require users to add hints for password retrieval. You should use random words instead of meaningful ones “and store those in the password safe,” Kehler advises.
Use Two-Factor Authentication
Fortunately, there are strategies that you can employ to safeguard your mobile devices and workstations, as well as your patients’ ePHI, that go beyond traditional measures and bolster password controls.
“Passwords alone are by and large not a great way to authenticate individuals. Organizations should strongly consider implementing multifactor authentication (MFA) for all remote access or privileged access to sensitive systems,” Kehler stresses. “Implementing these controls can result in an incredible decrease of the number and severity of breaches.”
MFA is a handy tool that prompts you to report at least two types of evidence to authenticate your identity during login. This is also known as two-factor authentication (2FA).
Stone says to make sure 2FA is turned on for all your accounts. “It might take a few more seconds for you to log in,” Stone says, “but the increased security is absolutely worth it!”
Stay Up to Date on Guidance
The National Institute of Standards and Technology (NIST) updated its password guidance with recommendations for improving identity security. The new guidelines bemoan complicated composition rules for passwords because they create more problems.
“Research and the updated NIST SP 800-63B Digital Identity Guidelines agree that most of what we know about password strength is incorrect,” says Kehler. “Passwords change and complexity rules generally result in password reuse, writing down passwords, and creating predictable passwords such as ‘Password123.’”
If your practice struggles with password management, you may want to consider using a password management tool. “In my experience, the best passwords come from a password manager,” says Stone. “They can be long, complex, and unique without taxing your ability to remember all the passwords to all your accounts.”
HIPAA Security Rule summary: www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
NIST guidelines: https://pages.nist.gov/800-63-3
NIST MFA guidance: www.nist.gov/itl/tig/back-basics-multi-factor-authentication