Password security is the bane of most healthcare organizations’ existence! Employees and providers groan every time they are required to change their passwords. Remembering complex passwords is also difficult, especially when you have multiple passwords to remember for all the programs and networks required to manage patient care. Writing passwords down and sharing passwords are common temptations to ease the pain of password management. However, not taking password security seriously is leaving your patients’ information vulnerable.

The Password Security Conundrum

Many organizations struggle with password security. Providers and nurses often share login credentials with staff to make it their workflows easier. However, sharing passwords IS a real security threat.

If you share your password, you are responsible for ALL activity under your login credentials! It is difficult, if not impossible, to monitor someone else’s activity on your login. This is particularly true if you are not closely watching them as they are logged in as you. The person you share your password with can purposefully or accidentally change patient data. As a result, you can face serious disciplinary actions, including fines or termination.

In addition, to password sharing, password security is another major concern. If you write your passwords down on a sticky note or notebook, STOP! Because, this leaves passwords extremely vulnerable. Passwords that are written down can be lost or stolen. Also, it is impossible to determine who has accessed passwords that are written down on paper. If you must write down your passwords, consider the use of a password vault.

You and your staff are busy!  As a result, these seem to be reasonable shortcuts to make his workflow more manageable. However, due to the possible monetary penalties or even loss of employment, they are really dangerous practices.

HIPAA Requirements

Not only is password security important for your security program, HIPAA actually REQUIRES it!

• Password Management: Procedures for creating, changing, and safeguarding passwords. 
• Unique User ID: Assign a unique name and/or number for identifying and tracking user identity.

First, establish unique user IDs. This means, that every user should have their own user name or identifier to log into sensitive programs or your network. Because, having generic user IDs such as “Nurse Station 1” to login does not meet the requirement.

Second, make sure that every user ID has its own secure and complex password. This might, and probably does, mean that each employee will have multiple passwords that match up with each account.

Most importantly, TRAIN your staff on your security practices around securing and managing their passwords!

Security Beyond HIPAA

Just meeting the HIPAA requirements may not be enough to protect your patients’ information. Beyond HIPAA, it is important to protect passwords in order to secure your network and all of its data. A rogue, or even well-intentioned, employee can change a patient’s chart causing great harm to the patient.

Your HIPAA Tip on sharing passwords, is simply don’t.

If you have any questions on how to meet these requirements, contact us!

Happy HIPAAtrekking!