The Health and Human Services (HHS) Office for Civil Rights has made the month of October 2017 Cybersecurity Awareness Month (NCSAM). As such, they are asking organizations subject to the HIPAA Privacy and Security Rules to go back to the basics. The basics include the safeguards you put in place to ensure the confidentiality, integrity, and availability of electronic protected health information (e-PHI), and the training you provide your workforce. Today, the security of electronic health information is more critical than ever, and it is everyone's obligation to protect e-PHI from unauthorized access. In this first installment of a four-part series on cybersecurity tips by HIPAAtrek, we will examine some tips for implementing a good password management program.

Password Management: Passwords can be viewed as the keys to the kingdom. Every user's access point into your information systems that hold or lead to e-PHI begins with a unique user log-in and password. With properly managed passwords, access is reserved to only those who are authorized to enter the system or application. Therefore, it is imperative that you implement appropriate password rules and consider some of these tips:

Password makeup: Consider making them at least 10 characters long, consisting of an uppercase letter, a lowercase letter, a number and a special character such as $%& (alphanumeric). Use passphrases such as "I love to golf on Saturdays and Sundays", which equates to an alphanumeric password of Iltg0sas.

Password history: Specify the number of different passwords a user must select before a previous password can be reused.

Password expiration: Set a date or time period after which the user must establish a new password. No user should have the same password to access e-PHI for an unlimited period. Consider forcing a password change every 180 days or once a year.

Password defaults: Default passwords, whether issued to a user when initial access is provided or shipped with an application or software that is brought online, must be changed by the user.

Password protection: Passwords should be protected from viewing by others. They should not be written down on sticky notes or on paper left under the keyboard. Commit the password to memory, or use a password vault or manager program.
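The tips above can be expressed as a single policy check. The following is an added example in Python, not code from the original post or from HIPAAtrek: it enforces the 10-character makeup rule, a password history, the 180-day expiration, and the forced change of a default password, keeping only salted hashes of past passwords. The history depth of five and the default password "Welcome123!" are assumptions, since the post gives no numbers for them. Note that the post's own eight-character sample, Iltg0sas, does not pass the 10-character or special-character rule, and the check reports exactly that.

```python
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

MIN_LENGTH = 10                  # post: at least 10 characters
HISTORY_SIZE = 5                 # assumed: the post gives no number
MAX_AGE = timedelta(days=180)    # post: force a change every 180 days
SPECIALS = set(string.punctuation)


def complexity_failures(pw: str) -> list[str]:
    """Return the makeup rules that `pw` violates (an empty list means it passes)."""
    checks = {
        f"at least {MIN_LENGTH} characters": len(pw) >= MIN_LENGTH,
        "an uppercase letter": any(c.isupper() for c in pw),
        "a lowercase letter": any(c.islower() for c in pw),
        "a number": any(c.isdigit() for c in pw),
        "a special character": any(c in SPECIALS for c in pw),
    }
    return [rule for rule, ok in checks.items() if not ok]


def _hash(pw: str, salt: bytes) -> bytes:
    # Salted, slow hash so the history never stores a reusable plaintext.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)


class Account:
    def __init__(self, default_password: str, today: date):
        self.history: list[tuple[bytes, bytes]] = []   # (salt, hash), newest last
        self.must_change = True      # post: a default password must be changed
        self._store(default_password, today)

    def _store(self, pw: str, today: date) -> None:
        salt = os.urandom(16)
        self.history = (self.history + [(salt, _hash(pw, salt))])[-HISTORY_SIZE:]
        self.changed_on = today

    def _reused(self, pw: str) -> bool:
        return any(hmac.compare_digest(_hash(pw, s), h) for s, h in self.history)

    def is_expired(self, today: date) -> bool:
        return self.must_change or today - self.changed_on >= MAX_AGE

    def change_password(self, new_pw: str, today: date) -> list[str]:
        """Apply the rules; return the list of problems (empty means accepted)."""
        problems = complexity_failures(new_pw)
        if self._reused(new_pw):
            problems.append(f"matches one of the last {HISTORY_SIZE} passwords")
        if not problems:
            self._store(new_pw, today)
            self.must_change = False
        return problems
```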

HHS has provided a short list of tips to discuss with your staff during NCSAM, and there are many more topics you can include at your organization as you see fit. You can review the NCSAM tips at: https://www.hhs.gov/sites/default/files/hipaa-cyber-awarness-monthly-issue-september-2017.pdf. Let me also recommend you contact our Lead Account Executive, Theresa Zemcuznikov, at theresa@hipaatrek.com, who can provide you a demo of our award-winning HIPAA compliance software, where you can manage your entire privacy and security program in one location. In the meantime, happy HIPAA trekking.