HIPAA Tip: Password Security

[Image: Sticky note with a password written on it]

An employee complains about having to change their password yet again. After minutes spent crafting the new password, they jot it down on a sticky note and stick it to their monitor.

Sound familiar?

Creating and remembering complex passwords is the bane of healthcare employees, who deal with many programs and networks related to patient care throughout the day. Some password practices, like the one above, are easy and tempting. After all, isn’t it okay to take a shortcut if it helps your workflow?

However, the price of convenience can be steep. Careless password practices often violate HIPAA’s security requirements, and if HIPAA takes password security seriously, so should you.

Careless Practices

Healthcare employees often share login information with others to simplify their workflow. However, you are responsible for all activity under your account. If you share your password, you lose control over the activities on your account. The person you share your login with can purposefully or accidentally change patient data, and you may face serious disciplinary actions.

Even if you have no intention of sharing your password, writing it down is possibly more dangerous than directly sharing it. Written passwords are vulnerable because anyone can see or steal them. If you find yourself struggling to remember passwords, resist the urge to reach for a pen and use a password vault instead.

Basic Password Security

HIPAA requires you to securely manage your passwords and logins. Page 16 of the HHS “Security Standards – Administrative Safeguards” defines password management as “procedures for creating, changing, and safeguarding passwords.” Therefore, you must have guidelines for what a secure password is, as well as when and how they should be changed.

Read more: Cybersecurity Awareness: Password Management

Password security is an ongoing process that involves everyone on your team. However, you can take the first few steps towards creating a culture of security compliance.

  1. Create unique user IDs. Every user should have their own unique username or identifier to log in to your sensitive programs or network. For example, “Nurse Station 1” would not be a unique user ID.
  2. Create a complex password for each user ID. Each employee will have multiple passwords, one for each access point. Though this may be frustrating, an employee with one “master” password could cause a serious security issue if someone steals the password.
  3. Train your staff. HIPAA requires you to periodically remind staff members about security issues. However, reminders can take many forms. Embrace this requirement as an opportunity to share good password practices with your team.

To help you create a culture of security compliance, the HIPAAtrek platform sends automatic reminders to your entire team about password management, login monitoring, and malicious software. Contact us to learn more about how HIPAAtrek can help you simplify your HIPAA compliance program.
