HIPAA Tip: Password Security


An employee complains about having to change their password yet again. After minutes spent crafting the new password, they jot it down on a sticky note and stick it to their monitor.

Sound familiar?

Creating and remembering complex passwords is the bane of healthcare employees, who deal with many programs and networks related to patient care throughout the day. Some password practices, like the one above, are easy and tempting. After all, isn’t it okay to take a shortcut if it helps your workflow?

However, the price of convenience can be steep. Careless password practices often violate HIPAA’s security requirements, and if HIPAA takes password security seriously, so should you.

Careless Practices

Healthcare employees often share login information with others to simplify their workflow. However, you are responsible for all activity under your account, because the system’s audit log attributes every action to the account that performed it. If you share your password, you lose control of that account: the person you share it with can deliberately or accidentally change patient data, and you may face serious disciplinary action for it.

Even if you have no intention of sharing your password, writing it down can be as dangerous as sharing it outright. A written password is exposed to anyone who walks past your desk, and it can be read, photographed, or taken without you ever knowing. If you find yourself struggling to remember passwords, resist the urge to reach for a pen and use a password manager (vault) instead.

Basic Password Security

HIPAA requires you to securely manage your passwords and logins. Page 16 of the HHS “Security Standards – Administrative Safeguards” paper defines password management (45 CFR § 164.308(a)(5)(ii)(D)) as “procedures for creating, changing, and safeguarding passwords.” Therefore, you must have guidelines for what a secure password is, as well as when and how passwords should be changed. Note that “when” need not mean a fixed schedule: current NIST guidance (SP 800-63B) is to change passwords when there is evidence of compromise rather than periodically, which also removes the incentive behind the sticky note in the story above.

Password security is an ongoing process that involves everyone on your team, but the first few steps toward a culture of security compliance are straightforward.

  1. Create unique user IDs. Every user should have their own unique username or identifier to log in to your sensitive programs or network, so that each action can be traced to one person. For example, “Nurse Station 1” is a shared account, not a unique user ID.
  2. Require a separate, complex password for each user ID. Each employee will have multiple passwords, one for each access point. Though this may be frustrating, an employee who reuses one “master” password everywhere turns a single stolen password into access to every system that employee can reach.
  3. Train your staff. HIPAA requires you to periodically remind staff members about security issues. However, reminders can take many forms. Embrace this requirement as an opportunity to share good password practices with your team.
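As an added example (not code from HIPAAtrek or from this article), here is how a provisioning or password-change tool could enforce the first two practices: reject shared, role-based user IDs like “Nurse Station 1”, and reject a password that is too weak or that the employee already uses elsewhere. The word list, the length threshold, and the idea that the tool can see salted hashes of the user’s passwords on other systems are assumptions for illustration, not requirements taken from HIPAA or HHS guidance.

```python
import hashlib
import hmac
import re
import secrets
from typing import List, Optional

# Illustrative assumptions, not HHS figures: words that name a place, role or
# device rather than one person, and the minimum length we will accept.
SHARED_ID_WORDS = ("station", "nurse", "frontdesk", "front desk", "reception",
                   "desk", "admin", "shared", "lab", "clinic", "pharmacy", "guest")
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 200_000   # kept modest so the example runs quickly; tune upward


def is_unique_user_id(user_id: str) -> bool:
    """True only for an identifier that can be tied to one individual."""
    norm = user_id.strip().lower()
    norm = re.sub(r"\d+", " ", norm)        # "nurse1" -> "nurse "
    norm = re.sub(r"[^a-z ]", " ", norm)    # "front-desk" -> "front desk"
    if len(norm.strip()) < 3:
        return False
    return not any(re.search(rf"\b{re.escape(w)}\b", norm) for w in SHARED_ID_WORDS)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salt_hex$digest_hex'."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def matches_hash(password: str, stored: str) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def password_problems(password: str, user_id: str, known_hashes: List[str]) -> List[str]:
    """Return the policy violations for a proposed password (empty list = accepted).

    known_hashes holds salted hashes of this user's current passwords on other
    systems and their recent previous passwords; a reused "master" password is
    caught only if the tool can see those records (an assumption here).
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        problems.append("uses fewer than three character classes")
    if user_id and user_id.lower() in password.lower():
        problems.append("contains the user ID")
    if re.search(r"(.)\1{3,}", password):
        problems.append("contains a run of four or more repeated characters")
    if any(matches_hash(password, h) for h in known_hashes):
        problems.append("reuses a password already in use or recently used")
    return problems


if __name__ == "__main__":
    # Constructed sample accounts, not real data.
    for uid in ("Nurse Station 1", "frontdesk2", "j.doe"):
        print(f"{uid!r}: unique user ID? {is_unique_user_id(uid)}")
    ehr_hash = hash_password("Correct-Horse-9-Battery")   # j.doe's EHR password
    for pw in ("Password1", "jdoe-Winter2024!", "Correct-Horse-9-Battery", "Purple-Stapler-42!"):
        print(f"{pw!r} for the billing system: {password_problems(pw, 'jdoe', [ehr_hash]) or 'accepted'}")
```

Run as a script it prints which sample IDs are rejected as shared accounts and why each sample billing-system password is rejected; the third is refused purely because it is the same password the user already has on the EHR.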

To help you create a culture of security compliance, the HIPAAtrek platform sends automatic reminders to your entire team about password management, login monitoring, and malicious software. Contact us to learn more about how HIPAAtrek can help you simplify your HIPAA compliance program.
