HIPAA Tip: Password Security
An employee complains about having to change their password yet again. After minutes spent crafting the new password, they jot it down on a sticky note and stick it to their monitor.
Creating and remembering complex passwords is the bane of healthcare employees, who deal with many programs and networks related to patient care throughout the day. Some password practices, like the one above, are easy and tempting. After all, isn’t it okay to take a shortcut if it helps your workflow?
However, the price of convenience can be steep. Careless password practices often violate HIPAA’s security requirements, and if HIPAA takes password security seriously so should you.
Careless Password Practices
Healthcare employees often share login information with others to simplify their workflow. However, you are responsible for all activity under your account. If you share your password, you lose control over the activities on your account. The person you share your login with can purposefully or accidentally change patient data, and you may face serious disciplinary actions.
Even if you have no intention of sharing your password, writing it down is possibly more dangerous than directly sharing it. Written passwords are vulnerable because anyone can see or steal them. If you find yourself struggling to remember passwords, resist the urge to reach for a pen and use a password vault instead.
Basic Password Security
HIPAA requires you to securely manage your passwords and logins. Page 16 of the HHS “Security Standards – Administrative Safeguards” defines password management as “procedures for creating, changing, and safeguarding passwords.” Therefore, you must have guidelines for what a secure password is, as well as when and how they should be changed.
Password security is an ongoing process that involves everyone on your team. However, you can take the first few steps towards creating a culture of security compliance.
- Create unique user IDs. Every user should have their own unique username or identifier to log in to your sensitive programs or network. For example, “Nurse Station 1” would not be a unique user ID.
- Create a complex password for each user ID. Each employee will have multiple passwords, one for each access point. Though this may be frustrating, an employee with one “master” password could cause a serious security issue if someone steals the password.
- Train your staff. HIPAA requires you to periodically remind staff members about security issues. However, reminders can take many forms. Embrace this requirement as an opportunity to share good password practices with your team.
To help you create a culture of security compliance, the HIPAAtrek platform sends automatic reminders to your entire team about password management, login monitoring, and malicious software. Contact us to learn more about how HIPAAtrek can help you simplify your HIPAA compliance program.