Cybersecurity Awareness: Password Management
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights has made October the National Cybersecurity Awareness Month (NCSAM). Why? Healthcare companies are falling prey to hackers, resulting in huge privacy breaches, and the problem is only getting worse. Therefore, HHS wants healthcare organizations to go back to the basics of privacy and security.
It’s more critical now than ever for you, as a covered entity or business associate, to secure your electronic protected health information (ePHI). The easiest security step you can take is to put a good password management system in place.
What is Password Management?
Passwords are the keys to the kingdom. They allow users to log in to your information systems. When passwords are managed well, only authorized users can log in. If you want a strong password management system, you need to follow rules that help you create strong passwords and set up automatic events that manage passwords. Here are some tips:
- Password defaults. Have users change the default passwords that allow them to initially log in to a system.
- Password makeup. Use at least 10 characters with a combination of uppercase and lowercase letters, numbers, and symbols (ex. $, !, or &). You can use passphrases (ex. I love to golf on Saturdays and Sundays) or reduce the passphrase to a password (ex. Iltg0sas). However, passphrases are more secure because they’re harder to crack than passwords.
- Password protection. You should never write passwords on sticky notes, leave them by the computer, or share them with others. Commit your password to memory or use a password vault.
- Password expiration. Users shouldn’t have the same password forever. Set dates for passwords to expire and for users to create a new password (ex. Every 180 days or once a year).
- Password history. Users shouldn’t be able to reuse the same password when prompted to create a new one. Set how many times users must create a different password before they can reuse one.
Making passwords feels like a nuisance sometimes. However, password management is the first step towards securing your ePHI, so don’t skip this step! To make security easier, HIPAAtrek software sends automatic reminders to your entire team about login monitoring, password management, and malicious software. Learn more about how HIPAAtrek can help you simplify your HIPAA compliance program.