Cybersecurity Awareness: Password Management


Every October is National Cybersecurity Awareness Month (NCSAM), and the U.S. Department of Health and Human Services (HHS) Office for Civil Rights uses it to push healthcare organizations back to the basics of privacy and security. Why? Healthcare companies keep falling prey to attackers, resulting in large breaches of patient data, and the problem is only getting worse. It is more critical now than ever for you, as a covered entity or business associate, to secure your electronic protected health information (ePHI). One of the easiest security steps you can take is to put a sound password management process in place.

What is Password Management?

Passwords are the keys to the kingdom. They allow users to log in to your information systems, and when they are managed well it becomes far harder for anyone but the authorized user to do so. The HIPAA Security Rule names password management as an addressable safeguard (45 CFR 164.308(a)(5)(ii)(D)): procedures for creating, changing, and safeguarding passwords. If you want a strong password management program, you need rules that produce strong passwords and automatic events (expiration, history checks) that the system enforces rather than people. Here are some tips:

  1. Password defaults. Force users to change the default or vendor-supplied password that lets them log in to a system for the first time, and do the same for shared devices and service accounts. Default passwords are published in manuals and are the first thing an attacker tries.
  2. Password makeup. Use at least 10 characters with a combination of uppercase and lowercase letters, numbers, and symbols (ex. $, !, or &). Better still, use a passphrase (ex. I love to golf on Saturdays and Sundays). Reducing a passphrase to its initials (ex. Iltg0sas) is a common memory trick, but the result is only 8 characters, below the minimum above, and far weaker: a passphrase is more secure because its length makes it much harder to guess or crack.
  3. Password protection. Never write passwords on sticky notes, leave them by the computer, share them with others, or reuse a work password on other sites. Commit your password to memory or use a password vault (password manager).
  4. Password expiration. Users shouldn't keep the same password forever. Set a maximum age after which users must create a new password (ex. every 180 days or once a year), and require an immediate change whenever a password may have been exposed. Note that current NIST guidance (SP 800-63B) favors changing passwords on evidence of compromise over fixed schedules, and the HIPAA Security Rule sets no specific interval, so document the choice your risk analysis supports.
  5. Password history. Users shouldn't be able to reuse a recent password when prompted to create a new one. Set how many previous passwords the system remembers and refuses to accept. The system should keep that history as salted hashes, never as plaintext, and compare a proposed password against each stored hash.
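Rules 1, 2, 4 and 5 are things a system can enforce, so here is a small policy checker that does so, added as an example; it is not HIPAAtrek's software and is not from the original post. It assumes a 10-character minimum with all four character classes, a 180-day maximum age and a five-password history, and it adds one rule of its own: a passphrase of 20 or more characters needs no character-class mix, since its length is what makes it hard to crack. The list of default passwords, the account "jdoe" and the sample passwords are constructed for the example. Previous passwords are stored as salted PBKDF2 hashes, so the history check never sees plaintext.

```python
"""Password-policy checks for the rules above.

Added example, not HIPAAtrek code and not from the original post. Standard
library only. Assumptions for the example: 10-character minimum, all four
character classes unless the password is a 20+ character passphrase, 180-day
maximum age, five-password history, and a constructed list of default passwords.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 10              # rule 2
PASSPHRASE_MIN_LENGTH = 20   # assumption: at this length, length alone is the strength
MAX_AGE_DAYS = 180           # rule 4
HISTORY_DEPTH = 5            # rule 5
PBKDF2_ITERATIONS = 100_000  # tune upward in production, or use a dedicated library
SYMBOLS = set(string.punctuation)

# Constructed sample of vendor/default passwords to reject (rule 1), lower-cased.
DEFAULT_PASSWORDS = {"password", "admin", "welcome1", "changeme", "password1!"}


def check_makeup(password: str) -> List[str]:
    """Rule 2. Return the list of composition problems; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) >= PASSPHRASE_MIN_LENGTH:
        return problems  # long passphrase: no character-class requirement
    classes = {
        "lowercase letter": any(c.islower() for c in password),
        "uppercase letter": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in SYMBOLS for c in password),
    }
    problems.extend(f"no {name}" for name, present in classes.items() if not present)
    return problems


def is_default(password: str) -> bool:
    """Rule 1. Case-insensitive match against the known-default list."""
    return password.lower() in DEFAULT_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt for every stored entry."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the candidate against a stored (salt, digest) pair."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    username: str
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # oldest first
    changed_on: Optional[date] = None


def is_expired(account: Account, today: date) -> bool:
    """Rule 4. A password never set, or older than MAX_AGE_DAYS, must be changed."""
    if account.changed_on is None:
        return True
    return today - account.changed_on > timedelta(days=MAX_AGE_DAYS)


def in_history(account: Account, password: str) -> bool:
    """Rule 5. Check the candidate against the last HISTORY_DEPTH stored hashes."""
    return any(verify_password(password, s, d) for s, d in account.history[-HISTORY_DEPTH:])


def change_problems(account: Account, new_password: str) -> List[str]:
    """Every reason the proposed password must be rejected (empty list: accept)."""
    problems = check_makeup(new_password)
    if is_default(new_password):
        problems.append("is a known default password")
    if in_history(account, new_password):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


def set_password(account: Account, new_password: str, today: date) -> None:
    """Apply all rules, then store only the salted hash and the change date."""
    problems = change_problems(account, new_password)
    if problems:
        raise ValueError(f"{account.username}: password rejected: " + "; ".join(problems))
    account.history.append(hash_password(new_password))
    account.history = account.history[-HISTORY_DEPTH:]
    account.changed_on = today


def run_demo() -> dict:
    """Walk the constructed account 'jdoe' through the rules and return the outcomes."""
    acct = Account("jdoe")
    set_password(acct, "I love to golf on Saturdays and Sundays", date(2024, 1, 15))
    return {
        "initials": change_problems(acct, "Iltg0sas"),                               # too short, no symbol
        "default": change_problems(acct, "Password1!"),                              # known default
        "reuse": change_problems(acct, "I love to golf on Saturdays and Sundays"),   # in history
        "fresh": change_problems(acct, "Tuesday clinic starts at 8 sharp"),          # acceptable
        "expired_jul": is_expired(acct, date(2024, 7, 1)),                            # 168 days old
        "expired_sep": is_expired(acct, date(2024, 9, 1)),                            # 230 days old
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome if outcome != [] else 'acceptable'}")
```

The history check re-derives PBKDF2 with each stored entry's own salt, which is why reuse can be detected without ever keeping the old passwords themselves. The 20-character passphrase exemption is the example's own choice; if your policy keeps the four-class rule for every length, delete the early return in check_makeup and the page's sample passphrase will be rejected for lacking digits and symbols.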

Managing passwords can feel like a nuisance. However, password management is the first step towards securing your ePHI, so don't skip it. To make security easier, HIPAAtrek software sends automatic reminders to your entire team about login monitoring, password management, and malicious software. Learn more about how HIPAAtrek can help you simplify your HIPAA compliance program.
