The Health Insurance Portability and Accountability Act (HIPAA) requires physicians, dentists, chiropractors and other covered entities to take measures to protect their patients' information from unauthorized use or disclosure. Most healthcare organizations now store that data on networked systems, which creates security risk: attackers who get into the network, or insiders with malicious intent, can reach Protected Health Information (PHI).
The first line of defense is still a strong password. A password like “myspace123” (note: that was once the most popular password) is easy to remember, but it places your system at increased risk of intrusion and may leave you out of step with HIPAA's password-management requirement.
As noted in Section 164.308(a)(5)(ii)(D) of the Health and Human Services (HHS) Administrative Safeguards, covered entities are required to implement “procedures for creating, changing and safeguarding passwords.” This is an “addressable” implementation specification, which does not mean optional: a covered entity must implement it where reasonable and appropriate, and otherwise document why it is not and implement an equivalent alternative measure where one is reasonable (see 45 CFR 164.306(d)(3)). So, what exactly does this mean in practice? There's no single “right” way to create a strong password, but the HHS document outlines some key points for covered entities to consider.
Can Employees Share Passwords?
Covered entities should implement policies and/or procedures that prevent workers from sharing passwords with others. Beyond the obvious exposure, a shared password also undermines the unique user identification requirement in Section 164.312(a)(2)(i): once two people use the same credential, access to PHI can no longer be attributed to one individual in the audit trail.
Are Workers Required To Remember Their Passwords?
While not strictly required, it's a good idea to have workers memorize their passwords. This is obviously a safer and more secure alternative to placing a sticky note with the password on the edge of a computer monitor. Where memorizing a strong, unique password for every system isn't realistic, an approved password manager is the appropriate alternative; the sticky note is not.
HIPAA requires all covered entities to train their workforce members on how to safeguard Protected Health Information. This includes training on how to create passwords, how to safeguard them, and when and how to change them.
Tips on Creating a Strong Password
- Avoid using names, common words or phrases.
- Use a combination of lower-case letters, upper-case letters, special characters and non-sequential numbers, and make it long: length does more for strength than character variety, so prefer 12 or more characters or a multi-word passphrase.
- Change your password whenever it may have been exposed (a phishing attempt, a shared workstation, a breach notice) and at whatever interval your organization's policy sets. HIPAA itself sets no rotation interval, and current NIST guidance (SP 800-63B) no longer recommends forced periodic changes, which tend to produce predictable variations like “Spring2024!”; a password that has been reused for months, though, is a bigger risk than one changed on evidence of compromise.
- Never write down your password or store it in a plain-text document. If you're going to store it on a computer or digital storage drive, keep it in an encrypted store such as a password manager, never in a spreadsheet or notes file.