What passwords do you use to access your company's system? If you are a healthcare provider, you'll need to take extra precautions to ensure these passwords are strong and not easily broken. If a hacker or some other individual with nefarious intent can access your system, he or she could potentially steal Protected Health Information (PHI).
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 covers numerous topics pertaining to cybersecurity. In fact, HIPAA even has a special Rule dedicated specifically to Electronic Protected Health Information (EPHI). Known as the Security Rule, it lays out guidelines that covered entities must follow to prevent unauthorized access to EPHI.
It stands to reason that creating a strong password is a necessary element of complying with HIPAA's Security Rule. Opting for a “convenient” password increases the risk of someone infiltrating your system and stealing a patient's health information. So, what measures does HIPAA recommend when creating a password for your healthcare facility?
The Security Rule states that all covered entities must establish guidelines for creating passwords and change them on a regular basis. In other words, as a covered entity, it's your responsibility to create specific guidelines regarding how your company's passwords are created. Furthermore, you must change these passwords during “periodic change cycles.”
“In addition to providing a password for access, entities must ensure that workforce members are trained on how to safeguard the information. Covered entities must train all users and establish guidelines for creating passwords and changing them during periodic change cycles,” wrote the Department of Health and Human Services (HHS) in its Administrative Safeguards section of the Security Rule.
The HIPAA Security Rule doesn't say exactly how covered entities are supposed to create their passwords. Instead, it is general enough that covered entities can use their own discretion.
Here are some tips for creating a strong password:
- Avoid using names, common words or phrases.
- Use a combination of upper-case letters, lower-case letters, non-sequential numbers, and special characters.
- Do not write or store your passwords in an unencrypted format.
- Do not use a short password.
- Do not reuse your password for other systems or accounts.
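The tips above can be enforced when a password is set. The following is an added example, not part of the original article or of any HIPAA text: a Python check that reports which tips a candidate password violates and keeps password history only as salted PBKDF2 hashes. The 12-character minimum, the small denylist and the iteration count are assumptions, since neither the Security Rule nor this page gives numbers.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 12          # assumption: the page only says "not short"
PBKDF2_ROUNDS = 600_000  # assumption: work factor for stored hashes
# Constructed sample denylist; a production list would be far larger.
DENYLIST = {"password", "welcome", "hospital", "clinic", "letmein"}


def hash_password(password, salt=None):
    """Return (salt, digest) so the password is never stored in the clear."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def has_sequential_digits(password, run=3):
    """True if `run` or more digits ascend or descend by one (123, 987)."""
    for match in re.finditer(r"\d{%d,}" % run, password):
        digits = [int(c) for c in match.group()]
        steps = [b - a for a, b in zip(digits, digits[1:])]
        for i in range(len(steps) - run + 2):
            if steps[i:i + run - 1] in ([1] * (run - 1), [-1] * (run - 1)):
                return True
    return False


def check_password(password, names=(), history=()):
    """Return the list of violated tips; an empty list means it passes."""
    problems = []
    lowered = password.lower()
    banned = DENYLIST | {n.lower() for n in names if n}
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if any(word in lowered for word in banned):
        problems.append("contains a name or common word")
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if not all(re.search(c, password) for c in classes):
        problems.append("missing a character class")
    if has_sequential_digits(password):
        problems.append("sequential numbers")
    # Reuse check: re-hash with each stored salt, compare in constant time.
    for salt, digest in history:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            problems.append("reused")
            break
    return problems
```

Pass the user's own name and the organization's name in `names`, and the account's stored `(salt, digest)` pairs in `history`.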