Passwords have become the primary mechanism by which many people prove their online identity so as to communicate, bank, shop, and use their electronics. This can be a good thing – easier access to information is usually positive. When it comes to protecting sensitive information however, people need to be increasingly careful with what they choose as a password.
The rise of online information storage has created new risks – anyone looking to gain access to your sensitive information just needs to acquire your password. For covered entities, strong passwords are essential to protecting clients’ personal information and to remaining HIPAA compliant.
The HIPAA Administrative Safeguards call for password security in several places, including 164.308(a)(1) and 164.308(a)(5). Password security is an important element of a HIPAA Risk Analysis, because weak passwords are a major contributor to the vulnerability of electronic protected health information and to threats against its availability. Password security should also be a core topic in Security Awareness and Training for a covered entity’s workforce.
Health care providers and organizations need to be aware of best practices and options for creating strong passwords in order to protect their clients and their practice. Here are some guidelines on how to create strong passwords:
- Your birthday? Your dog? Your dog’s birthday? Don’t do it! Anyone looking to hack your password can track down and guess these passwords. Any information that is easily accessible via social networking posts or searches should not be used to create your password!
- Longer is better. The latest and safest trend in passwords is actually whole phrases – passphrases. Strings of words or sentences are harder to guess, making them stronger passwords. Think about how much harder “thisisapassword” would be to guess than “password”.
- Turn your password into something enjoyable, catchy, and memorable. The key is to use a passphrase that tickles you, as noted above, instead of a complicated, hard-to-remember set of unintelligible characters. Not only are catchy passphrases harder to crack, but they are also easier to remember, which removes some of the stress of keeping track of many different passwords for different systems. An example: D3lli@4 is hard to remember, but AggressivelyBaldingEagles is actually a much safer password, and is inherently catchier.
- Add capital letters, symbols, and numbers. Passwords that rely on predictable symbol-for-letter substitutions are no longer effective (think “P@ssw0rd” – seriously, if it is not hard to guess, don’t use it). Adding symbols, numbers, and capital letters to an obscure password or passphrase, however, can be very effective!
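The four guidelines above can be turned into a simple policy check. The following is an added example, not code from the original post: it undoes common symbol-for-letter substitutions before matching against a (constructed, deliberately tiny) list of common base words, rejects passwords containing personal terms such as a pet’s name, and uses a rough character-pool entropy estimate so that length is rewarded over cosmetic complexity. The deny-list, thresholds, and leet map are assumptions chosen for illustration.

```python
import math
import re

# Constructed stand-in for a breached/common-password list; a real deployment
# would load a much larger list (assumption: these five words suffice to demo).
COMMON_BASES = {"password", "letmein", "qwerty", "welcome", "admin"}

# Substitutions attackers already try ("P@ssw0rd"); undo them before checking.
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                          "$": "s", "5": "s", "7": "t", "!": "i"})


def normalize(pw: str) -> str:
    """Lower-case and undo leet substitutions so 'P@ssw0rd' becomes 'password'."""
    return pw.lower().translate(LEET_MAP)


def estimate_bits(pw: str) -> float:
    """Rough strength estimate: log2(pool size) * length, by character class."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        pool += 33  # printable ASCII symbols
    return len(pw) * math.log2(pool) if pool else 0.0


def check_password(pw: str, personal_terms=(), min_length=14, min_bits=60):
    """Return a list of policy findings; an empty list means the password passes."""
    findings = []
    raw, norm = pw.lower(), normalize(pw)
    if len(pw) < min_length:
        findings.append(f"too short ({len(pw)} < {min_length})")
    for base in sorted(COMMON_BASES):
        if base in norm:
            findings.append(f"contains common word '{base}' after undoing substitutions")
            break
    for term in personal_terms:  # birthday, dog's name, etc. (guideline 1)
        t = term.lower()
        if len(t) >= 3 and (t in raw or t in norm):
            findings.append(f"contains personal term '{term}'")
    bits = estimate_bits(pw)
    if bits < min_bits:
        findings.append(f"estimated strength {bits:.0f} bits < {min_bits}")
    return findings
```

With these settings, “P@ssw0rd” and “D3lli@4” are rejected while “AggressivelyBaldingEagles” passes, matching the ranking given above.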
Once you have created a strong password, your job is not done. To preserve your information’s security, you need to make sure you are using that excellent password or phrase securely. Here are some tips on making sure that your newly created strong password does not end up in someone else’s hands:
- Use different passwords for different accounts. This can be challenging, because we have so many accounts that require passwords, but it is still vital to protecting information. If one of your accounts gets hacked, you don’t want the hacker to be able to access all of your accounts. If you are worried about keeping track of passwords, look into your organization’s policy on password manager programs, which securely store and track your passwords for you.
- Don’t share that password! This seems like a no-brainer, but it still happens all the time. Even coworkers or friends should not know your password, and if you are worried that someone knows it, change the password as soon as possible.
- Don’t use public computers to log into accounts that contain sensitive or financial information. These computers could contain hidden code that records your keystrokes, so be sure you only use trusted computers and mobile devices to check any protected health information or personal financial information.
- Make sure that if you or any of your staff stop using an account, it is closed or deleted! There is no need to leave a potential hole in your administrative safeguards after being so careful with your password and information security!
Remember, as a covered entity or business associate of a covered entity, remaining HIPAA compliant and preventing data breaches means being extra vigilant and cautious. This how-to guide for creating stronger passwords will help you on your way to better protecting information.
If you have more questions on protecting health information, please contact us before your firm suffers a data breach. EMRSoap’s HIPAA Compliance Consulting services can get you on the way to being safe, secure, and compliant!