HIPAA Nugget – New guidance on Passwords
Maintaining passwords in today's social media and electronic healthcare environment can be an overwhelming challenge, especially for a healthcare business owner. Think about the number of passwords you use and how often they need to be changed. An Electronic Health Record (EHR) vendor may require you to change your password every three months and to include special characters, while the Medicaid website might not accept that special character, so you end up with a different password under different rules for every system.
Many times when I am doing a practice assessment, I find passwords for the computer or the healthcare software package taped to the monitor or stuck to the bottom of the keyboard. This points to a lack of security training among the staff. I also find spreadsheets on the manager's computer named "UserID" or "Passwords". That is the first document an attacker will look for once they are on the machine, because it opens the door to bank accounts and everything else. The goal is to keep attackers out of your software and your practice information.
With access to your computer, an attacker can also install "keylogger" software, which records every keystroke typed on the keyboard. That captures user IDs and passwords, even for cloud-based practice management systems, since the credentials are typed locally before they ever reach the cloud. This was the case recently in a large San Antonio OB/GYN practice. Luckily they discovered it quickly and could verify that the EHR product had not been accessed.
An article published recently debunked the previous advice about password rules. The new advice is the same advice I have been giving our clients since last year: use a phrase for your password so you can remember it easily. The article, published on NY.COM, recommended a four-word phrase over the older formula of a complex string of letters, numbers and symbols that nobody can remember. I recommend something like "I love chocolate". Do not use your favorite sports team or the name of any friend or relative, and be aware that a familiar saying is weaker than four unrelated words, because common phrases are among the first things a cracking tool tries. If a site insists on numbers or symbols, you can work them into the phrase ("1l0vech0c0late", using "0" for "o" and "1" for "i", or "$" for "s"), but treat that as satisfying the site's rule rather than as added strength: cracking tools apply exactly these substitutions automatically, so the length and unpredictability of the words are what actually protect you.
Phrases like this are easier to remember. If you must keep a reminder on your phone, note only a hint such as "chocolate", and keep in mind that even a hint helps anyone who picks up the phone; a password storage program is a safer place for it. Also use an entirely different phrase for your banking and investment websites than for your other internet activity and your practice systems, so that one stolen password does not unlock your money.
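To show why the advice above works, here is a short example, added for this page and not part of the original article, that generates a four-word passphrase with a cryptographic random number generator, measures how many bits of guessing work a random passphrase represents, and undoes the "0" for "o" style substitutions the way a password-cracking ruleset does. The word list and the sample passwords are constructed for the demonstration; a real deployment would load a large published list such as the EFF long word list (7,776 words), which is the list size assumed in the comparison.

```python
"""Passphrase strength versus character substitutions.

Added example for this page, not code from the original article.
The word list below is constructed for the demo and far too small for
real use; only its size matters for the arithmetic.
"""
import math
import secrets

# Constructed sample word list: 32 words, so each word contributes 5 bits.
SAMPLE_WORDS = [
    "apple", "bridge", "candle", "dragon", "eagle", "forest", "garden",
    "harbor", "island", "jacket", "kettle", "lantern", "meadow", "needle",
    "orange", "pepper", "quartz", "rocket", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yellow", "zipper", "anchor", "button", "copper",
    "desert", "engine", "falcon", "glacier",
]

# Common substitutions and the letters they stand for. Cracking rulesets
# apply exactly these, so they add far less strength than they appear to.
LEET_TO_LETTER = {"0": "o", "1": "i", "3": "e", "4": "a",
                  "5": "s", "$": "s", "@": "a", "7": "t"}
SUBSTITUTABLE_LETTERS = set(LEET_TO_LETTER.values())


def generate_passphrase(words=SAMPLE_WORDS, count=4, sep=" "):
    """Pick `count` words uniformly at random using a CSPRNG (secrets, not random)."""
    return sep.join(secrets.choice(words) for _ in range(count))


def passphrase_bits(wordlist_size, count):
    """Entropy in bits of `count` words drawn uniformly from `wordlist_size` words."""
    return count * math.log2(wordlist_size)


def unleet(password):
    """Undo the common substitutions, the way a cracking ruleset normalises input."""
    return "".join(LEET_TO_LETTER.get(ch, ch) for ch in password.lower())


def substitution_bits(base_phrase):
    """Upper bound on the extra work substitutions add once the base phrase is
    known: each substitutable letter is at most an on/off choice, i.e. one bit."""
    return sum(1 for ch in base_phrase.lower() if ch in SUBSTITUTABLE_LETTERS)


def compare(password, wordlist_size=7776, count=4):
    """Return (bits added by substitutions to the base phrase,
    bits of a `count`-word random passphrase from a list of `wordlist_size`)."""
    return substitution_bits(unleet(password)), passphrase_bits(wordlist_size, count)


if __name__ == "__main__":
    print("random passphrase:", generate_passphrase())
    sample = "1l0vech0c0late"  # constructed sample, the substituted phrase from the text
    added, random_phrase = compare(sample)
    print(f"{sample!r} normalises to {unleet(sample)!r}; "
          f"substitutions add at most {added} bits on top of guessing the phrase")
    print(f"four random words from a 7,776-word list: about {random_phrase:.1f} bits")
```

The comparison is deliberately generous to the substituted password: it assumes the attacker must still guess the base phrase, and even then the substitutions add at most one bit per substitutable letter, while four words chosen at random from a large list give more than fifty bits regardless of which words come up.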
I also recommend a password storage program. As the owner, set up the program for the staff to use, but keep the account recovery information (the security questions and recovery email) to yourself, so that you can regain control if someone changes the program's master password without your permission. There are several products on the market that do a good job of storage. Look for one that works on multiple computers and on your phone, so you can use it whether you are at work or at home, and turn on multi-factor authentication for the storage program itself, since it now holds every other password.
In the current technology environment, attackers are going after healthcare businesses at a higher rate because security in healthcare businesses tends to be weak. You need to educate your staff as an ongoing process, not a one-time event, to develop a culture of security in your office.