Why Strong Passwords Are Important

Passwords are an early line of defense in protecting your patient data. And yet, many practice employees don’t create strong passwords.

 The most common reason people give for using of simple passwords is ease of use, says Katie Lay, of HIPAA Risk Management, a HIPAA security consulting company, and co-author of TMA’s publication, HIPAA Security: Compliance and Case Studies . “As we see more and more stories of businesses having user accounts breached, the importance of enforcing a strong password policy becomes evident,” she said.

 Strong passwords will generally require: 

  • A minimum of eight characters, 
  • A capitalized letter, and 
  • A number or symbol (1, 2, 4, or $#@!).  

“One method we suggest is for the user to use a familiar phrase,” says Ms. Lay. For example: “myWifelikescoffee2”. Simple sentences can be easier for the user to remember, and with the addition of the number and the capital letter, formulate a strong password.

An addressable standard under Security and Awareness Training, 45 CFR §164.308(a)(5), is Password Management, 45 CFR §164.308(a)(5)(ii)(D). This standard outlines the implementation of procedures for creating, changing, and safeguarding passwords.

You can find a breakdown of this standard in the Department of Health and Human Services HIPAA Security Series: Security Standards: Administrative Safeguards (PDF).

“As always, your systems are only as secure as your users make them,” says Ms. Lay. Requiring strong passwords is one simple way to protect yourself from an avoidable breach.

For more helpful information on security standard implementations and elements of a comprehensive HIPAA compliance program, HIPAA Security: Compliance and Case Studies is available in the TMA Education Center.

In addition, Ms. Lay will teach a live seminar for TMA. HIPAA Security: The Keys to Compliance will run Sept. 9 through Oct. 1 in cities around the state; you can register now. Can’t make it to a seminar? You can register for a live webcast of the seminar on Sept. 25, 9 am-noon (CT).

Find more HIPAA news and tips in the TMA HIPAA Resource Center

Published Aug. 26, 2014

TMA Practice E-tips main page


Comment on this (Must be logged in to comment)

Add Comment

Text Only 2000 character limit

Looking for more?