Passwords are an early line of defense in protecting your
patient data. And yet, many practice employees don’t create strong passwords.
The most common reason people give for using simple
passwords is ease of use, says Katie Lay, of HIPAA Risk Management, a HIPAA
security consulting company, and co-author of TMA’s publication, HIPAA Security:
Compliance and Case Studies. “As we see more and more stories of businesses having user
accounts breached, the importance of enforcing a strong password policy becomes
evident,” she said.
Strong passwords will generally require:
minimum of eight characters,
capitalized letter, and
number or symbol (1, 2, 4, or $#@!).
“One method we suggest is for the user to use a familiar
phrase,” says Ms. Lay. For example: “myWifelikescoffee2”. Simple sentences can
be easier for the user to remember and, with the addition of the number and the
capital letter, form a strong password.
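The three requirements listed above can be enforced in software at the point where a user sets a password. The following check is an added example, not part of the original tip or any TMA material; the function names and the sample passwords other than the article's own phrase are constructed for illustration.

```python
"""Check candidate passwords against the three requirements listed above."""
import string

MIN_LENGTH = 8  # "minimum of eight characters"


def unmet_requirements(password: str) -> list:
    """Return the requirements a password fails; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"fewer than {MIN_LENGTH} characters")
    if not any(ch.isupper() for ch in password):
        failures.append("no capitalized letter")
    # The article asks for a number OR a symbol, so either one satisfies the rule.
    has_digit = any(ch.isdigit() for ch in password)
    has_symbol = any(ch in string.punctuation for ch in password)
    if not (has_digit or has_symbol):
        failures.append("no number or symbol")
    return failures


def audit(candidates) -> dict:
    """Map each candidate password to the list of requirements it fails."""
    return {pw: unmet_requirements(pw) for pw in candidates}


# Constructed sample inputs; the first is the phrase quoted in the article.
SAMPLES = [
    "myWifelikescoffee2",
    "mywifelikescoffee",
    "MyWifeLikesCoffee",
    "Short1",
    "coffee",
]

if __name__ == "__main__":
    for pw, failures in audit(SAMPLES).items():
        status = "OK" if not failures else "REJECT: " + "; ".join(failures)
        print(f"{pw:20} {status}")
```

Reporting which requirement failed, rather than a bare accept or reject, lets the password-change screen tell the user exactly what to fix.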
An addressable standard under Security and Awareness
Training, 45 CFR §164.308(a)(5), is Password Management, 45 CFR
§164.308(a)(5)(ii)(D). This standard outlines the implementation of procedures
for creating, changing, and safeguarding passwords.
You can find a breakdown of this standard in the Department
of Health and Human Services HIPAA Security Series: Security
Standards: Administrative Safeguards (PDF).
“As always, your systems are only as secure as your users
make them,” says Ms. Lay. Requiring strong passwords is one simple way to
protect yourself from an avoidable breach.
For more helpful information on security standard
implementations and elements of a comprehensive HIPAA compliance program, HIPAA Security:
Compliance and Case Studies is
available in the TMA Education Center.
In addition, Ms. Lay will teach a live seminar for TMA. HIPAA Security: The Keys to Compliance will
run Sept. 9 through Oct. 1 in cities around the state; you can register now. Can’t make it to a seminar? You
can register for a live webcast of the seminar on
Sept. 25, 9 am-noon (CT).
Find more HIPAA news and tips in the TMA HIPAA
Published Aug. 26, 2014