HIPAA TIP: Passwords

Weak passwords are the weakest link in the chain – and easily guessed by attackers. Think about it: my name, my address, my kids’ or pets’ names, part or all of my date of birth. How much personal information am I giving away in just my password, and worse, how often am I reusing the same password?

The longer the password, the better! Passphrases are much better to use and much harder to crack. For example, !ratherbee@thebea6H still mixes upper case, lower case, special characters and numbers – where the system allows them.

For all operating systems and applications containing electronic Protected Health Information (ePHI) or sensitive data, your organization needs to have password policies that define: the required length of the password, how frequently the password must be changed, the restriction on reusing the last several passwords, and how many failed login attempts are allowed before a user is locked out of the system. These policies help secure the sensitive data and ePHI stored within those systems and applications.
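The four policy controls listed above can be enforced in code. The following is an added example written for this tip, not code from Anatomy IT or from any particular product; the policy values (14-character minimum, 90-day rotation, 5 remembered passwords, 5 failed attempts, 15-minute lockout) and the account data are constructed assumptions for the demonstration, and the PBKDF2 iteration count is kept low so the demo runs quickly.

```python
# Added illustration of enforcing a password policy (not Anatomy IT's code).
# All numeric policy values are constructed assumptions; use the values your
# organization's written policy actually requires.
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PBKDF2_ITERATIONS = 50_000  # deliberately low for the demo; tune upward in production


@dataclass
class PasswordPolicy:
    min_length: int = 14          # required password length
    max_age_days: int = 90        # how frequently the password must be changed
    history_depth: int = 5        # how many previous passwords may not be reused
    lockout_threshold: int = 5    # failed login attempts before lockout
    lockout_seconds: int = 900    # how long the account stays locked


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    changed_at: float                                   # epoch seconds of last change
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest)
    failed_attempts: int = 0
    locked_until: float = 0.0


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256: only salt and digest are stored, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    # Constant-time comparison so a wrong guess cannot be timed against the digest.
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def check_new_password(policy: PasswordPolicy, account: Account, candidate: str) -> List[str]:
    """Return violation codes for a proposed password; an empty list means acceptable."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append("too_short")
    # The current password plus the retained history are "the last several passwords".
    previous = [(account.salt, account.digest)] + account.history
    if any(matches(candidate, s, d) for s, d in previous):
        problems.append("reused")
    return problems


def create_account(policy: PasswordPolicy, username: str, password: str, now: float) -> Account:
    if len(password) < policy.min_length:
        raise ValueError("too_short")
    salt, digest = hash_password(password)
    return Account(username, salt, digest, changed_at=now)


def set_password(policy: PasswordPolicy, account: Account, candidate: str, now: float) -> None:
    problems = check_new_password(policy, account, candidate)
    if problems:
        raise ValueError(", ".join(problems))
    account.history.insert(0, (account.salt, account.digest))
    del account.history[policy.history_depth:]   # remember only the last N previous ones
    account.salt, account.digest = hash_password(candidate)
    account.changed_at = now
    account.failed_attempts = 0


def password_expired(policy: PasswordPolicy, account: Account, now: float) -> bool:
    return now - account.changed_at > policy.max_age_days * 86400


def attempt_login(policy: PasswordPolicy, account: Account, password: str, now: float) -> str:
    """Return 'ok', 'expired', 'denied' or 'locked', tracking failures and lockout."""
    if now < account.locked_until:
        return "locked"            # do not even evaluate the password while locked
    if matches(password, account.salt, account.digest):
        account.failed_attempts = 0
        return "expired" if password_expired(policy, account, now) else "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= policy.lockout_threshold:
        account.locked_until = now + policy.lockout_seconds
        account.failed_attempts = 0
        return "locked"
    return "denied"


if __name__ == "__main__":
    policy = PasswordPolicy()
    acct = create_account(policy, "demo-user", "!ratherbee@thebea6H", now=1_700_000_000.0)
    print(check_new_password(policy, acct, "short1!"))            # ['too_short']
    print(attempt_login(policy, acct, "!ratherbee@thebea6H", 1_700_000_001.0))  # ok
```

Note that the reuse check works on stored salted hashes, so the history never holds cleartext passwords, and a locked account rejects even the correct password until the lockout window passes, which is what keeps the failed-attempt counter meaningful.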

The HIPAA Rule addresses password requirements as part of its regulations, through implementation specifications for the level of security organizations need in order to protect ePHI from potential threats. That protection may come through passwords (and the policies and procedures around them) or through something identifiable only to the individual, such as a key or smart card, a fingerprint or a facial image.

HIPAA compliance isn’t a one-time checklist. It’s ongoing, programmatic in nature, and requires demonstrated reasonable diligence to stay in good standing with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Anatomy IT can provide you peace of mind with our expert HIPAA compliance services. To learn more, contact us here.
