Do you know where your passwords are?
The HIPAA Security Rule, 164.308(a)(5)(i), states that a covered entity or business associate must, in accordance with 164.306:
Implement a security awareness and training program for all members of its workforce (including management). Furthermore, this program must include an appropriate implementation of the (ii)(D) Password Management specification: procedures for creating, changing, and safeguarding passwords.
What is Password Management?
Password management involves creating or generating complex passwords that are not easily cracked, regularly changing passwords, and intentionally safeguarding passwords from being stolen. Good password management includes never using the same password across multiple websites, enabling multiple factors of login validation (authentication), and never posting or sharing your passwords.
Why are complex passwords important?
Besides fulfilling a HIPAA Security Rule standard, creating complex passwords is good cyber hygiene. Complex passwords reduce the risk of an account compromise that could lead to a data breach. The more complex the password, the more difficult it is for an attacker to crack. However, a complex password alone is not enough. According to FBI statistics, strong authentication could have prevented 62% of data breaches in 2015.
What is ‘strong authentication’?
Strong authentication implements multiple factors of login validation, such as a complex password and a unique one-time code or fingerprint. Many websites and services offer strong authentication options. Adding this extra login step significantly reduces the risk of having your credentials compromised.
What IS a complex password?
– Generally considered to be longer than 15 characters
– Random combination of letters, numbers, special characters
– Nonsensical phrases randomly combined with other characters
What is NOT a complex password?
– Names of important people, places, pets, etc.
– Important dates
– Anything you might write about on social media
What other password management procedures should you implement?
– Create or generate unique complex passwords for each website
– Use a password manager to generate and store complex passwords
– Enable multiple factors of authentication whenever available
– DON’T post or share your passwords
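As an added example, not part of the original article, the following Python script applies the "complex" and "not complex" criteria listed above to check a password, and generates one with the `secrets` module the way a password manager would. The personal-terms list and the date pattern are constructed placeholders standing in for the names, places, pets, dates and social-media details the article warns against.

```python
import re
import secrets
import string
from typing import List

# "Generally considered to be longer than 15 characters"
MIN_LENGTH = 16
# Letters, numbers and special characters, as the article lists them
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed placeholder list: names of people, places, pets, teams, etc.
# A real deployment would load such terms from the user's own context.
PERSONAL_TERMS = {"fluffy", "springfield", "jennifer", "wildcats"}
# Matches a four-digit year or a numeric date such as 4/12/2015 or 04-12-15
DATE_PATTERN = re.compile(r"(?:19|20)\d{2}|\d{1,2}[/-]\d{1,2}[/-]\d{2,4}")


def complexity_problems(password: str) -> List[str]:
    """Return the reasons a password fails the article's criteria.
    An empty list means the password is considered complex."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)
    if not (has_letter and has_digit and has_special):
        problems.append("lacks letters, numbers or special characters")
    lowered = password.lower()
    if any(term in lowered for term in PERSONAL_TERMS):
        problems.append("contains a name, place or pet from the personal-terms list")
    if DATE_PATTERN.search(password):
        problems.append("contains something that looks like a date")
    return problems


def is_complex(password: str) -> bool:
    return not complexity_problems(password)


def generate_password(length: int = 20) -> str:
    """Draw characters with the OS CSPRNG (secrets, not random) and retry
    until the result satisfies every criterion above."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if is_complex(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ["Fluffy2015!!", "correcthorsebatterystaple", generate_password()]:
        print(pw, "->", complexity_problems(pw) or "complex")
```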