Protect Patient Data Password Creation & Management Tactics


Passwords are a part of everyday life for most of us. This is especially true for your medical practice, where you are expected to not only keep your information safe but the personal information of your patients safe as well. In fact, the HIPAA password requirements are the crux of a significant number of violations each year.

One option to help you better manage your passwords is to incorporate a password manager. Even though there are HIPAA password requirements, the rule does not mandate that you use a password management program. However, the HIPAA Security Rule (45 CFR § 164.312) clarifies that you must restrict access to patient information to only those employees who need it to do their jobs.

Note: The National Institute of Standards and Technology (NIST) publishes guidance on security compliance related to HIPAA password requirements. NIST’s most recent recommendations for implementing the HIPAA Security Rule are from 2008. The agency is in the process of updating these guidelines, with a draft proposal posted online. The comment deadline for the changes has passed, but the new guidelines have not yet been published.

When deciding how to manage your practice’s passwords compliantly, there are several essential elements to consider to ensure you are meeting HIPAA password requirements:

Using a Password Manager

One of the primary problems with passwords is keeping track of them, not only when they are first set but each time one of them changes. This is where a password manager can be a serious benefit.

Password managers do exactly what you think; they help you manage your numerous passwords, among other related functions. These programs can store all of your passwords in one secure place. So instead of having to keep track of what seems like hundreds of passwords, you only need to remember one.


One key function of a password manager is that it can help you control who is accessing what data. It allows you to grant employees access to password-protected information without actually exposing the passwords to them. This feature not only limits employees’ access to the patient information they need, it also requires that the data only be accessed from inside your office.

IMPORTANT: Giving your employees access to all of your passwords can result in a severe HIPAA access violation. Only give access to your password manager to one or two key employees to ensure you grant access to patient information only when needed.

There are numerous password management options available that meet HIPAA password requirements. To determine the best one for you, consider making a chart of the essential features you are looking for. This will make it easier for you to compare and contrast each option. Here are several popular password managers you may find helpful. This is not an exhaustive list, but it will get you started.

Note: Healthcare Training Leader does not endorse any of the password managers listed above. It is essential that you do your own due diligence before deciding which one is best for your practice.

Creating Secure Passwords

Whether you implement a password manager for your practice or not, your passwords still must be secure and unique. Don’t make the mistake of using the same password over and over again, no matter how hard to “crack” you think it is.

The passwords you choose have a critical job. They are the one thing standing between you and the hackers trying to get in. Hacking into medical information is big business. It isn’t just one guy sitting in a garage anymore. Now hackers are using sophisticated software automation and databases of leaked passwords. They use these tools to try enormous numbers of guesses against your accounts (this is called a brute-force attack). Having just one password for everything makes it easier for hackers to access your data – leaving you exposed to violations related to HIPAA password requirements.

Be sure not to trade security for convenience (i.e., one password, easy-to-remember passwords, etc.). This is another good reason to utilize a password manager. Many managers include a password generator to help keep your passwords unique and ensure that they are difficult to hack.

Here are several additional items to consider that can help you protect against hackers breaking into your accounts or holding your data hostage, and help you comply with HIPAA password requirements:

  1. Length vs. Complexity: Research has shown that a password’s length does more to make it hard to crack than its complexity does. If you are setting your own passwords, be sure they are a minimum of 8 characters (but 12-16 is better).
  2. Change is Not Necessarily Good: If you change your passwords every month, you may be increasing your risk, not decreasing it. If you set a highly secure password right out of the gate, changing it shouldn’t be necessary (unless you have a breach, of course).
  3. Honesty Not the Best Policy: Security questions are regularly used as an extra layer of protection when setting up a password. These range from “Where did you go to high school?” to “What is your favorite color?” Remember that hackers are clever. If you tell the truth when answering these questions, hackers may be able to find the correct answers simply by looking at your Facebook or other similar accounts. So, the best way to answer these security questions may be to lie. But be careful. You may need to know these answers in the future, so be sure to securely document them.
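The length-versus-complexity point and the warnings above about reused and leaked passwords can be turned into a simple practice-side policy check. The Python below is an added example written for this page, not code from Healthcare Training Leader; the breached-password set is a constructed stand-in and the 12-character floor is an assumption taken from the "12-16 is better" advice.

```python
import math

# Constructed stand-in for the leaked-password databases attackers feed into
# automated guessing tools; a real check would consult a far larger list
# (assumption: a small local set is enough to show the idea).
BREACHED_PASSWORDS = {"password", "Password1!", "Welcome123", "qwerty", "letmein"}


def estimated_bits(password: str) -> float:
    """Rough brute-force search space in bits, from length and the character
    classes actually used (lower, upper, digits, ~33 printable symbols)."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_password(password: str, previously_used=(), min_length: int = 12) -> list:
    """Return the policy problems found; an empty list means the password passes.
    min_length defaults to 12 (assumed floor; the article's hard minimum is 8)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password in BREACHED_PASSWORDS:
        problems.append("appears in a known-breached password list")
    # A real system would compare against stored hashes of old passwords,
    # never plaintext; plaintext is used here only to keep the example short.
    if password in previously_used:
        problems.append("reused from a previous password")
    return problems


def longer_beats_complex(short_complex: str, long_simple: str) -> bool:
    """True when the longer, simpler password has the larger search space."""
    return estimated_bits(long_simple) > estimated_bits(short_complex)


if __name__ == "__main__":
    # "Tr0ub4d!" uses all four character classes but is only 8 characters;
    # the 21-letter lowercase phrase still has far more bits of search space.
    print(round(estimated_bits("Tr0ub4d!"), 1), round(estimated_bits("purelylowercasephrase"), 1))
    print(check_password("Welcome123"))
    print(check_password("a long memorable practice phrase!", previously_used={"old one"}))
```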

For more detailed HIPAA advice to help you ensure your practice is compliant and protected, check out Healthcare Training Leader’s related online trainings, blog articles, and free online resources.
