Website Passwords Can Give Easy Access to ePHI

NetgainCybersecurity & Compliance, Healthcare IT

 

We all login to many websites. Online banking, social media, and shopping and news sites are just a few examples. Chances are we even created accounts on now long-forgotten websites. And, like many other people we used the same, or only a few different usernames and passwords. And worse yet, we may have used the same login credentials as we use at our place of work. That is a problem—others can gather our credentials from less protected sites to gain access to our sensitive healthcare data. It happens all the time. Exploiting human behavior to defeat security safeguards remains the leading cause of breach.

To protect ourselves from this vulnerability with healthcare data, an individual must follow their organization’s policy. And, it’s the organization’s duty to set and enforce the policy.  Below are three necessities that need to be included in a password policy and immediately enforced to minimally protect your vital data.

  1. Use a different password for each online resource. Never include the site’s name in your password and never use your work credentials on any website or other computer system. We often have other work resources to log into, whether it be a hospital system, lab software, or a billing and coding provider. Again, these should all use different credentials.
  2. Create “strong” passwords by using at least 8 characters that are a combination of uppercase and lowercase letters, numbers, and symbols. Do not use personal information like birthdays, family member names, or a favorite musician. Avoid any word found in the dictionary.
  3. Memorize passwords. Never store passwords in a text document or write them down.

When implementing these changes staff members will grumble and senior leadership will ask for exceptions, but remain firm. Remind them that it’s our duty as custodians of our patients’ health data to protect it to at least the minimums as set by HIPAA. Remind them that the three necessities above are considered common practice, and by not using them we can be cast as careless. If they are still reluctant, consider using a password manager.

A password manager is often shareware and is basically a secured central repository for all of our passwords that is accessed by a single password. Thus we only need to remember a single, strong password. Some inexpensive versions can auto-fill login information so we won’t have to reenter passwords each time we visit a website.

Adhering to HIPAA password guidelines is an ever-changing responsibility. There are many different flavors and features to the password manager products out there, with both free and paid versions available. The main benefit of a password managers is having a secure, encrypted, and central storage place for all of your passwords. The passwords are stored and protected by one main password, so this is the only one you truly need to remember. Many of the password manager programs will plug-in to your web browser and autofill your password for you, or automatically add new passwords to the database as you register on new websites.

The automatic management of your passwords means you never really need to know your password, making it easy to have strong and secure passwords such as Gkjh%894H*fe6900. Some have features to automatically generate strong passwords, or tell you if you are using the same one on too many sites. Password managers are either standalone vaults on your local computer or cloud-based. The cloud-based products offer a password sync feature, which is a nice feature that appeals to many users. When using password sync, you can register on a new website using a specific device like your computer and the registration information will be synced to and automatically updated on all of your other devices.

For more information, check out LastPass, 1Password, and Password Safe. They are the ones we recommend based upon different client need. Tip: LastPass is perhaps the most popular because it’s feature-rich and cloud-based. If you need help defining your needs and matching them to a solution, reach out to your Netgain Account Manager, or Charles Killmer, Netgain’s Security Officer.

Password managers are a very cheap way to increase your security while relieving our employees from the pains of following our policy.

As an endnote, let us know if you need assistance with establishing a security policy or achieving HIPAA ePHI compliance. We are happy to review your policy and make a no-charge summary gap analysis for you.