Password management is an important part of any security strategy.
For HIPAA compliance, password management is an important part of HIPAA policy. It's PART of the policy.
If you're a HIPAA covered entity, you need to have stringent password control. It's not optional as you must keep protected health information secure.
For all other businesses, I HIGHLY recommend it. These policies and suggestions for passwords are relevant to any business – from a one-person company run from a home office to the largest corporations in the world.
Policy: It is our policy to require the following password and credential management:
- All passwords must be changed at least once every 90 days.
- All production system-level passwords must be part of the Security Officer's administered global password management database.
- User accounts that have system-level privileges granted through group memberships or programs must have a unique password from all other accounts held by that user.
Users must select strong passwords. Strong passwords have the following characteristics:
- Be at least 8 characters in length
- Be a mixture of letters and numbers
- Be changed at least every 90 days
- Be different from the previous 6 passwords
- Not contain the user's user ID
- Passwords must not be inserted into email messages or other forms of electronic communication
Note that poor, weak passwords have the following characteristics:
- The password contains less than 6 characters
- The password is a word found in a dictionary (English or foreign)
- The password is a common usage word such as:
  - Names of family members, pets, friends, co-workers, fantasy characters, and so on
  - Computer terms and names, commands, sites, companies, hardware, and software
  - Birthdays and other personal information such as addresses and phone numbers
  - Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, and so on
- Any of the above spelled backwards
- Any of the above preceded or followed by a digit (for example, secret1 or 1secret)
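As an added illustration (not part of the original policy text), the following Python checker applies the strong-password characteristics and the weak-password list above to a candidate password. The word list, the sample user ID, the password history and the personal names it is fed are constructed for the example.

```python
import re

# Constructed stand-in for a real dictionary word list (English or foreign).
DICTIONARY = {"secret", "password", "welcome", "summer", "dragon", "hospital"}
# Keyboard rows plus alphabetic and numeric runs, used to spot patterns
# such as qwerty, zyxwvuts or 123321.
RUNS = ("qwertyuiop", "asdfghjkl", "zxcvbnm",
        "abcdefghijklmnopqrstuvwxyz", "0123456789")


def is_pattern(s):
    """True for aaabbb-style repeats and for keyboard, alphabetic or numeric
    runs, forwards, backwards, or mirrored (123321)."""
    if re.fullmatch(r"(?:(.)\1+)+", s):
        return True
    half = s[: len(s) // 2]
    mirrored = len(s) % 2 == 0 and s == half + half[::-1]
    pieces = [s] + ([half] if mirrored else [])
    return any(len(p) >= 3 and (p in run or p[::-1] in run)
               for p in pieces for run in RUNS)


def weak_word_reasons(pw, personal):
    """Apply the 'poor, weak password' list: dictionary and personal words,
    also spelled backwards or with a single digit added in front or behind."""
    core = re.sub(r"^\d|\d$", "", pw.lower())
    bad = DICTIONARY | {w.lower() for w in personal}
    reasons = []
    if core in bad or core[::-1] in bad:
        reasons.append("dictionary or personal word (reversed or digit-padded counts too)")
    if is_pattern(pw.lower()):
        reasons.append("keyboard, repeat or sequence pattern")
    return reasons


def check_password(pw, user_id, history=(), personal=()):
    """Return the list of policy violations; an empty list means the password
    meets every characteristic of a strong password listed above."""
    reasons = weak_word_reasons(pw, personal)
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw)):
        reasons.append("not a mixture of letters and numbers")
    if pw in list(history)[-6:]:
        reasons.append("matches one of the previous 6 passwords")
    if user_id.lower() in pw.lower():
        reasons.append("contains the user ID")
    return reasons
```

The `personal` argument carries the names, birthdays and other personal details the policy lists, which a real deployment would pull from the user's directory record.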
Further, systems that authenticate users must require passwords and must block access to an account after more than three unsuccessful login attempts.
Members of the workforce must follow these guidelines for passwords:
- Don't reveal a password over the phone to ANYONE
- Don't reveal a password in an email message
- Don't talk about passwords in front of others
- Don't hint about a password in front of others
- Don't hint at the format of a password, such as “my family name”
- Don't reveal a password on questionnaires or security forms
- Don't share a password with family members
- Don't reveal a password to co-workers
- Don't “hide” a password within view at your work area, on a badge, or under a mouse pad or keyboard
If someone demands a password, refer them to your HIPAA compliance procedures or have them call your information security officer/department. Additionally, the workforce must not write passwords down or store them anywhere in their office or on a badge. Further, passwords must not be stored on any computer system (including smartphones, tablets, or similar devices) without encryption.
Procedure: To validate that password policies are being followed, review the Security Assessment report and also determine if passwords are set to never expire.
Training Considerations: End users should be trained to avoid common tricks that hackers and others may use to get them to give up their passwords.
Social engineering tricks are used by hackers to gain access to systems through trickery – both with technology and by taking advantage of human nature. Read about how Social Engineering Has Been Defeating Security Measures for Thousands of Years here.
Phishing scams are common in email. Here are some tips to share with users to protect themselves and your business from phishing scams.
When you do train, don't just go through the motions – explain WHY things need to be done a certain way. We explain why you should here.