All Data Fast News is © Data Fast Solutions, unless where otherwise indicated • All Rights Reserved

Data Fast News


Keep up to date with Data Fast Solutions for your business.

HIPAA Password Security and Management

HIPAA Password Security and ManagementThe HIPAA Security Rule was established to provide national standards regarding electronic personal health information (ePHI). In relation to the security rule, administrative security standards were created to address different areas of concern in relation to ePHI. One important piece is password management which states “the covered entity must implement procedures for creating, changing, and safeguarding passwords.” The following information provides some guidelines in relation to the security standards for passwords.


Creating Complex Passwords

To create a strong password, use the criteria below.

  1. Passwords should not contain the user’s I.D. or account name.
  2. Sequential numbers, such as 1, 2, 3, 4, or sequential letters such as a, b, c, d, should not be used.
  3. Passwords should not contain common words or phrases.
  4. Passwords should not be your birthdate, nor your license number or social security number.
  5. A lowercase letter, upper case letter, and a number between 0 and 9 should be used in addition to a special character such as !, @, $, %, ^, &, *, (, or, ).

A password is only strong if:

  • The password is not shared
  • No one sees you typing the password
  • You log-out
  • You use a different password for every site and application you enter
  • You change the password on a regular basis
Changing Passwords

Having a system that prompts users to update their passwords every three months or so seemed like a good idea in the past. However, current data suggests that changing passwords too frequently can make them less secure. A blog written for the Federal Trade Commission, by Chief Technologist, Lorrie Cranor, “Time to rethink mandatory password changes” states that when users are required to change their passwords frequently, they often select weaker passwords leaving them more open to attackers. A good rule of thumb is to review passwords and storage of passwords on a yearly basis and create new ones based on complex password creation criteria at that time.

HIPAA Password Security and ManagementPassword Storage

With increasingly complicated passwords and different passwords for every site, storing passwords is almost always necessary to be able to remember them. However, the storage must be secure. Writing passwords on a piece of paper when it’s accessible to others is like storing passwords in your computer, or smartphone, without using encryption and both leave your passwords vulnerable to misuse.

Cloud based secure and encrypted password storage methods allow you to access passwords from multiple devices. However, the information is stored online and can be less secure. More secure methods are:
  • Using a password management software stored on your own computer
  • Using encryption software to create an encrypted folder on your computer to store passwords

After reviewing and updating less secure storage methods, it’s important to securely delete any current passwords stored elsewhere. This can be done using a shredding software to safely erase existing files.

Passwords are meant to safeguard data and the user from unscrupulous attacks. Following the guidelines above can help your healthcare organization implement, or update, password procedures to ensure your ePHI is secure. Data Fast Solutions is always available to help your company with any of your HIPAA compliant technology needs. As certified HIPAA technology experts, we specialize in all aspects of keeping your ePHI safe.

This article is ©2017 Data Fast Solutions • All Rights Reserved

Comments are closed.