Don't Let Weak Passwords Lead to a HIPAA Breach

As information security threats against the healthcare industry continue to proliferate, it's more important than ever to train all employees to practice good security hygiene. Adopting a culture of good password habits is one of the simplest steps your organization can take to prevent a data breach. Unfortunately, it is common for employees to use the same simple password for multiple websites. Short, simple passwords are easy to guess, and a password reused across sites is only as safe as the weakest site that stores it. A hacker who obtains employee credentials from one of those sites could potentially use them to gain access to your broader system. In a healthcare setting, where login credentials can be the path to a HIPAA breach, bad passwords can have huge consequences. Putting a policy in place regarding password strength and security protects your employees, patients, and practice from the consequences of a data breach. A password policy can be included in your information systems access policy, employee agreements, and/or a specific password management policy. Here are a few things you might want to include:

1. Require that employees change any password that is known or suspected to be compromised, and prevent reuse of old passwords. A fixed rotation schedule of every 60 to 90 days is still common in healthcare policies, but current NIST guidance (SP 800-63B) no longer recommends forcing changes on a calendar basis, because users tend to respond with predictable variations of the same password; the change that matters is the one triggered by evidence of compromise. If you do keep a rotation schedule, pair it with reuse prevention, which most applications and platforms support, so the old password cannot simply come back. Additionally, consider using a dark web monitoring service, which will alert you if any employee credentials show up on the dark web, so that compromised logins can be changed ASAP.

2. Ask that employees use long, unpredictable passwords. Set specific requirements for password strength. Length does more for strength than any single character class, so set a meaningful minimum and, where the platform supports it, screen new passwords against lists of passwords that have appeared in known breaches. For example, you could require that employee passwords are at least 10 characters long and include at least one uppercase letter, one lowercase letter, one number, and one symbol.

3. Require that employees use a unique password for each platform they access at work. Additionally, no password used for a work account should be reused for a personal account (Gmail, bank accounts, Amazon, etc.), since a breach of the personal site would hand an attacker a working credential for your systems.

4. Consider asking that employees use a password management tool, so that no one ends up storing passwords on sticky notes at their desk or in unsecured files, like a Microsoft Word document.
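The four policy points above are what a password-change form in a practice management or EHR system would actually enforce. As an added illustration that is not part of the original post or any Medcurity product, the Python below applies the example rule from point 2 (at least 10 characters with upper, lower, digit and symbol), screens the candidate against a small breached-password list as point 1's dark web monitoring would, and blocks reuse of previous passwords by keeping salted PBKDF2 hashes of the old ones. The breached hashes and password history are constructed sample data; the function names and the 100,000-iteration setting are this example's own choices, not anything the post prescribes.

```python
import hashlib
import hmac
import os
import string

# Constructed sample data (not from the original post): SHA-1 hashes of a few
# passwords as they might appear in a breached-credential dump. Real dumps are
# distributed the same way, as hashes rather than plaintext.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Password1!", "Welcome2024!", "Summer2023$")
}

MIN_LENGTH = 10          # the example minimum from the policy text
PBKDF2_ITERATIONS = 100_000  # example setting for the password-history hashes


def check_composition(password: str) -> list:
    """Return the list of composition rules the password fails (empty means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    return problems


def is_breached(password: str) -> bool:
    """Screen the candidate against the breached-password hash set."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest in BREACHED_SHA1


def hash_for_history(password: str, salt: bytes = b"") -> tuple:
    """Salted, slow hash suitable for storing a password in the reuse history.

    A fresh random salt is generated unless one is supplied (it is supplied
    when re-checking a candidate against an existing history entry).
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def was_used_before(password: str, history: list) -> bool:
    """True if the candidate matches any (salt, digest) pair in the history."""
    for salt, old_digest in history:
        _, candidate = hash_for_history(password, salt)
        if hmac.compare_digest(candidate, old_digest):
            return True
    return False


def validate_new_password(password: str, history: list) -> list:
    """Apply all policy checks; an empty result means the password is accepted."""
    problems = check_composition(password)
    if is_breached(password):
        problems.append("appears in a known breach list")
    if was_used_before(password, history):
        problems.append("reuses a previous password")
    return problems


if __name__ == "__main__":
    # Constructed history: one previous password for a sample account.
    history = [hash_for_history("Spring2024#Apr")]
    for candidate in ("Password1!", "Spring2024#Apr", "Tr0ub4dor&3-clinic"):
        print(candidate, "->", validate_new_password(candidate, history) or "accepted")
```

Two things worth noticing when running it. "Password1!" satisfies every composition rule in point 2 and is still rejected, which is why the breach-list screen matters more than the character-class rules. And the history is stored as salted PBKDF2 hashes rather than plaintext or plain SHA-1, so a copy of the history table does not hand an attacker the old passwords, some of which employees will have reused elsewhere despite point 3.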

It’s important that your employees understand that these protections are necessary for the organization to avoid security breaches. It might seem like an inconvenience, but it is nowhere near as painful as dealing with a data breach and the resulting HIPAA violation.

A strong policy program is the backbone of HIPAA compliance. Medcurity can help with your Security and Privacy Policies.