Healthcare organizations take a variety of measures to safeguard patient protected health information (PHI). From managed security services to the thoughtful engagement of security best practices, keeping PHI safe is as vital as delivering the best quality care.
HIPAA (the Health Insurance Portability and Accountability Act) specifies a series of administrative safeguards under the Security Rule that pertain to password creation. It requires healthcare organizations to develop procedures for creating passwords and keeping them secure.
Over 80% of hacking-related breaches are due to weak or stolen passwords, according to the recent Verizon Data Breach Investigation Report, and over 70% of employees reuse personal passwords at work.
Password best practices were a hot topic throughout 2019. Major companies have come under scrutiny for their inadequate password practices.
Even though 91% of people are aware that reusing passwords is not a good practice, 59% reuse their passwords at home and at work, making it a top priority for businesses to educate employees about password best practices.
For healthcare organizations, failure to keep passwords secure represents a violation of HIPAA which may result in costly fines. Avoid this by implementing these five best practices for password security that satisfy the Security Rule under HIPAA.
The 5 Best Practices for Password Security That Satisfy HIPAA Requirements
Passwords stay safe when they are strong and protected from exposure. That requires a combination of password management and device management practices. Security experts at RJ Young recommend that healthcare organizations:
1. Use Two-Factor Authentication
Two-factor authentication (2FA) has been around for about five years and was recognized as a password best practice in 2019. 2FA requires two security actions to prove a person’s identity. Examples include entering a code sent via text message to a work-issued phone, or presenting a specific physical object – like a key card – issued to an individual.
2FA prevents unauthorized access by people who have fraudulently acquired the login credentials of an account. While a hacker might gain a password from a successful phishing attempt, he or she will not have access to an employee’s key card or work-issued phone.
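The second factor described above is a short code delivered out of band (for example by text message to a work-issued phone) that the login server must issue, hold briefly, and check exactly once. The following is an added example of that server-side half, not code from the article or from RJ Young; the five-minute lifetime, the three-attempt limit, and the `SecondFactorCodes` class are assumptions chosen for illustration, and delivery through an SMS gateway is out of scope.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

CODE_TTL_SECONDS = 300  # assumption: a code is usable for five minutes
MAX_ATTEMPTS = 3        # assumption: a code is burned after three wrong guesses


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts: int = 0


class SecondFactorCodes:
    """Issues and verifies single-use second-factor codes (hypothetical service).

    The clock is injectable so expiry can be exercised without sleeping.
    """

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._pending: Dict[str, PendingCode] = {}

    def issue(self, user_id: str) -> str:
        # CSPRNG-backed six-digit code; a fresh issue replaces any earlier pending code
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[user_id] = PendingCode(code, self._now() + CODE_TTL_SECONDS)
        return code  # hand this to the out-of-band channel, never back to the login page

    def verify(self, user_id: str, submitted: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False  # nothing issued, or already consumed
        if self._now() > entry.expires_at:
            del self._pending[user_id]
            return False  # expired codes are discarded, not accepted late
        entry.attempts += 1
        # constant-time comparison so timing does not leak how many digits matched
        ok = hmac.compare_digest(entry.code, submitted)
        if ok or entry.attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]  # single use; also burned after too many guesses
        return ok


if __name__ == "__main__":
    svc = SecondFactorCodes()
    code = svc.issue("demo-user")
    print("first use accepted:", svc.verify("demo-user", code))
    print("replay accepted:", svc.verify("demo-user", code))
```

The three properties worth keeping in any real deployment are visible in `verify`: a code is consumed on first success, it dies on expiry, and a small guess budget keeps a six-digit space from being brute-forced while the code is live.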
2. Randomize Passwords With a Mix of Characters
Most users choose passwords based on familiar words or objects, making them easy to crack. This happens even when password rules require a mixture of letters, numbers, and special characters: random strings are hard to remember, so users choose a less random password, and it becomes statistically more likely that the password can be cracked.
To best satisfy the HIPAA Security Rule with passwords, use a random password generator — these are harder to crack.
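To make the "statistically more likely" point concrete, the following added example (not code from the article or from RJ Young) generates a password from a CSPRNG with at least one character from each class, and puts a number on why that beats a memorable pattern. The symbol set, the 16-character default length, and the `pattern_entropy_bits` model of a "Word + digits" password are assumptions chosen for illustration.

```python
import math
import secrets
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"  # assumption: a symbol set most systems accept
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)
ALPHABET = "".join(CLASSES)  # 85 characters


def generate_password(length: int = 16) -> str:
    """Random password with at least one character from each class."""
    if length < len(CLASSES):
        raise ValueError("length must allow one character from each class")
    # one guaranteed character per class, the rest drawn uniformly from the whole alphabet
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(CLASSES))]
    # Fisher-Yates shuffle driven by the CSPRNG, so the class-guaranteed
    # characters do not always land in the first four positions
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def has_all_classes(password: str) -> bool:
    return all(any(c in cls for c in password) for cls in CLASSES)


def random_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Search space of a uniformly random string: log2(alphabet_size ** length).

    Slightly overstates the class-guaranteed generator above, which is a close lower bound.
    """
    return length * math.log2(alphabet_size)


def pattern_entropy_bits(dictionary_size: int, digit_suffix_len: int,
                         capitalize_first: bool = True) -> float:
    """Search space of a memorable 'Word + digits' pattern such as 'Hospital42'.

    Assumption for illustration: the attacker knows the pattern and the word list,
    which is what dictionary-based cracking tools exploit.
    """
    combos = dictionary_size * (10 ** digit_suffix_len) * (2 if capitalize_first else 1)
    return math.log2(combos)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, has_all_classes(pw))
    print(f"random 16-char password: {random_entropy_bits(16):.1f} bits")
    print(f"Word+2 digits pattern:   {pattern_entropy_bits(100_000, 2):.1f} bits")
```

Under these assumptions a 16-character random password sits above 100 bits, while a dictionary word with a two-digit suffix is about 24 bits, roughly the difference between a search that never finishes and one that takes seconds on commodity hardware. That gap, not the presence of a symbol, is what the "random password generator" advice buys.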
3. Limit the Devices Employees Can Log in to Accounts On
Secondary devices, like employee personal devices, are often compromised by undetected malware. They introduce a security risk into a HIPAA-regulated environment. Additionally, these devices don’t receive security monitoring and management like the rest of the network does. Therefore, they may be infected with keyloggers or other advanced security threats that can be difficult to detect.
Companies should also prohibit employees from logging into work sites on personal devices – while this might not work for all businesses, implementing a BYOD Security Policy can help. This keeps PHI firmly within a company, while also helping limit password exposure, malware attacks, and other security hazards.
4. Disable Password Autofill on Browsers
Password autofill is a convenient tool for managing personal passwords, but for a healthcare organization, it can be extremely dangerous. Many medical offices rely on tablets and other mobile devices or technology while in the office, which – while convenient – are easier to steal. If autofill has been enabled on a browser on the device, all confidential company information can easily be accessed.
Disable autofill on Chrome under the Advanced tab in the Settings window. For Firefox, the option is found under Options, Privacy, and the History heading. For Safari open the preferences window, select the auto-fill tab, and turn off all the features related to usernames and passwords.
5. Conduct Periodic Password Audits & Change Regularly
Password audits involve a review of the passwords currently being used by users. They are an excellent way to spot weak or duplicated passwords so users can change them when necessary. Password audits also keep password security at the forefront of everyone’s mind, helping to promote a security culture that keeps patient information safe.
Change passwords at least every three months for non-administrative users and every 45-60 days for administrative accounts. For maximum security, be sure to change your password whenever you have shared it with a colleague.
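The rotation schedule above is easy to state and easy to lose track of across a few hundred accounts, so the following added example (not code from the article or from RJ Young) turns it into an audit over an account inventory: it applies the 90-day limit for ordinary users and the 45-day limit for administrators, and it flags any account whose owner reported sharing the password regardless of age. The inventory, the `Account` record layout, and the audit date are constructed for illustration.

```python
from datetime import date
from typing import List, NamedTuple

# Policy from the article: three months for staff, 45 days (the stricter end
# of the 45-60 day range) for administrative accounts. Days are an assumption.
MAX_AGE_DAYS = {"user": 90, "admin": 45}


class Account(NamedTuple):
    username: str
    role: str           # "user" or "admin"
    last_changed: date  # when the password was last set
    shared: bool = False  # owner reported sharing the password with a colleague


class Finding(NamedTuple):
    username: str
    reason: str
    days_overdue: int


def audit(accounts: List[Account], today: date) -> List[Finding]:
    """Return one finding per account that needs a password change now."""
    findings: List[Finding] = []
    for acct in accounts:
        limit = MAX_AGE_DAYS[acct.role]
        age = (today - acct.last_changed).days
        if acct.shared:
            # a shared password is exposed no matter how recently it was set
            findings.append(Finding(acct.username, "password was shared; change immediately", 0))
        elif age > limit:
            findings.append(Finding(acct.username,
                                    f"{acct.role} password is {age} days old (limit {limit})",
                                    age - limit))
    return findings


# Constructed sample inventory; names and dates are not real.
SAMPLE_ACCOUNTS = [
    Account("dr_smith", "user", date(2019, 11, 1)),
    Account("sysadmin", "admin", date(2020, 1, 10)),
    Account("nurse_lee", "user", date(2020, 2, 1), shared=True),
    Account("reception", "user", date(2020, 1, 15)),
]
AUDIT_DATE = date(2020, 3, 1)


def sample_findings() -> List[Finding]:
    return audit(SAMPLE_ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.username:10} {f.reason} (overdue {f.days_overdue} days)")
```

Run on the constructed inventory, the audit reports `dr_smith` (121 days, 31 over the staff limit), `sysadmin` (51 days, 6 over the administrator limit) and `nurse_lee` (shared), and leaves `reception` alone at 46 days. Keeping the thresholds in one table makes the policy reviewable, which matters when, as the closing section notes, the right rotation interval is itself under debate.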
Managed Security Services Can Help Organizations Use Better Passwords
Password security has been one of the prevailing IT security trends over the past year. As longstanding practices like frequent password changes have fallen out of favor, professionals are discussing other ways to keep passwords safe in an environment with an ever-increasing number of security threats. In 2020, password security involves a combination of secure passwords and best practices to protect those passwords from unwanted exposure.
Managed security services can prove valuable for healthcare organizations striving for improved IT network security and password systems. These professional services deliver increased security across a network and help companies satisfy HIPAA’s stringent requirements. With a managed security service provider (MSSP), healthcare organizations can retain their operational efficiency while enjoying better intrusion detection and security protection.
RJ Young is an experienced security provider for companies in the healthcare industry. Start a conversation with RJ Young to discover how they can help secure your network.