Passwords: Weak or Strong?

One of the most common security violations we see in surgery centers and other medical facilities involves inappropriate user names and passwords. We frequently see user names and passwords that are shared among employees or are easy to guess, which makes it relatively trivial for a determined hacker — or even an insider — to gain unauthorized access to the system. It is also not unusual to see logon information written down on sticky notes and attached to monitors or keyboards.


Like most situations involving users and security, there is always a tradeoff between ease of use and security. To comply with the HIPAA Security Rule and with industry best practices, user names and passwords should be frequently changed, be hard for anyone to guess and not be shared with any other employee. But sometimes, in the course of normal operations, users defeat security operations. We have had users complain that usernames and passwords are hard to remember, and we have even been requested to remove them completely because it’s too much trouble.

Is it too much trouble to unlock the front door each morning, or the drug cabinet within the facility? After all, you have to access those repeatedly as well.

Good user names and passwords — characterized as being “strong” — should be a combination of at least 8 letters and numbers, plus at least one symbol (like $, # or !). The following should never be used:

  • Any word that can be found in any dictionary
  • Name of your pet, child or spouse
  • Any common medical term like “nurse station” or “front desk”
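
The rules above can be enforced when a password is set instead of being left to memory. The following Python check is an added example, not part of the original article; the function names and the short deny lists are constructed for illustration, and it reads "at least 8 letters and numbers" as a count of letters and digits.

```python
import re

MIN_ALNUM = 8  # "at least 8 letters and numbers" from the article

# Constructed sample deny lists (assumptions). A real deployment would load a
# full dictionary file plus the facility's own staff, family and pet names.
DICTIONARY_WORDS = {"password", "welcome", "surgery", "summer"}
PERSONAL_NAMES = {"buddy", "emma", "robert"}
MEDICAL_TERMS = {"nurse station", "front desk"}


def squash(text):
    """Lowercase and keep letters only, so 'Nurse-Station1!' becomes 'nursestation'."""
    return re.sub(r"[^a-z]", "", text.lower())


def check_password(password):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(re.findall(r"[A-Za-z0-9]", password)) < MIN_ALNUM:
        problems.append("fewer than 8 letters and numbers")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9\s]", password):
        problems.append("no symbol")

    # Substring match on the letters-only form, so added digits, symbols,
    # spacing or capitalisation do not hide a banned term.
    letters = squash(password)
    for label, terms in (("dictionary word", DICTIONARY_WORDS),
                         ("personal name", PERSONAL_NAMES),
                         ("medical term", MEDICAL_TERMS)):
        for term in sorted(terms):
            if squash(term) in letters:
                problems.append(f"contains {label}: {term}")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords.
    for candidate in ("Nurse-Station1!", "Buddy1!", "abcdefgh", "t7#Kq9vLx2Rm"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Because the deny-list match is a substring test, short names can also flag unrelated words that happen to contain them; that errs on the side of rejecting.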

It is always a good idea to review user name and password policies with your HIPAA security officer. Don’t have a HIPAA security officer? Better read Sections 160, 162 and 164, Federal Register CFR 45, Department of Health and Human Services.

Marion Jenkins, PhD, is founder and CEO of QSE Technologies, which provides IT consulting services for ASCs and other medical facilities nationwide. Learn more about QSE Technologies at www.qsetech.com.
