Our hospital has standards for choosing strong passwords, but is that enough?
HIPAA Weekly Advisor, August 26, 2002
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Q: Our hospital has standards for choosing strong passwords, but is that enough? How can we be sure they're being followed?
A: That's a good question. Although setting standards is an important step, usually it is not enough. Also, take the following steps:
1. Make sure every staff member with computer access knows what the standards are. Setting the expectations and explaining them should be part of the organization's standard training program, reinforced through the "periodic reminders" described in HIPAA's proposed security rule.
2. Enforce the rules at the operating system, database, and application levels-wherever users log on. Most systems include a parameter specifying the password's minimum length. Be sure it's set properly and audit for any change to that parameter. Some systems allow the administrator to require that a password contain at least one letter and one number. Use whatever password-related technical controls are available and fit your standards.
3. Run password-cracking software. It's readily available for some systems such as Unix and NT, and it's not just for the hackers. Authorized staff typically system or security administrators-should run this software periodically and cautiously to identify weak passwords. Contact staff who have chosen easily-cracked passwords and require them to change their passwords. Educate these employees on creating more secure passwords.
Editor's note: Excerpted from the upcoming August 2002 issue of Briefings on HIPAA and answered by Kate Borten, CISSP, president of The Marblehead Group, Inc., a national security and privacy consulting firm focused on the health care industry. If you have a question for her, write to "HIPAA Weekly Advisor" editor Brian Driscoll at bdriscoll@hcpro.com.
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Related Products
Most Popular
- Articles
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- Catch up on what's new with injections and infusions
- Identify potential Medicaid RAC target areas
- HIPAA Q&A: Level of encryption needed for email
- Topic: CMS, OESS post new security compliance review information, checklist
- Capturing all necessary codes for IUD insertion and removal can be challenging
- What does case-mix index mean to you?
- OB services: Coding inside and outside of the package
- QA:Coding multiple initial infusions
- E-mailed
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- HIPAA Q&A: Level of encryption needed for email
- Q&A: Follow CMS' coding guidelines when using modifier -25
- What does case-mix index mean to you?
- Catch up on what's new with injections and infusions
- CMS has reformulated payments for some bilateral procedures
- New conflicts of interest create new challenges
- Q/A. One injection code or two?
- ED-to-inpatient transfers are flawed with safety gaps
- Searched