Password resets
HIPAA Weekly Advisor, June 9, 2002
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Q: How can we reduce the number of calls to our help desk requesting password resets, and how can we feel safer about the caller when we do reset a password?
A: This seems to be a big problem just about everywhere. It is a classic setup for "social engineering" in which a person trying to break into the system takes advantage of personnel vulnerabilities instead of technical ones. Someone calls the help desk and insists on having a password reset, but may not be the person he or she claims to be. Unfortunately, there's no perfect solution. But there are ways to improve the situation.
Organizations that emphasize strong password management-see the June 3 HIPAA Weekly Advisor for tips on making up and remembering good passwords-through frequent user training are likely to have fewer calls.
Also, if the organization has strong password standards, promotes user education, and runs password crackers, allowing users to voluntarily synchronize their many passwords can be very effective at reducing calls.
It's a bit risky because, if that one password is compromised, all access associated with that person is jeopardized. However, security is often about trade-offs. This approach is also much less costly than implementing a single sign-on solution.
Of course, this approach assumes that users can change their own passwords at will, and not all systems allow users to do that or even to set their own passwords when they expire.
Work with your vendors or seek alternatives for systems that don't permit users to set and change their own passwords. These fundamental security features should be available.
Using an automated voice response system for password resets can also be effective. This takes a burden off of the help desk, but it also requires enrolling users and having them provide "secrets, " such as the name of a user's first grade teacher, that can later be used to authenticate the caller.
Obviously, if users leak the secrets there isn't much security. Also, keep in mind that personal information such as birth date or car model isn't really secret. Make sure you closely examine the design and implementation of such a system.
Editor's note: Excerpted from the August 2002 issue of Briefings on HIPAA and answered by Kate Borten, CISSP, president of The Marblehead Group, Inc., a national security and privacy consulting firm focused on the health care industry. If you have a question for her, e-mail "HIPAA Weekly Advisor" editor Brian Driscoll at bdriscoll@hcpro.com.
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Related Products
Most Popular
- Articles
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- Catch up on what's new with injections and infusions
- Identify potential Medicaid RAC target areas
- HIPAA Q&A: Level of encryption needed for email
- Topic: CMS, OESS post new security compliance review information, checklist
- Capturing all necessary codes for IUD insertion and removal can be challenging
- What does case-mix index mean to you?
- OB services: Coding inside and outside of the package
- QA:Coding multiple initial infusions
- E-mailed
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- HIPAA Q&A: Level of encryption needed for email
- Q&A: Follow CMS' coding guidelines when using modifier -25
- What does case-mix index mean to you?
- Catch up on what's new with injections and infusions
- CMS has reformulated payments for some bilateral procedures
- New conflicts of interest create new challenges
- Q/A. One injection code or two?
- ED-to-inpatient transfers are flawed with safety gaps
- Searched