Health Information Management

TIP: Ensure good, strong authentication for every device

HIPAA Weekly Advisor, July 26, 2010


Editor’s note: This is the sixth in a series of tips in HIPAA Weekly Advisor on laptop security. The excerpts are courtesy of the HCPro, Inc. newsletter, Briefings on HIPAA.

Password-protect laptop computers and make sure they lock after a period of inactivity, if possible, to prevent access to ePHI if equipment is misplaced or stolen, says John C. Parmigiani, MS, BES, president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD.

He recommends using dual-factor authentication, whereby users must supply two forms of identification. This increases assurance that the user has authorized access to the laptop computer and also makes it more difficult for an unauthorized individual to use a lost or stolen computer. Dual-factor authentication requires a password or unique user ID together with at least a token, an ID card, or a piece of biometric data, such as a fingerprint or face geometry.

Strong passwords are essential, says Ali Pabrai, CISSP, CSCS, CEO of ecfirst, Inc., and CEO and cofounder of HIPAA Academy in Newport Beach, CA. Many organizations do a fairly poor job of password management, he says. A password should be a combination of alphabetic and numeric characters to ensure that it is not the same as the username. Industry best practices dictate that passwords should be at least seven characters long and that organizations should require staff members to change passwords every 90 days, he says.

He warns that many password-cracking systems exist, so individuals should not use a word found in the dictionary or a word spelled backwards as a password.

 


