Physician Practice

Q&A: You’ve got questions! We’ve got answers!

Physician Practice Insider, July 12, 2016

Submit your questions to Associate Editor Nicole Votta at nvotta@hcpro.com and we will work with our experts to provide you with the information you need.

Q: Some of our staff have complained that they have a difficult time remembering and creating passwords. I'm concerned that some staff may begin writing their passwords down. How can we discourage this?

A: There are techniques that staff can use to create strong passwords or passphrases that are easier to remember than a string of random numbers, letters, and characters. It needs to be clearly communicated that writing down passwords is not an acceptable practice. Let staff know that instead of writing down their passwords, they should try to create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase, "This May Be One Way To Remember" could become the password TmB1w2R! or another variation.

Staff can also use passphrases instead of passwords. A passphrase is similar to a password in use. However, it is relatively long and constructed of multiple words, which provides greater security against dictionary attacks, which are brute force attacks using known words as found in English and other language dictionaries. Strong passphrases should follow the general password construction guidelines to include upper and lowercase letters, numbers, and special characters (e.g., TheTrafficOnThe101Was*&!$ThisMorning!).

The challenge is that staff have a number of personal and business accounts they need to keep track of passwords or passphrases for. Staff can create passwords that are specifically associated with their jobs instead of a password or passphrase that may have more meaning—and therefore be easier to remember—when associated with a personal account rather than their job. For example, an HIM employee may create a passphrase like Privacy&IAreTied@TheHip!

Nevertheless, staff will forget passwords. A process must exist to rapidly respond to staff who can't remember their login credentials. Staff need to know who to call if they forget their password and request a temporary password so they can continue to work efficiently. If staff know that if they forget their password it will be easy for them to recover it or create a new one, they are less likely to write passwords down.

Editor’s note: This question was answered by Chris Apgar, CISSP, for Briefings on HIPAA. Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a Briefings on HIPAA editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are that of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Nicole Votta at nvotta@hcpro.com.

Most Popular