Most everybody is familiar with the famous TV show ‘Password’ and remembers the famous line “And the password is…” It was a fun and exciting game show in which contestants tried to guess the secret password in order to win money. Today, guessing passwords has become much easier, and a correct guess can grant access to information that dramatically impacts organizations as well as individuals. A recent review of the most ‘hacked’ passwords by SplashData lists the top passwords that were hacked in 2014. Because these passwords are so easily guessed, they give easy access to the information they are protecting:
Top 10 Hacked Passwords in 2014
- 123456 (number 1 for the past 2 years)
The good news – these passwords are thought to only make up about 2.2% of the total password population.
Password management is the number one line of defense when it comes to protecting patient information stored on a computer, on a server, in an electronic health record, or in any system where protected health information is stored. Effectively putting strategies and management processes in place to manage passwords in a healthcare organization or business associate is a necessity for adequate protection of patient information. Here are 6 simple ideas to help effectively manage passwords in a healthcare organization:
- Enforce the Use of Strong Passwords. A strong password at a minimum uses 3 or 4 of the four character classes – uppercase letters, lowercase letters, numbers, and symbols.
- Require a Specified Password Length. Requiring a minimum password length reduces the chance that a password can be ‘guessed’ – 7 to 8 characters in length is a good practice to implement.
- Require that Passwords Are Changed Regularly. Passwords need to be changed on a regular basis. Best practice within healthcare is to change all passwords (operating system, EHR, administrative, etc.) every 120 to 180 days.
- Ensure that Workforce Members Do Not Write Passwords Down. Train workforce members to never, ever write passwords down. While it is tempting, and people might not think that a password hidden in a secret spot will be found, passwords must never be written down unless the organization creates a secure process for documenting them.
- Lock Out Accounts After a Specified Number of Incorrect Passwords. If someone fails to log in a specific number of times in a short period, the system should suspend the ability to log in or require the user to come back at a later point in time to attempt the login process again. This deters unwanted guessing of passwords and provides an added safeguard in the “guessing” game.
- Educate Workforce Members on Password Management. Educate, educate, educate, educate. Workforce members need to understand the importance of passwords and why they must be protected in order to prevent unauthorized access to healthcare systems. With proper education, workforce members will understand the need to protect passwords, and ultimately protect patient information.
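The following Python sketch is an added example, not code from the original article, showing how the first three ideas and the lockout idea above translate into checks a system can enforce. The exact thresholds (8 characters, at least 3 of the 4 character classes, a 180-day maximum age, and 5 failed attempts within 15 minutes) are assumptions chosen from the ranges the article gives; the denylist contains the one password the article lists plus constructed sample entries.

```python
"""Password policy and login-lockout checks (added example, not from the article)."""
import string
from collections import defaultdict, deque
from datetime import datetime, timedelta

MIN_LENGTH = 8                           # article suggests 7 to 8; upper end assumed
MIN_CLASSES = 3                          # at least 3 of the 4 character classes
MAX_AGE_DAYS = 180                       # article suggests 120 to 180 days; upper end assumed
MAX_FAILURES = 5                         # assumed lockout threshold (not given in the article)
FAILURE_WINDOW = timedelta(minutes=15)   # assumed meaning of "a short period"

# Constructed denylist: "123456" is the entry the article lists; the others are sample entries.
COMMON_PASSWORDS = {"123456", "password", "qwerty"}


def character_classes(password):
    """Count how many of the four classes (upper, lower, digit, symbol) the password uses."""
    classes = (string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation)
    return sum(1 for cls in classes if any(ch in cls for ch in password))


def check_password(password):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} of the 4 character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password denylist")
    return problems


def password_expired(last_changed, now):
    """True when the password is older than the maximum age and must be rotated."""
    return now - last_changed > timedelta(days=MAX_AGE_DAYS)


class LoginThrottle:
    """Track failed logins per account and lock the account after MAX_FAILURES in FAILURE_WINDOW."""

    def __init__(self):
        self._failures = defaultdict(deque)

    def _prune(self, user, now):
        # Discard failures that fall outside the sliding window.
        q = self._failures[user]
        while q and now - q[0] > FAILURE_WINDOW:
            q.popleft()
        return q

    def record_failure(self, user, when):
        self._prune(user, when).append(when)

    def record_success(self, user):
        # A successful login clears the failure history.
        self._failures.pop(user, None)

    def is_locked(self, user, now):
        return len(self._prune(user, now)) >= MAX_FAILURES


if __name__ == "__main__":
    for pw in ("123456", "Tr0ub4dor&3"):
        print(pw, "->", check_password(pw) or "ok")
    t0 = datetime(2014, 1, 1, 9, 0)          # constructed timestamp
    throttle = LoginThrottle()
    for minute in range(MAX_FAILURES):
        throttle.record_failure("nurse01", t0 + timedelta(minutes=minute))
    print("locked now:", throttle.is_locked("nurse01", t0 + timedelta(minutes=4)))
    print("locked 20 min later:", throttle.is_locked("nurse01", t0 + timedelta(minutes=20)))
```

The lockout uses a sliding window, so a burst of failures locks the account while a handful of typos spread over a day does not; a successful login clears the counter so legitimate users are not penalized for old mistakes.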
While these are very simple processes, more detailed and secure methods of authentication exist that can remove some of the risks to healthcare organizations; however, they do not come without time and cost to manage. With these simple steps, healthcare organizations can more effectively oversee how passwords are created, managed, and safeguarded. Don’t get caught having someone guess your passwords; take the proper steps to manage passwords within the organization.