Written by: J. David Sims, CHITSP, CHMSP, Managing Partner at Security First IT, LLC; Board Member with the American Institute of Healthcare Compliance; Podcaster, Speaker, & HIPAA Instructor; Help Me with HIPAA Podcast Contributor and Federal HICP 405(d) Task Group & HIC-TCR Task Group
Cybersecurity starts with the basics, such as appropriately managing passwords within your organization. The Health Insurance Portability & Accountability Act (HIPAA) requires access controls and password management, which requires a top-down approach within your organization. Whether you are a Covered Entity or Business Associate, handle it like a boss!
In a recent article by Joanne Byron, she discussed one of the biggest challenges with proper password management… password sharing! In this article, I’m going to introduce you to some ways that you can overcome this challenge in your organization.
First, let’s start by setting three ground rules that I use for cybersecurity:
Rule #1 – Security is not convenient
Rule #2 – Security is not optional
Rule #3 – Security should not unnecessarily hinder the user
Understand that by design, security is there to hinder or stop an action. Think of your house for a minute. I have a sign in my yard advertising that I have monitored security in my home. I also have an alarm system, a deadbolt, a dog, and a shotgun. All these things represent different levels of security and incident response. They all cost me money and they are all inconvenient in some way. To protect my family, my most precious assets, is not optional. However, I can’t make this level of security so inconvenient that it doesn’t work. Therefore, I’ve ensured that these levels of security do not hinder my family’s ability to quickly enter and exit the home.
Security is there to deter the bad guys and to keep out those who should not be in my home (like the in-laws).
Passwords are just one layer of security for your electronic Protected Health Information and other digital assets. It is also a layer of security that is heavily dependent on the user… the human. The human must follow your password policy so that proper passwords are created and used in the correct manner. However, like a flowing river, humans will often find the path of least resistance (or create one) to get their job done.
Therefore, it is so important to train employees on your password policy, why passwords matter, what can happen when passwords are shared, and so on. Equally important is that the organization should take reasonable measures so that using passwords is not a huge hindrance. Let’s take a look at some solutions to help your team be password ninjas!
Password managers are a fantastic tool for… you guessed it… managing passwords! I could not do without a password manager. At last check, I had over 1700 unique passwords stored in my password manager.
Password managers offer an array of other benefits and services, but at their core, a password manager allows you to store all your passwords in a single, secure place. Instead of having to remember dozens or hundreds of passwords, the user only has to remember the one password that opens their password manager. Think of it as a vault for your passwords.
Another feature of most password managers that I love is the ability for me to share a password with someone without giving them the password. There are a few ways this can be used. I can set up a user account for someone and program their password into the password manager so that they can log in to the application using their own credentials, and they never see the password. This ensures that a user can’t use their credentials outside of the office to access anything business related.
This is also very helpful for those websites that do not allow for multiple user accounts, but you still need multiple users to access it and use it. I see this often in practices where a business website only gives the practice a single account to use. The practice uses the same username and password for every employee that needs access to that website. Even worse, when employees leave the practice the credentials are not changed, which allows the separated employee to access the site from anywhere.
There are several additional benefits of a good password manager application, so investigate one for your organization. They are well worth the small investment.
Whether you use a password manager or not, you still must deal with creating secure, unique passwords. Remember, you do not want to have the same password used more than once. Using the same password for everything is like having one key for your house, your car, your office, as well as all your past houses, cars, and offices. Oh, and the key has your name and address on it. Can you see how important it is to use different passwords everywhere?
Before we continue, it is important for you to understand that the bad guys aren’t trying to log in to your online accounts typing in one password at a time hoping to get lucky. The bad guys use software automation and databases of passwords to throw at your accounts. This is called a brute force attack.
They know that most people are lazy and use terrible passwords. The most common password is 123456. You may laugh, but this password has been exposed in breaches more than 23 million times. It seems that no matter how terrible of a password it is, people still use it. For these people convenience is a higher priority than security. I wonder if these same people leave their car and homes unlocked… because, yeah… fumbling for a key is not convenient either.
Just a few months ago, the cybersecurity world learned of a leaked list of passwords called RockYou2021. This massive list of breached passwords and passwords from other sources comprises an impressive list of 8.4 billion unique passwords. 8.4 billion!!! Is there a chance that a password you use will show up on a list that size? Yeah, most likely. Unless you are one of the smart ones who use good password creation practices.
Since I’ve already mentioned password managers, it is worth noting that most password managers come with a password generator built-in that allows you to select a few criteria for your password and presto, it creates a password for you to use. Whether you’re using a password manager or not, here are some criteria to consider for your secure password:
Length is more important than complexity. Forever and a day we’ve heard that password complexity is necessary. Well, after years of research, we’re finding that all that complexity lends itself to creating other problems.
Many users fulfill this complexity requirement the same way by simply capitalizing the first letter of the password and adding a 1 or ! to the end. If I just guessed 25% of your password, you should be relegated to using a manual typewriter for the next month. Your password should be at least 8 characters (I prefer 12 to 16). The longer the password, the harder it is for software to crack it.
Change Is Good, or Is It?
Consider eliminating or reducing periodic password resets. We are also finding out that having people change their passwords too often means that they can’t remember them. I can often tell how many times someone has changed their password by how many exclamations they have at the end. Every time there was a password change, they simply added an exclamation.
If you are using secure passwords, there is no need to change them unless they become compromised in any way. However, knowing if they are compromised becomes super important and your organization should subscribe to services that monitor your accounts for compromised credentials. This brings us to the next point.
You Made the List! That Sucks.
Every password should be checked against known “blacklists” that include dictionary words, repetitive or sequential strings, passwords taken in prior security breaches, variations on the site name, commonly used passphrases, or other words and patterns that cybercriminals are likely to guess. Using a password that is on a blacklist makes the password almost useless. Imagine if your home had one of those digital keypads for keyless entry. Now, imagine that there was a list floating around your town that had your home’s key code. How would it make you feel that thousands of strangers can easily walk right into your home if they desire? Using a compromised password is much the same.
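The length rule above and the blacklist checks in this section can be enforced at the point where a password is chosen. The following is an added example (not from the article or any particular product) of such a policy check in Python; the blacklist is a constructed handful of entries standing in for a real breached-password feed, and the normalize step strips the “capital letter plus trailing 1 or !” habit so that Password1! is compared as password.

```python
import re

# Constructed sample blacklist; a real deployment would load the full breach
# list (e.g. RockYou-style data) or query a breach-monitoring service instead.
BLACKLIST = {"123456", "password", "qwerty", "letmein", "welcome", "iloveyou"}

def normalize(pw: str) -> str:
    """Undo the common 'Capitalize + append 1 or !' pattern before comparing,
    so 'Password1!' is matched against the blacklist as 'password'."""
    return re.sub(r"[\d!]+$", "", pw).lower()

def is_sequential(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive ascending or descending
    characters, e.g. 'abcd', '1234' or '4321'."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        codes = [ord(c) for c in s[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False

def is_repetitive(pw: str, run: int = 4) -> bool:
    """True if any single character repeats `run` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None

def check_password(pw: str, site_name: str = "", min_len: int = 12) -> list:
    """Return a list of policy failures; an empty list means the password
    passes every check in this policy."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if pw.lower() in BLACKLIST or normalize(pw) in BLACKLIST:
        problems.append("appears on the compromised/common-password blacklist")
    if is_sequential(pw):
        problems.append("contains a sequential run (e.g. abcd, 1234)")
    if is_repetitive(pw):
        problems.append("contains a repeated-character run (e.g. aaaa)")
    if site_name and site_name.lower() in pw.lower():
        problems.append("contains the site name")
    return problems

if __name__ == "__main__":
    # "portal" is a constructed site name for the variation-on-site-name check.
    for candidate in ["Password1!", "123456", "MyPortalLogin2024!",
                      "correct horse battery staple"]:
        print(repr(candidate), "->", check_password(candidate, "portal") or "OK")
```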
You know those password hints you had to create to set up your bank account? Chances are, those answers are fairly easy to get by just paying attention to your social media accounts and what you share online. Heck, the answers may even be able to be socially engineered out of you.
When presented with these password hints and security questions… lie like crazy! What’s my mother’s maiden name? NunYoBitNess!
Get creative and have fun with it but remember you may need to use these answers at some point to recover or reset your real password, so you need to keep this information. I hate to keep coming back to password managers, but most of them also allow you to keep secure notes in your vault (it’s not just for passwords).
What Do You Have? What Do You Know?
Multi-factor (MFA) or Two-factor (2FA) authentication requires users to authenticate themselves using something they know and something they have.
2FA has been around for a very long time. If you’ve ever used an ATM to get cash, you’ve used 2FA. You used your card (something you have) and your PIN (something you know).
Using 2FA will likely require that you use an “Authenticator” app. There are many available but stick with the known companies like Google, Microsoft, Authy, etc.
I highly recommend using 2FA everywhere it is available. Even if someone has your username and password, it will be difficult for them to get past your additional authentication methods.
Wrapping It Up
Now that you know how to create secure passwords, how to store them safely, and how to manage them properly, you are ready to go out into the world and show everyone in your organization how they too can handle passwords like a boss!
Want More Information on HIPAA Compliance?
Help Me With HIPAA is the most popular, longest running podcast of its kind. Patient care starts from the moment a person entrusts you with their personal information. Join Donna and David each week as they deliver HIPAA and humor in a way you've never experienced. Who says learning can't be fun? Not us!