Password Strategies as Part of Your HIPAA Compliance Plan

Posted by John Dimaggio on Jan 26, 2016 11:54:03 AM

In Password Strategies

There’s an old joke about passwords: 

During a recent password audit at our company, it was found that someone was using the following password:

MickeyMinniePlutoHueyLouieDeweyDonaldGoofyColumbus

When asked why they had such a long password, they said that they had been told that it had to be at least 8 characters long and include at least one capital!

While it’s easy to laugh at the punchline, password strength and complexity are no laughing matter to a Compliance Officer. Passwords are one of the most common points of breach and, depending on the level of access they protect, can be the keys to the kingdom.

Password Hackers and Crackers

With the widespread availability of malware, botnets, and password cracking tools, the resources available to attackers have grown substantially, and the time required to infiltrate a system has dropped significantly.

Some common password cracking techniques are listed below:

  1. Brute Force – Trying every possible combination of characters until the password is found. This is practical against short passwords, and far faster when the attacker has stolen a copy of the password hashes and can guess offline, where no account lockout or rate limit applies.
  2. Dictionary or Library Attack – Trying words from a wordlist or a list of commonly used (and previously breached) passwords, usually with "mangling" rules that capitalize, append digits or years, and swap letters for look-alike symbols.
  3. Social Engineering – Persuading someone to reveal a password, for example through a phishing e-mail or a telephone call impersonating the help desk.
  4. Malware – Keylogging spyware installed on a computer that records every keystroke, including passwords, and reports them back to the attacker.
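The following is an added example, not part of the original post, showing why a dictionary attack with mangling rules is so much cheaper than a brute force. It runs a tiny constructed wordlist through case, look-alike substitution and suffix rules against a constructed set of unsalted SHA-256 hashes (the usernames, wordlist, year range and hash choice are all assumptions made for the example). Three weak passwords from this post's DON'T list fall quickly; the passphrase-derived one does not.

```python
"""Dictionary attack with mangling rules against a set of unsalted hashes."""
import hashlib
import itertools

# Constructed wordlist, rule set and date range for this example (assumptions).
WORDLIST = ["password", "welcome", "qwerty", "winter", "summer",
            "raiders", "gobucks", "jenny", "letmein", "drummer"]
YEARS = [str(y) for y in range(2010, 2018)]
SUFFIXES = ["", "!", "1", "123"] + YEARS + [y + "!" for y in YEARS]
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256 stands in for whatever fast hash a leaked database used."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed "leaked" credential store: username -> unsalted hash (not real data).
SAMPLE_TARGETS = {
    "jsmith": sha256_hex("Winter2016"),
    "kjones": sha256_hex("Qwerty"),
    "rlee": sha256_hex("Raiders!"),
    "admin": sha256_hex("P@ssw0rd"),
    "mchen": sha256_hex("TqbFjotlD!"),   # passphrase-derived, from the post
}


def leet_variants(word: str):
    """Yield the word under every combination of the LEET substitutions."""
    for n in range(len(LEET) + 1):
        for subset in itertools.combinations(list(LEET.items()), n):
            variant = word
            for plain, symbol in subset:
                variant = variant.replace(plain, symbol).replace(plain.upper(), symbol)
            yield variant


def candidates(word: str):
    """Expand one wordlist entry through case, leet and suffix rules (deduplicated)."""
    seen = set()
    for cased in (word, word.capitalize(), word.upper()):
        for leeted in leet_variants(cased):
            for suffix in SUFFIXES:
                guess = leeted + suffix
                if guess not in seen:
                    seen.add(guess)
                    yield guess


def crack(targets: dict, wordlist=WORDLIST):
    """Return ({username: recovered password}, number of guesses hashed)."""
    by_hash = {digest: user for user, digest in targets.items()}
    found, tries = {}, 0
    for word in wordlist:
        for guess in candidates(word):
            tries += 1
            user = by_hash.get(sha256_hex(guess))
            if user is not None and user not in found:
                found[user] = guess
    return found, tries


if __name__ == "__main__":
    found, tries = crack(SAMPLE_TARGETS)
    for user in SAMPLE_TARGETS:
        print(f"{user:8} {found.get(user, '<not cracked>')}")
    print(f"{tries:,} guesses; a blind 8-character brute force over 95 symbols "
          f"would need up to {95 ** 8:,}")
```

The whole run hashes a few thousand guesses, against roughly 6.6 quadrillion for an exhaustive 8-character search. Two things change this picture in the defender's favor: a slow, salted hash such as bcrypt or scrypt makes every guess expensive, and screening new passwords against exactly these mangled wordlist entries keeps them out of the system in the first place.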


Password Strategies

Common best practice guidelines are to ensure your users create a password using a minimum of 8 characters, a mix of upper and lower case letters, numbers, and special characters, and to change it every 90 days. Note that HIPAA itself (45 CFR 164.308(a)(5)(ii)(D)) requires procedures for creating, changing, and safeguarding passwords but does not prescribe a specific length or interval, and that NIST SP 800-63B (published in 2017) has since moved away from mandatory periodic rotation and composition rules in favor of longer passphrases, screening against lists of breached passwords, and multi-factor authentication.

There are several methods for creating strong passwords that are still easy to remember and that satisfy a HIPAA password policy:

  1. Create a password using the first or last letter of each word in a phrase and incorporate special characters, e.g. The quick brown Fox jumped over the lazy Dog! = TqbFjotlD!
  2. Select a phrase and replace parts with abbreviations, special characters, and added punctuation, e.g. Four score and seven years ago = 4scr&7yAg0
  3. Combine words and replace letters with numbers and special characters, e.g. phones home = Ph0n3$hOm3)

Two caveats: the first example contains no digit, so add one if your policy requires all four character classes. And character substitution on its own (0 for o, 3 for e, $ for s) adds less strength than it appears to, because cracking tools apply exactly those substitutions as rules to every word they try, so start from a phrase that is personal to you rather than a famous quotation or a pair of dictionary words.

A well-structured and consistently enforced password policy can be the first, and sometimes the last, line of defense against someone breaking into your system, your network, and/or your data. Be creative, and protect your organization’s information with our password strategies!

DO:

  • Create a strong password and change it regularly
  • Think in terms of passphrases, abbreviations, and character replacement - do not use whole words
  • Use password complexity (upper and lower case, numbers, special characters)
  • Use different passwords for different accounts (personal bank account vs. Facebook)

DON’T:

  • Don’t use the same password for personal and business use
  • Don’t use easy to find information or combinations (birthdays, phone numbers, family names, etc.)
  • Don’t use common passwords:
    • Variations of the word “password” or “welcome”, 12345, 867-5309 (“Jenny”), references to the current season or year (e.g., Winter2016), “Qwerty”, etc.
  • When it’s time to change your password, don’t just change a single character or add one at the end (“Drumm3r” becomes “Drumm3r2”)
  • Avoid popular names, such as sports teams, mascots, etc. (e.g., Raiders, GoBucks) and anything Star Wars related.
  • Avoid using curse words or vulgar terms… they are used quite commonly and usually appear on the lists of most frequently cracked passwords
  • Don’t use whole words that can be found in a dictionary
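The DO and DON'T rules above can be enforced at password-change time rather than left to user memory. The following is an added example, not part of the original post: a checker that applies the length and character-class requirements, rejects season-plus-year patterns, common and dictionary-derived passwords (after undoing the usual look-alike substitutions, which is what crackers do), personal information, and trivial changes from the previous password such as “Drumm3r” to “Drumm3r2”. The common-password list, dictionary, personal-information tokens and the three-of-four character-class rule (the Windows “complexity requirements” interpretation, under which the post's first example passes) are assumptions made for this example; a real deployment would load a full dictionary and a breached-password list.

```python
"""Password policy checker implementing the post's DO / DON'T rules."""
import re
import string

# Constructed lists for this example (assumptions, not from the post); load a
# full dictionary and a breached-password list in a real deployment.
COMMON = {"password", "welcome", "12345", "123456", "8675309", "jenny",
          "qwerty", "letmein", "raiders", "gobucks", "starwars"}
DICTIONARY = {"drummer", "phone", "home", "winter", "summer", "mickey",
              "minnie", "pluto", "donald", "goofy", "columbus", "football"}
SEASON_YEAR = re.compile(r"(winter|spring|summer|fall|autumn)[\W_]*\d{2,4}[\W_]*")
UNLEET = str.maketrans("@30$", "aeos")   # undo the usual look-alike substitutions


def normalize(pw: str) -> str:
    """Lowercase, undo leet substitutions, then drop a trailing run of digits
    and symbols, so 'P@ssw0rd1!' and 'Drumm3r2' compare as 'password' and 'drummer'."""
    base = pw.lower().translate(UNLEET)
    return re.sub(r"[\d\W_]+$", "", base)


def is_trivial_change(old: str, new: str) -> bool:
    """True when the new password is the old one with a suffix added or removed,
    a single character changed, or only its digits and symbols altered."""
    o, n = old.lower(), new.lower()
    if o.startswith(n) or n.startswith(o):
        return True
    if len(o) == len(n) and sum(a != b for a, b in zip(o, n)) <= 1:
        return True
    return normalize(old) == normalize(new)


def check_password(pw: str, old=None, personal=()) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    classes = sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw),
                   any(c in string.punctuation for c in pw)])
    if classes < 3:   # three of four classes, as Windows complexity policy requires
        problems.append(f"uses only {classes} of 4 character classes")
    low = pw.lower()
    if SEASON_YEAR.fullmatch(low):
        problems.append("season + year pattern")
    base = normalize(pw)
    if low in COMMON or base in COMMON:
        problems.append("common password")
    letters = re.sub(r"[^a-z]", "", base)
    words = sorted(w for w in DICTIONARY if len(w) >= 4 and w in letters)
    if words:
        problems.append("contains dictionary word(s): " + ", ".join(words))
    hits = sorted(t for t in personal if t.lower() in low)
    if hits:
        problems.append("contains personal information: " + ", ".join(hits))
    if old is not None and is_trivial_change(old, pw):
        problems.append("too similar to previous password")
    return problems


if __name__ == "__main__":
    samples = [("TqbFjotlD!", None), ("4scr&7yAg0", None), ("Ph0n3$hOm3)", None),
               ("Winter2016", None), ("Drumm3r2", "Drumm3r"), ("Qwerty", None),
               ("MickeyMinniePlutoHueyLouieDeweyDonaldGoofyColumbus", None)]
    for pw, old in samples:
        print(f"{pw}: {check_password(pw, old) or 'OK'}")
```

Note that the checker rejects the post's third example, Ph0n3$hOm3): undoing the substitutions yields “phoneshome”, two dictionary words, which is precisely the transformation a rule-based cracker performs. The first two examples pass.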

BlueOrange Compliance has been providing privacy and security assessments, remediation and guidance since the inception of HITECH, and has over 50 years of experience in technology security, compliance and healthcare. Our national client base consists of hospitals, physician provider practices, LTC Pharmacies, SNFs, LPCs, homecare and hospice and business associates. If you want to learn how BlueOrange Compliance can help you turn HIPAA complexity into HIPAA compliance, visit us at blueorangecompliance.com.
