Mitigating Cyber Risk — Passwords
Hackers can gain access to your data by capturing or guessing the passwords used by your practice's employees. Despite warnings about the dangers of easily identifiable passwords, many people still use birthdates, children's names, other personal information, or even sequential numbers ("12345678"). These are exactly the guesses a password-cracking program tries first.
To reduce this risk, train employees to do the following:
- Avoid using the same password for multiple accounts. A password stolen from one site is routinely tried against every other account its owner holds.
- Don't use a variation of a prior password when creating a new one (e.g., "FuzzyDog1," "FuzzyDog2," "FuzzyDog3," etc.). Anyone who learns one of them can guess the rest.
- Avoid simple words found in the dictionary. Hackers use cracking programs that try every word in large word lists, including common misspellings and letter substitutions, in seconds.
- Don't use names or things that could be identified from your social networking accounts (your pet's name, children's names, hobbies, anniversaries, alma mater, etc.).
- Memorize passwords. If a password must be written down, write down only one portion and commit the other portion to memory.
- Consider using pass phrases of at least eight characters instead of passwords; longer is better, because length slows a cracking program more than any single substitution does. Pass phrases are easier for users to remember, yet more difficult for hackers to crack (e.g., "81PurpleBagels!" built from a year, a color, and a food). Choose elements that cannot be read off your social media profiles.
- Intentionally misspell words ("Greeen" instead of "Green" or "Datte" instead of "Date").
- Use both uppercase and lowercase letters ("GreEn" or "DaTe").
- Use special characters ("Green!"). Some sites restrict which special characters can be used, but use them whenever possible. Cracking programs know the common letter replacements, so avoid the obvious ones ($ for S, 3 for E, 1 for l).
- Combine words, special characters, and numbers ("GreEn!1920"). A single word with digits added to the end is still one of the first patterns a cracking program tries, so several words together are stronger than one.
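The following checker is an added illustration of the rules above, not code from the original guidance. It rejects sequential runs, near-variants of a previous password, and passwords whose letters amount to one dictionary word even after deliberate misspelling ("Greeen") or the common symbol-for-letter swaps that cracking tools undo automatically. The word list is a constructed handful for the example; a real deployment would load a full dictionary plus a breached-password list. Note that it rejects "GreEn!1920" (every letter belongs to one dictionary word) while accepting the pass phrase "81PurpleBagels!".

```python
import re

# Constructed word list for the example only; real checks use a large
# dictionary and a breached-password list, not a dozen words.
DICTIONARY = {"green", "date", "purple", "bagels", "password", "welcome",
              "fuzzy", "dog", "summer", "practice"}

# Substitutions that cracking tools apply as standard mangling rules,
# so they add no real strength; the checker undoes them before comparing.
LEET_MAP = str.maketrans({"$": "s", "5": "s", "3": "e", "1": "l", "!": "i",
                          "0": "o", "@": "a", "4": "a", "7": "t"})

MIN_LENGTH = 8  # the minimum given in the text; longer is better


def normalize(password: str) -> str:
    """Lowercase and undo the common letter-for-symbol swaps."""
    return password.lower().translate(LEET_MAP)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit covers misspellings like "Greeen"."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_single_dictionary_word(password: str) -> bool:
    """True when all the letters of the password form one dictionary word,
    allowing one misspelling, both with and without leet substitutions
    undone (catches "Gr33n!", "Datte2024", "GreEn!1920")."""
    lowered = password.lower()
    candidates = {re.sub(r"[^a-z]", "", lowered),
                  re.sub(r"[^a-z]", "", lowered.translate(LEET_MAP))}
    return any(len(c) >= 3 and edit_distance(c, w) <= 1
               for c in candidates for w in DICTIONARY)


def has_sequence(password: str, run: int = 4) -> bool:
    """Detect ascending, descending or repeated runs such as 1234, dcba, aaaa."""
    s = password.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def is_variant_of_prior(password: str, prior, max_distance: int = 2) -> bool:
    """"FuzzyDog2" after "FuzzyDog1": a small edit of an old password."""
    cand = normalize(password)
    return any(edit_distance(cand, normalize(p)) <= max_distance for p in prior)


def check_password(password: str, prior=()) -> list[str]:
    """Return the rule violations found; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if has_sequence(password):
        problems.append("contains a sequential or repeated run (e.g. 1234, aaaa)")
    if is_single_dictionary_word(password):
        problems.append("is a single dictionary word with trivial decoration")
    if is_variant_of_prior(password, prior):
        problems.append("is a small variation of a previous password")
    if not re.search(r"[A-Z]", password) or not re.search(r"[a-z]", password):
        problems.append("does not mix upper and lower case")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("has no special character")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: the examples used in the guidance above.
    history = ["FuzzyDog1"]
    for candidate in ["12345678", "FuzzyDog2", "Gr33n!", "GreEn!1920", "81PurpleBagels!"]:
        verdict = check_password(candidate, prior=history) or ["ok"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

The checker is a first-line filter, not a measure of strength: a real cracking program applies far more mangling rules than the handful undone here, which is why a long pass phrase of several unrelated words beats any decoration of a single word.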
To further reduce your risk, consider the following system controls:
- Require that passwords be updated every 90 to 120 days. Be aware that current NIST guidance (SP 800-63B) no longer recommends scheduled changes, because they push users toward the "FuzzyDog2" pattern; whatever interval you choose, require an immediate change whenever a password may have been exposed.
- Lock users out after three failed login attempts and allow only an administrator to restore access. Log every failed attempt, and make sure an administrator can be reached quickly, since a low threshold also lets someone lock staff out deliberately.
- Limit EHR accessibility with user authentication/credentialing (e.g., a unique user id and password for each employee, never a shared login), and add a second authentication factor where the EHR supports it.
Your practice can also use a password manager (often called a password database), a program in which an employee sets one master password that protects all the others. It can generate a long, random, unique password for every account, so no employee has to memorize or reuse them. Many password managers are available as extensions for common web browsers. The one weakness is that a hacker who discovers the master password gains every password stored under it, so the master password should be a long pass phrase used nowhere else. Even so, a password manager is generally the most secure way to prevent compromised passwords.
The guidelines suggested here are not rules, do not constitute legal advice, and do not ensure a successful outcome. The ultimate decision regarding the appropriateness of any treatment must be made by each healthcare provider in light of all circumstances prevailing in the individual situation and in accordance with the laws of the jurisdiction in which the care is rendered.