Question: We are having a little disagreement in our office. How often should we change our computer and electronic health record (EHR) application passwords? Some of us say every month, while others are saying only every four to six months.
Answer: The short answer is that you should change your passwords quarterly. Users should change their passwords regularly and should be prevented from reusing at least their last two or three passwords, instructs the HHS Office of the National Coordinator for Health Information Technology (ONC).
You should ensure that your systems are configured so that passwords must be changed on a regular basis, ONC stresses. “By requiring passwords to change quarterly, you help prevent passwords from being discovered and used illicitly.”
Also, remember to ensure that staff members create strong passwords. According to ONC, strong passwords are at least eight characters long, and include a combination of upper and lower case letters, at least one number, and at least one special character like a punctuation mark.