Tech & Innovation in Healthcare

Cybersecurity:

Implement 2 Key Protocols for Effective Password Management

Tip: Here’s why you want to make sure you’ve got 2FA turned on.

With cyberattacks on the rise, is your practice safeguarding its assets and its patient data? Healthcare remains a perennial target for attackers, but sound username, password, and authentication controls substantially reduce the risk. Read on for the details.

Add This Username Insight to Your IT Checklist

A good username lets IT staff tie an account to one person quickly. In practice, usernames follow an organizational standard and leave little room for individual choice.

“Usernames at work aren’t usually up to the individual; they’re set by the IT department and they usually follow a common standard such as ‘first_initial.last_name,’ but you can take steps to keep your work username more secure by using it only for work,” advises Jen Stone, MCIS, CISSP, CISA, QSA, principal security analyst, with Security Metrics in Orem, Utah.

“Username formats should meet a corporate standard for consistency, but should not be considered confidential information,” agrees Adam Kehler, director of RSP Healthcare Services with Online Business Systems.

The format should make identification easy, so IT can quickly determine who should or should not be accessing practice data and, if a security incident does occur, which account was involved, so containment can begin without delay. Because a standard format is predictable and usernames are not confidential, an outsider can usually guess a valid username from a staff directory; the protection of the account therefore has to come from the password and a second factor, not from the username.

Tip: Don’t mix work with pleasure. It’s a good idea to use different usernames for your home accounts versus your work ones. Separating your work tech from your home tech not only protects patients, but it protects you, too.

Here’s why: “If you use your work email as an account name, chances are good you’ll be tempted to use your work password as well,” Stone warns. “Then, when ‘Flower Sparkle Games’ is hacked, the hackers not only get access to your game, they also get access to your work account.”

Set Reasonable but Strong Password Protocols

In recent years, password security has become a hot topic in healthcare as unauthorized access continues to be a thorn in the side of many covered entities (CEs) and their business associates (BAs). The HIPAA Security Rule points repeatedly to the importance of “policies and procedures” that protect the confidentiality, integrity, and availability of ePHI. And whether you’re a CE operating a small practice in a rural zone or a multi-layered BA across several states, you must put risk analysis and password protection at the top of your HIPAA compliance planning.

“Passwords alone are by-and-large not a great way to authenticate individuals. Organizations should strongly consider implementing multi-factor authentication (MFA) for all remote access or privileged access to sensitive systems,” Kehler says. “Implementing these controls can result in an incredible decrease of the number and severity of breaches.”

Reminder: The National Institute of Standards and Technology (NIST) updated its password guidance in Special Publication 800-63B with recommendations for improving identity security. The guidelines recommend against forced composition rules (required mixes of upper case, lower case, digits, and symbols) and against routine periodic password changes, because both push users toward predictable, reused, or written-down passwords. In their place, NIST calls for a minimum length of 8 characters, room for long passphrases (at least 64 characters), acceptance of spaces and Unicode, and screening of every new password against lists of commonly used, expected, or previously breached values.

“Research and the updated NIST SP 800-63B Digital Identification guidelines agree that most of what we know about password strength is incorrect,” Kehler says. “Password-change and complexity rules generally result in password reuse, writing down passwords, and creating predictable passwords such as ‘Password123.’”
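To make the contrast concrete, here is an added example (not code from the article, from NIST, or from either of the quoted experts) that puts a legacy composition-rule check beside a verifier check in the style of SP 800-63B section 5.1.1.2: length bounds, Unicode accepted, no composition rules, a blocklist of breached or expected values, and rejection of repetitive, sequential, and context-specific strings. The blocklist, the sample passwords, and the username and service names are constructed for the example; a real deployment would screen against a full breach corpus.

```python
"""Legacy composition rules versus a NIST SP 800-63B style password check.

Added illustration; the blocklist and inputs are constructed, not real data.
"""
import re
import unicodedata

# Constructed stand-in for a breached-password corpus (real lists hold millions).
BREACHED = {"password", "password123", "password123!", "letmein", "qwerty"}

MIN_LEN = 8   # 800-63B: user-chosen secrets are at least 8 characters
MAX_LEN = 64  # 800-63B: verifiers permit at least 64 characters


def legacy_policy(pw: str) -> bool:
    """The composition rule 800-63B argues against: one upper, one lower,
    one digit, one symbol. 'Password123!' passes; a long, unique passphrase
    with no digit or symbol fails."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def _repetitive_or_sequential(s: str) -> bool:
    """Simple heuristic for values like 'aaaaaaaa', 'abcdefgh', '12345678'."""
    if len(set(s)) == 1:
        return True
    codes = [ord(c) for c in s]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return steps <= {1} or steps <= {-1}


def nist_policy(pw: str, username: str = "", service: str = "") -> tuple[bool, str]:
    """Return (accepted, reason) following the 800-63B verifier guidance.

    No composition rules are imposed; instead the secret is normalized,
    length-bounded, and screened against a blocklist and obvious patterns.
    """
    # 800-63B recommends NFKC/NFKD normalization so the same visible
    # password typed two ways on different devices compares equal.
    pw = unicodedata.normalize("NFKC", pw)
    if len(pw) < MIN_LEN:
        return False, "too short"
    if len(pw) > MAX_LEN:
        return False, "too long"
    folded = pw.casefold()
    if folded in BREACHED:
        return False, "in breached-password list"
    if _repetitive_or_sequential(pw):
        return False, "repetitive or sequential"
    # Context-specific words: the username and the service name.
    for ctx in (username, service):
        if ctx and ctx.casefold() in folded:
            return False, "contains context-specific word"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Password123!", "correct horse battery staple",
                      "12345678", "jsmith-clinic-2024"):
        print(f"{candidate!r}: legacy={legacy_policy(candidate)} "
              f"nist={nist_policy(candidate, username='jsmith', service='clinic')}")
```

The two checks disagree in exactly the way the quoted experts describe: the predictable ‘Password123!’ satisfies every composition rule but is on the blocklist, while a long passphrase with no digits or symbols fails the legacy rule and is accepted by the NIST-style check.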

Pointer: If your practice struggles with password management, you may want to consider using a password management tool. “In my experience, the best passwords come from a password manager,” Stone says. “They can be long, complex, and unique without taxing your ability to remember all the passwords to all your accounts.”

Stone adds, “More importantly, make sure two-factor authentication (2FA) is turned on for all your accounts. It might take a few more seconds for you to login, but the increased security is absolutely worth it!”
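For readers who want to see what the second factor actually does, here is an added example (not code from the article or from the quoted experts) of the time-based one-time password (TOTP, RFC 6238) mechanism behind most authenticator apps, with the verifier side handling clock drift and rejecting replayed codes. The shared secret is the published RFC 6238 test key, used only so the generated codes can be checked against the RFC’s own test vectors; the window size and time step are the usual defaults and are assumptions of the example.

```python
"""TOTP (RFC 6238) generation and verification for a second authentication factor.

Added illustration; the secret is the RFC 6238 test key, not a real credential.
"""
import hashlib
import hmac
import struct

STEP = 30    # seconds per code, the common default
DIGITS = 6
WINDOW = 1   # accept codes from one step either side to tolerate clock drift

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a decimal code of the requested length."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, digits: int = DIGITS, step: int = STEP) -> str:
    """The code an authenticator app shows at Unix time `at`."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side check: constant-time compare across the drift window,
    and never accept a time step at or before the last one that succeeded,
    so a captured code cannot be replayed."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1

    def verify(self, submitted: str, at: int) -> bool:
        counter = at // STEP
        for c in range(counter - WINDOW, counter + WINDOW + 1):
            if c <= self.last_counter:
                continue  # replay guard
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 vectors: T=59 gives 94287082 (8 digits), i.e. 287082 (6 digits).
    print(totp(TEST_SECRET, 59, digits=8), totp(TEST_SECRET, 59))
    v = TotpVerifier(TEST_SECRET)
    print(v.verify("287082", 59), v.verify("287082", 59))  # True, then False (replay)
```

The point for the practice is in the verifier: a phished or shoulder-surfed code is only good for about one time step and only once, which is why a leaked password alone no longer opens the account.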

Resource: Read NIST’s guidelines at https://pages.nist.gov/800-63-3/.