American Osteopathic Association


Password Security for Your Practice

Strengthening the log-in credentials on your practice computer systems can go a long way toward reducing the risk of online hackers stealing information.

A report by Verizon that looked at cyber attacks on health care organizations in 2011 and 2012 found that 72% of them were caused by hackers guessing, or using automated systems to guess, the passwords and other credentials that allowed them access to computer systems.

Most-often hacked passwords

Practices are required under the Health Insurance Portability and Accountability Act (HIPAA) and Meaningful Use rules to perform security assessments. Many practices overlook simple things like password security because they are too focused on the big issues and on protecting health information, while neglecting their other assets.

Verizon reported that most of the breaches were at organizations with fewer than 100 employees. These small businesses are considered by hackers to be easy targets not only because of their lack of basic security systems, such as firewalls, but also because of a lack of zero-cost security measures such as hard-to-guess passwords.

And the hassle, financial cost, and patient ill will that a breach causes a practice are very high. Ponemon Institute found that the average organizational cost per breached record was $194 in 2011.

What makes a password secure?

Experts say good, secure passwords should be at least eight characters long and use a combination of letters and symbols. Suggestions include using short phrases with underscore spaces between each word such as “see_spot_run.”

Think First Consulting suggests coming up with an easy-to-recall phrase, then using the first letter of each word in the phrase as the password while replacing a letter or two with a symbol to increase the complexity. For example, “my favorite food to eat is pizza” becomes “mff2e!p.”
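As an added illustration (not code from the AOA article or the firms it cites), the following Python applies the two rules given above, at least eight characters and a mix of letters and symbols, and reproduces both construction methods with the article's own examples. Treating digits as symbols, and the choice of which letters to swap, are assumptions.

```python
import string

MIN_LENGTH = 8  # the article's stated minimum length


def passphrase_from_words(words):
    """Join short words with underscores, as in the article's "see_spot_run"."""
    return "_".join(w.lower() for w in words)


def mnemonic_from_phrase(phrase, substitutions):
    """Take the first letter of each word, then swap a letter or two for a
    symbol or digit.  `substitutions` maps a 0-based position to its
    replacement, e.g. {3: "2", 5: "!"} (which letters to swap is an assumption)."""
    letters = [word[0].lower() for word in phrase.split()]
    for pos, replacement in substitutions.items():
        letters[pos] = replacement
    return "".join(letters)


def check_password(password):
    """Apply the article's rules; return a list of problems (empty means OK).
    Digits are counted as symbols here, an assumption on our part."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("contains no letters")
    if not any(c.isdigit() or c in string.punctuation for c in password):
        problems.append("contains no symbols or digits")
    return problems


if __name__ == "__main__":
    for candidate in (
        passphrase_from_words(["see", "spot", "run"]),
        mnemonic_from_phrase("my favorite food to eat is pizza", {3: "2", 5: "!"}),
        "pizzapizza",  # constructed: letters only, no symbol
    ):
        print(candidate, "->", check_password(candidate) or "OK")
```

Note that the article's own mnemonic example, “mff2e!p”, is seven characters long, so the checker flags it against the eight-character minimum stated in the previous paragraph.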

The security firm Cylance said different passwords should be used for each account requiring login credentials. And it’s OK to write down passwords as long as they are kept separate from the machines and it’s not made obvious that they are passwords.

Experts also say passwords should not be shared between employees; sharing makes it harder to determine who was on a system at what time, which makes audits difficult to perform. Plus, the practice loses the ability to revoke access for individuals who leave or are fired.

Also, analysts said all passwords should be changed once every 60 to 90 days.
