8. Use Strong Passwords and Change Them Regularly

Passwords are the first line of defense in preventing unauthorized access to any computer. Regardless of type or operating system, a password should be required to log in. Although a strong password will not prevent attackers from trying to gain access, it can slow them down and discourage them. In addition, strong passwords, combined with effective access controls, help to prevent casual misuse (e.g., staff members pursuing their personal curiosity about a case even though they have no legitimate need for the information).

Strong passwords are ones that are not easily guessed. Since attackers may use automated methods to try to guess a password, it is important to choose a password that does not have characteristics that could make it vulnerable.

Strong passwords should not include:

• Words found in the dictionary, even if they are slightly altered (e.g., replacing a letter with a number)

• Personal information such as birth date; names of self, family members, or pets; social security number; or anything else that could easily be learned by others. Remember: If a piece of information is on a social networking site, it should never be used in a password.

Below are some examples of strong password characteristics:

• At least eight characters in length (the longer the better)

• A combination of upper case and lower case letters, one number, and at least one special character, such as a punctuation mark
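The characteristics above, together with the two exclusions, can be checked mechanically before a password is accepted. The following Python checker is an added example, not code from the guide; its word list and its letter-for-symbol substitution table are constructed assumptions standing in for a real dictionary file and a fuller set of swaps.

```python
import re
import string

# Constructed stand-in for a real word list; a deployment would load a full
# dictionary file (assumption, not from the original guide).
DICTIONARY = ("admin", "clinic", "doctor", "password", "summer", "welcome")

# Letter-for-symbol swaps that leave a dictionary word guessable (heuristic).
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                               "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(text):
    """Lowercase, undo common substitutions, and keep only letters."""
    return re.sub(r"[^a-z]", "", text.lower().translate(SUBSTITUTIONS))


def check_password(pw, personal_info=()):
    """Return the list of guide rules the password breaks (empty list = passes).

    personal_info holds strings the user must not embed, e.g. names or a
    birth date such as "1985-04-12"; they are matched after normalization.
    """
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no number")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")

    letters = normalize(pw)          # e.g. "P@ssw0rd" -> "password"
    digits = re.sub(r"\D", "", pw)   # digit runs are compared separately
    for word in DICTIONARY:
        if word in letters:
            problems.append(f"contains dictionary word '{word}' (possibly altered)")
    for item in personal_info:
        tokens = [normalize(item)] if len(normalize(item)) >= 3 else []
        tokens += re.findall(r"\d{4,}", item)   # years, ID-number fragments
        if any(t in letters or t in digits for t in tokens):
            problems.append(f"contains personal information '{item}'")
    return problems
```

A policy enforced this way still cannot judge whether a password is easy to remember, so pair it with the checklist below rather than relying on it alone.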

Finally, systems should be configured so that passwords must be changed on a regular basis. While this may be inconvenient for users, it also reduces some of the risk that a system will be easily broken into with a stolen password.

Passwords and Strong Authentication

Strong, or multi-factor, authentication combines two or more different authentication methods, resulting in stronger security. In addition to a user name and password, another authentication method is used (e.g., a smartcard, key fob, or fingerprint or iris scan).

Under federal regulations permitting e-prescribing of controlled substances, multi-factor authentication must be used.

What about forgotten passwords?

Anyone can forget a password, especially if the password is long. To discourage people from writing down their passwords and leaving them in unsecured locations, plan for password resetting. This could involve 1) authorizing two different staff members to reset passwords; or 2) selecting a product that has built-in password reset capabilities.

Download Password Checklist [10]

[10] http://healthit.gov/sites/default/files/Password Checklist.pdf

Password Checklist

☐ Policies are in place prescribing password practices for the organization.
☐ All staff members understand and agree to abide by password policies.
☐ Each staff member has a unique username and password.
☐ Passwords are not revealed to or shared with others.
☐ Passwords are not written down or displayed on screen.
☐ Passwords are hard to guess, but easy to remember.
☐ Passwords are changed routinely.
☐ Passwords are not re-used.
☐ Any default passwords that come with a product are changed during product installation.
☐ Any devices or programs that allow optional password protection have password protection turned on and in use.