Choosing good passwords and protecting them is a small but key part of guarding your patients’ protected health information.
Cyber-criminals who break into EHR systems to get coveted patient data use sophisticated computer techniques. Resisting their efforts is best left to information technology experts, employing a vast array of high-tech methods. Right?
Well, yes and no. It is crucial to have a secure system with the latest antivirus software and top-notch encryption methods, but if you don’t carefully choose and protect your passwords, you may be putting your patients’ data at risk without even realizing it. One of the simplest yet most important things you can do to protect patient privacy is practice good password security habits. “There are many ways to get into a computer system and passwords are one common vector used by hackers,” said Ryan Williams, tech expert and author of Passwords and Internet Addresses Journal for Dummies.
A password should have 12-15 characters, some of them numbers or symbols said Williams. “But you have to be able to remember it, too. A good password will have that magic combination of being easy to remember, but hard to guess,” he added. This is easier said than done, but there are a few tricks for pulling it off. Think of something known only to you, the name of your first crush, perhaps. Or maybe an expression no one else would know (maybe the punchline of an inside joke or a phrase from your childhood), and use the first letter of each word in the phrase, suggested Ron Sterling, president of Sterling Solutions, a healthcare information technology consulting firm in Silver Spring, Md. Some people choose a line from a favorite song and use the first letters of that. When you add in numbers and symbols, avoid obvious substitutions, such as $ for S or 3 for B. Hackers figured out those tricks a long time ago, though Williams did recommend capitalizing random letters. “Random is important,” he said.
Whatever password you choose, said Sterling, be sure it isn’t easily discovered from your bio or Facebook page. Don’t use kids’ or pets’ names, the name of your medical school, or the name of your office, and don’t use a password you use in other places, such as for your bank account.
Guard it Carefully
Once you have a great password, protect it. The reason you went to so much trouble to choose a password you could remember is so you wouldn’t have to write it down. Those sticky notes with passwords stuck to computer screens or tucked under keyboards are HIPAA violations for a reason. And no matter how innocent it may seem, never share your passwords- even with family members or close associates. “In my experience, doctors sometimes give their passwords to medical assistants or nurses,” said Sterling. “This is a violation of HIPAA, and a bad practice in any case.” Any time someone-anyone for any reason-gets access to your password, change it immediately. And one last thing: Even after you’ve gone to all that trouble to choose a great password, you should still change it often, about every 30 days Williams suggested. “It gets difficult with so many passwords to remember,” he said, “but it’s still important to change often.”