The Importance of Using Passwords in Healthcare

Passwords and Passphrases

The Administrative Safeguards of the HIPAA Security Rule requires Covered Entities (CEs) and Business Associates (BAs) to:

Implement procedures for creating, changing and safeguarding passwords [For details see: Security Awareness and Training, §164.308(a)(5)].

Make sure you create and regularly use strong passwords (i.e. usually 10 characters or more and includes uppercase and lowercase letters, numbers, and special characters like #$&*).

When creating your passwords, consider using unique “passphrases,” which are sentences may be easier to remember than a very complex password e.g. “I got A new bike for my 8th birthday!” would be ItAwkry8b!

Do NOT use passwords or phrases that would be easy to guess, such as a pet’s name or your birth date.

Maintaining strong and unique passwords will decreases the risk of password guessing based on commonly used passwords, information about you that might be publicly available, or password cracking tools that hackers use.

Are You Using the Same Password for All Users?

Does the HIPAA Security Rule permit a CE or BA to assign the same log-on ID or user ID to multiple employees?



Under the HIPAA Security Rule, CEs and BAs, regardless of their size, are required, under § 164.312(a)(2)(i) to “assign a unique name and/or number for identifying and tracking user identity.”

A “user” is defined in § 164.304 as a “person or entity with authorized access.” Accordingly, the HIPAA Security Rule requires CEs and BAs to assign a unique name and/or number to each employee or workforce member who uses a system that maintains electronic protected health information (ePHI), so that system access and activity can be identified and tracked by user.

This pertains to workforce members within small or large healthcare provider offices, health plans, group health plans, and healthcare clearinghouses.

Over the past years, the healthcare sector has been one of the biggest targets of cybercrimes resulting in breaches due to weak authentication. To learn about Two Factor Authentication sign up for your copy of our HIPAA Security Rule – Know The Rules! Newsletter Today!!