Weak Passwords Put Practice Data at Risk

Should someone break into a medical practice's system because of a weak password, the practice would be in violation of HIPAA if patient data became exposed. Since most adults already have five or more passwords to remember, they choose weak, easy-to-remember passwords that put the practice at risk.

Many adults might be suffering from password overload, according to a recent study conducted by Harris Interactive. According to the study, 59% of adults have five or more unique passwords associated with their online logins, and 30% have more than 10 different passwords to remember. The sheer volume could certainly account for why people take shortcuts when creating new passwords that actually make them more vulnerable.

When Yahoo! was recently hacked and a file of people’s passwords posted on the Internet, the list revealed that the most common password for Yahoo! users was the word “password,” according to Marty Jost, product marketing manager, with Symantec Corp.

“Passwords are an imperfect system, but in some ways it’s the best one we have,” Jost says.

And physicians have a lot to lose by not maximizing the system to its fullest.

Double exposure

Jost explains that physicians have a regulatory responsibility to protect their patient data — HIPAA. Should someone break into a medical practice’s system because of a weak password, the practice would be in violation of HIPAA if patient data became exposed.

“That’s the regulatory side of it,” Jost says. “There’s also a civil side of it, which is that you have a due diligence responsibility to exercise protection of that data that’s in your hands. And I don’t know of any case law examples where this happened, but you could imagine that if you didn’t take measures to protect these passwords that we all know have their flaws, there could be some kind of civil exposure as well.”

The hidden risk for physicians is that there are other people who have access to the practice’s secure files. As such, physicians need to make sure that those other people —staff members — are exercising the same caution they would with their own property.

A strong password

Jost says that, in general, it’s a good idea to have complex passwords that are at least eight characters in length and use a mixture of numbers, letters and special symbols. It’s also a good idea to change a password every 30 to 90 days, just in case it does become compromised in some way.

But that, Jost explains, creates a double-edged sword because complex passwords are more difficult to remember. To rectify that dilemma, many businesses are implementing multi-factor authentication systems.

These systems, says Jost, allow the users to choose passwords they can remember, but it will also see if the computer they’re logging in from is a familiar computer. And if it’s not, then there will be some other hurdles they have to get past before they’re allowed to log in.

“Many large organizations have already moved in this direction,” Jost says. “And it’s starting to move down into even smaller practices. If you have both personal and business exposure because of the sensitive data you handle or the money you handle, then you’d want to do this.”

A most secure approach

Physicians who want to have the most secure system should consider what Jost calls a special security device or a security token. Every time the physician logs in the device will generate a unique security code that the physician must enter in combination with his or her password. In some respects, it takes the onus of having to remember a long, complex password out of the hands of the user.

“If you make the rules too complex people can’t remember anymore,” Jost says. “But you need something stronger than a simple password, because the nature of human beings is they will take the short cut, and inadvertently compromise the security.”

One very good rule for building a strong yet easy-to-remember password is to take a standard phrase, such as “I want to win the Lottery,” and turn it into an acronym along with a number and special symbol. For example, the phrase becomes “iwtwtl.” Add in the number 4 and the symbol $ and you have “iwtw4$tl” — a most secure password.

Lastly, never share your password, even if you’re on the phone with someone from tech support. Chances are they will not need your password, or they likely have access to it already. Remember: passwords are like secrets. If you share them with others, they’re no longer secrets. And the data stored by your medical practice may be in harm’s way.