HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Can You Keep a Secret? Tips for Creating Strong Passwords

The computers in your office are veritable treasure chests of information cyber pirates would love to get their hands on. Only authorized personnel in a practice should have the keys to unlock what’s inside. Passwords are those keys. They play an important role in protecting Electronic Health Records (EHR) and the vital information those records hold.

The HIPAA Security Rule says that “reasonable and appropriate . . . procedures for creating, changing, and safeguarding passwords” must be in place. But the rule doesn’t stop there. It goes on to say that “In addition to providing passwords for access, entities must ensure that workforce members are trained on how to safeguard information. Covered entities must train all users and establish guidelines for creating passwords and changing them during periodic change cycles.”

Regardless of the type of computers or operating system your office uses, a password should be required to log in and do any work. Today’s blog will focus on how to create strong passwords – the kind that aren’t easily guessed. And since attackers often use automated methods to try to guess a password, it is important to choose one that doesn’t have any of the characteristics that make passwords vulnerable.

How to stay ahead of the hackers

They’re a clever bunch, those hackers. And they seem to know a lot about human nature, too. They’ve figured out the methods most people use when choosing a password. And they’ve turned that knowledge to their advantage.

To outsmart them, create a password that’s:

NOT a word found in any dictionary, even foreign ones
NOT a word in any language — including its slang, dialects, and jargon
NOT a word spelled backwards
NOT based on recognizable personal information — like names of family and friends
NOT a birthdate
NOT an address or phone number
NOT a word or number pattern on the keyboard — for instance, asdfgh or 987654

A strong password should:

Be at least 8 characters in length
Include a combination of upper and lower case letters, at least one number and at least one special character, like an exclamation mark

Examples of strong passwords

With their weird combinations of letters, numbers, and special characters, passwords can be a challenge to remember. Starting with an easy-to-remember phrase and then tweaking it to fit the guidelines for strong passwords is one way around that problem.

For instance:

1h8mond@ys! (I hate Mondays!)

5ayBye4n@w (Say bye for now)
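The rules above are easy to state and easy to forget at the moment someone picks a password, so a practice will usually want them enforced by the system that accepts the password. The following checker is an added example, not code from the original post; it applies the post's rules (length, character mix, dictionary words forwards and backwards, personal information, dates and phone numbers, keyboard patterns) to a candidate password and reports which rules it breaks. The word list is a small constructed stand-in for a real multi-language dictionary, and the keyboard rows assume a US layout; a deployed check would load a full word list and the layouts your staff actually use.

```python
"""Added example (not part of the original post): a checker that applies the
post's strong-password rules to a candidate password and lists violations."""
import re

# Constructed stand-in for a real dictionary; a deployed checker would load a
# full word list covering other languages, slang and jargon (assumption).
DICTIONARY_WORDS = {"password", "monday", "welcome", "dragon", "hello", "doctor", "letmein"}

# Rows of a US keyboard (assumption), used to catch runs such as "asdfgh" or "987654".
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:,.<>?/|\\~`'\"")


def _keyboard_pattern(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters of pw walk a keyboard row
    forwards or backwards (e.g. 'asdf', '9876')."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seg = row[i:i + run]
            if seg in low or seg[::-1] in low:
                return True
    return False


def check_password(pw: str, personal_info=()) -> list:
    """Return a list of the post's rules that the candidate password breaks.

    An empty list means it satisfies every rule.  personal_info is an optional
    sequence of strings (family names, phone numbers, street names) that must
    not appear anywhere inside the password.
    """
    problems = []
    low = pw.lower()
    letters_only = re.sub(r"[^a-z]", "", low)   # "Password1!" -> "password"

    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[a-z]", pw):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("no upper-case letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no number")
    if not any(c in SPECIAL_CHARS for c in pw):
        problems.append("no special character")
    if letters_only in DICTIONARY_WORDS:
        problems.append("is a dictionary word")
    if letters_only[::-1] in DICTIONARY_WORDS:
        problems.append("is a dictionary word spelled backwards")
    for item in personal_info:
        if item and item.lower() in low:
            problems.append(f"contains personal information ({item})")
    if re.search(r"(19|20)\d\d", pw):
        problems.append("contains a year (possible birthdate)")
    if re.search(r"\d{6,}", pw):
        problems.append("contains a long digit run (date, phone number or address)")
    if _keyboard_pattern(pw):
        problems.append("contains a keyboard pattern")
    return problems


if __name__ == "__main__":
    # The post's two examples plus a few constructed weak candidates.
    for candidate in ["1h8mond@ys!", "5ayBye4n@w", "Password1!", "asdfgh12"]:
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate:14} {', '.join(verdict)}")
```

Run as written, the checker passes 5ayBye4n@w on every rule and reports 1h8mond@ys! only for lacking an upper-case letter, which is the post's own mixed-case rule being applied literally; Password1! is caught as a dictionary word once the digits and punctuation are stripped, and asdfgh12 is caught as a keyboard run. Checking for dictionary words on the letters alone is what stops the common trick of appending "1!" to a plain word.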

Safety first

The importance of having strong passwords — the longer, the better — and changing them on a regular basis can’t be overstated. And it goes without saying that writing a password on a Post-It note and attaching it to a computer monitor should never be done. Do everything you can to make your passwords strong, and store them somewhere safe. These steps will help ensure the security of your PHI and give those hackers fits.

HIPAA Hurdles in 2015 | HIPAA, HITECH & HIT

Nearly a year ago, as described in an earlier blog post, one of my favorite health industry journalists, Marla Durben Hirsh, published an article in Medical Practice Compliance Alert predicting physician practice compliance trends for 2014.  Marla quoted Michael Kline’s prescient prediction that HIPAA would increasingly be used as “best practice” in actions brought in state court:  “People will [learn] that they can sue [for privacy and security] breaches,” despite the lack of a private right of action under HIPAA itself.  Now, peering ahead into 2015 and hoping to surpass Michael’s status as Fox Rothschild’s HIPAA soothsayer, I thought I would take a stab at predicting a few HIPAA hurdles that covered entities, business associates, and their advisors are likely to face in 2015.

1. More sophisticated and detailed (and more frequently negotiated) Business Associate Agreement (BAA) terms. For example, covered entities may require business associates to implement very specific security controls (which may relate to particular circumstances, such as limitations on the ability to use or disclose protected health information (PHI) outside of the U.S. and/or the use of cloud servers), comply with a specific state’s (or states’) privacy and security law requirements, limit the creation or use of de-identified data derived from the covered entity’s PHI, or purchase cybersecurity insurance. The BAA may describe the types of security incidents that do not require per-incident notification (such as pings or attempted firewall attacks), but also identify or imply the many types of incidents, short of breaches, that do. In short, the BAA will increasingly be seen as the net (holes, tangles, snags and all) through which the underlying business deal must flow. As a matter of fact, the financial risks that can flow from a HIPAA breach can easily dwarf the value of the deal itself.

2. More HIPAA complaints – and investigations. As the number and scope of hacking and breach incidents increases, so will individual concerns about the proper use and disclosure of their PHI. Use of the Office for Civil Rights (OCR) online complaint system will continue to increase (helping to justify the $2 million budgeted increase for OCR for FY 2015), resulting in an increase in OCR compliance investigations, audits, and enforcement actions.

3. More PHI-Avoidance Efforts. Entities and individuals who do not absolutely require PHI in order to do business will avoid it like the plague (or transmissible disease of the day), and business partners that in the past might have signed a BAA in the quick hand-shake spirit of cooperation will question whether it is necessary and prudent to do so in the future. “I’m Not Your Business Associate” or “We Do Not Create, Receive, Maintain or Transmit PHI” notification letters may be sent and “Information You Provide is not HIPAA-Protected” warnings may appear on “Terms of Use” websites or applications.

The overall creation, receipt, maintenance and transmission of data will continue to grow exponentially and globally, and efforts to protect the privacy and security of one small subset of that data, PHI, will undoubtedly slip and sputter, tangle and trip.  But we will also undoubtedly repair and recast the HIPAA privacy and security net (and blog about it) many times in 2015.

Have a Happy and Healthy HIPAA New Year!
