Q&A: Best practices for storing passwords
Q: We recently took a survey and many of our employees admitted to saving their passwords in a Word® document or a Notes® file on their phone. Is this riskier than having passwords written down on paper and stored in a safe place at work or home? How can we discourage employees from writing down their passwords anywhere?
A: Both are risky propositions unless the files are encrypted and protected with a strong password or PIN. As long as the passwords are secure, it is not likely that someone could capture them. Keep in mind, though, the HIPAA Security Rule requires covered entities (CE) and business associates (BA) to implement a process that supports emergency access. If the password cannot be easily reset, you may find yourself at odds with the Office for Civil Rights (OCR). Also, it becomes more difficult to access important information if the employee is terminated without communicating his or her password.
The best way to encourage employees to not write down passwords is to provide training regarding password management and the risks associated with writing down passwords, such as noting that the employee is ultimately responsible if a password is stolen and someone impermissibly accesses the data, or if a breach occurs because the password was stolen. Security reminders are important communication vehicles in addition to formal training. They don’t need to be long, and they provide another opportunity to get the message across. It is also a good idea to remind employees of the company policy and what happens if it is violated. Another incentive would be to provide employees with a password manager, like LastPass or 1Password, that can be used across multiple platforms.
Editor’s note: Chris Apgar, CISSP, is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.