HIPAA Security: Protecting Passwords

Revised: September 8, 2005

From: "Opland, Russell" <OplandR@uphs.upenn.edu>
Date: March 31, 2005 2:49:15 PM EST
To: "All Exchange Users" <allexu@uphs.upenn.edu>
Subject: HIPAA Security: Protecting Passwords

One of our greatest areas of vulnerability is the passwords we use to log in to the UPHS network and computer systems. There are freely available hacker tools on the internet that use the incredible computing power of today's desktop computers to "crack" passwords in seconds.

As part of our HIPAA Security initiative, and as a result of a focused risk assessment in this area, we will be implementing requirements for "strong passwords" on our systems starting in late April. When the computer system in question is technically capable of supporting it, a "strong" password is one that is:

Passwords should not be easily associated with you. For example, do not use the following as passwords:

Passwords will be required to be changed periodically, depending on the sensitivity of the information contained in the applicable computer system.

Passwords should not be written down, nor should they be shared with anyone else under any circumstances. This includes Help Desk personnel. Hackers will often pretend to be Help Desk personnel and ask you for your password; this is one of their techniques for gaining access. Our Help Desk personnel will not ask you for your password.

We strongly encourage you to create strong passwords for yourself and begin using them as soon as possible.

Technique for creating easily remembered strong passwords:

How to Change the Password on your Windows-based PC