HIPAA

Password Change Frequency Schedule

  • 1.  Password Change Frequency Schedule

    Posted 10-21-2013 08:40 AM
    This message has been cross posted to the following eGroups: Privacy Officer's Roundtable and HIPAA.
    -------------------------------------------
    As we are seeing by those that have posted, some of the cycle times that have been shared are consistent with an online article which includes:

    "...While most security experts said that 90 days is a good password expiration limit, some organizations' CIOs said they change theirs anywhere between three, 4.5, six and nine months. This information led Halamka to ask whether changing passwords actually makes data more secure and whether users care about these frequent changes. Creating new passwords frequently may lessen short-term risk, but can lead to employees physically writing them down on paper and exposing them to other healthcare staff."
    (Source: http://healthitsecurity.com/2012/12/04/cio-addresses-password-change-frequency-security-innovation/)

    In the absence of any regulatory or other external requirements, as the Security Officer, I am also as others have shared from within their own environments, that our 6 month cycle time is working well for us.  Now to be sure, as I previously described, my auditing for logged in User IDs for anyone not on the clock for that selected day provides me a very good element of reassurance that I know others may not have to detect potential situations which may indicate workforce members who have compromised the security of their User IDs and passwords by sharing them with others.

    Even if an "expert" were to proclaim from the top of Mt. HIPAA that a shorter cycle time was a "best practice", "industry standard", etc., etc., etc., I don't expect to change our password frequency cycle unless I saw indications that such a change was necessary.  And the good news... in the event this ever came into question, I have a good databank of auditing results to substantiate our position.

    -------------------------------------------
    Frank Ruelas
    Privacy, Security, and Compliance Officer
    Gila River Health Care
    Sacaton, AZ
    -------------------------------------------
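    The audit Frank describes above (checking logged-in User IDs against who was actually on the clock that day, to surface possible credential sharing) can be scripted. The following is an added example written for this thread, not code from the poster or his organization; the timeclock records, the login log lines, the field layout and the 30-minute grace window are all constructed assumptions standing in for whatever a real timekeeping export and authentication log would provide.

```python
"""Flag logins by User IDs that were not clocked in at the time of login.

Added example for the audit described in the post. All data below is
constructed; the record layout, log format and grace period are assumptions.
"""
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed timeclock records: (user_id, clock_in, clock_out)
SHIFTS = [
    ("jsmith",  "2013-10-21 07:00", "2013-10-21 15:30"),
    ("mlee",    "2013-10-21 15:00", "2013-10-21 23:30"),
    ("rgarcia", "2013-10-22 07:00", "2013-10-22 15:30"),
]

# Constructed authentication log: "<date> <time> LOGIN <user> <workstation>"
LOGIN_LOG = """\
2013-10-21 07:12 LOGIN jsmith ws-nursing-04
2013-10-21 19:45 LOGIN jsmith ws-nursing-04
2013-10-21 15:05 LOGIN mlee ws-nursing-02
2013-10-22 09:10 LOGIN rgarcia ws-registration-01
2013-10-22 10:30 LOGIN jsmith ws-registration-01
"""

# Assumed allowance for people who log in shortly before or after clocking.
GRACE = timedelta(minutes=30)


def parse_shifts(records):
    """Map each user to a list of (clock_in, clock_out) datetime pairs."""
    shifts = {}
    for user, clock_in, clock_out in records:
        shifts.setdefault(user, []).append(
            (datetime.strptime(clock_in, FMT), datetime.strptime(clock_out, FMT))
        )
    return shifts


def parse_logins(text):
    """Yield (timestamp, user, workstation) for each LOGIN line in the log."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, action, user, host = line.split()
        if action != "LOGIN":
            continue
        events.append((datetime.strptime(f"{date} {time}", FMT), user, host))
    return events


def on_the_clock(shifts, user, when):
    """True if the user had a shift covering the login time (with grace)."""
    for clock_in, clock_out in shifts.get(user, []):
        if clock_in - GRACE <= when <= clock_out + GRACE:
            return True
    return False


def find_off_clock_logins(records, log_text):
    """Return logins whose user was not clocked in, for human review.

    A hit is not proof of sharing; it is the starting point for the
    follow-up the post describes.
    """
    shifts = parse_shifts(records)
    return [
        (when.strftime(FMT), user, host)
        for when, user, host in parse_logins(log_text)
        if not on_the_clock(shifts, user, when)
    ]


if __name__ == "__main__":
    for when, user, host in find_off_clock_logins(SHIFTS, LOGIN_LOG):
        print(f"REVIEW: {user} logged in at {when} on {host} while not on the clock")
```

With the constructed data, two of jsmith's logins are flagged: one after the 10-21 shift ended and one on 10-22, a day with no shift at all. Running this daily and keeping the output is the kind of "databank of auditing results" the post refers to.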


  • 2.  RE: Password Change Frequency Schedule

    Posted 10-22-2013 07:15 AM
    Thanks Frank! And thank you to all who've provided input. It's so helpful to get a picture of what's happening and to validate that you're not crazy!

    -------------------------------------------
    Deborah Carlino CHC
    Senior Compliance Officer
    Rutgers Biomedical Health Sciences
    Newark, NJ
    -------------------------------------------