


Passwords: A New Approach to an Old-School Security Strategy

Laura M. Cascella, MA


In the current healthcare technology landscape — which includes robotics, telehealth, artificial intelligence, virtual reality, and more — password security might seem like a mundane topic. Clinicians and other healthcare workers have used passwords for years to log in to various organizational systems, and these actions have likely become second nature. In recent years, however, cyberattacks and data breaches have heightened security concerns for healthcare organizations, emphasizing the need to develop new security strategies and revisit old protocols.  

Although the concept and purpose of passwords are not new, these security controls still prove troublesome for healthcare organizations. Examples of common password problems include staff creating weak passwords, sharing passwords, writing passwords on paper, posting passwords in visible locations, and forgetting to log out of systems. Unfortunately, even minor oversights in password security can result in significant consequences. Failure to follow best practices for creating, updating, and recovering passwords might put confidential and protected information at risk, potentially increasing the risk of data breaches and HIPAA violations.

Below are lists of “do’s” and “don’ts” for password security, curated from various cybersecurity resources.¹ Use these recommendations to review your healthcare organization’s current password protocols and pinpoint potential security issues and areas in which changes might be necessary.

Password Do’s

  • Require staff members to log in to all organizational systems that contain protected health information, confidential files, or sensitive data.
  • Establish security standards that require passwords to be at least eight characters long and use a combination of uppercase and lowercase letters, numbers, and symbols. Research suggests that password length is the primary factor in creating strong passwords, even more than letter/number/symbol combinations. As such, organizations might want to consider the use of passphrases rather than passwords.
  • Encourage staff members to break common password habits, such as placing capital letters at the beginning of a password and numerals at the end.
  • Use two-factor or multi-factor authentication. This method involves a password and at least one other identifying technique, such as an electronic identification card, key fob, or fingerprint recognition.
  • Ensure that systems require users to change their passwords periodically, such as every 90 days.
  • Configure systems to prevent users from repeating the same password within a specified timeframe.
  • Enable a password reset function on your systems so that staff members can change forgotten passwords once their identities are authenticated.
  • Change default passwords that come with systems or programs immediately after installation.
  • Enable optional password protection on any devices or systems that offer this option.

Password Don’ts

  • Avoid passwords with common words or terms, even if the spelling is slightly altered (example: H0spital1234).
  • Avoid passwords that contain personal information, such as first, middle, or last names; pets’ names; street names; Social Security numbers; etc. (example: JaneDoe1965).
  • Avoid passwords that use adjacent keyboard combinations (example: qwerty1234).
  • Avoid passwords that contain pop culture references (example: Game0fThr0nes).
  • Avoid passwords that contain information found on social media sites (example: @JaneDoeTweets).
  • Avoid password hints or knowledge-based authentication (KBA) as a method of password recovery. Evidence suggests that hints often reveal the password itself in a barely disguised form (example: favorite HBO dragon series), and that KBA answers can be easily guessed or researched (example: mother’s maiden name).
  • Do not write down passwords as a method of remembering them, even if you think they are concealed.
  • Do not share passwords with other personnel or let others use a system or network while you are logged in.
  • Do not use the same password for multiple systems and personal/professional accounts.
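The two lists above amount to a policy that a system can enforce at password-change time. The script below is an added example, not code from the MedPro article or any product it cites; it turns the do's and don'ts into a validator: minimum length and character mix, the capital-first/digits-last habit, common words even when spelled with leetspeak (H0spital), pop culture references, personal information supplied as tokens, adjacent keyboard runs, and reuse of recent passwords held as salted hashes rather than plaintext. The word lists, the 16-character passphrase exemption from the character-mix rule, and the five-password history window are constructed assumptions for illustration; a real deployment would load a breached-password corpus and the user's directory attributes instead.

```python
"""Password-policy checker and reuse guard for the do's and don'ts above.

Added example (not from the article or MedPro): word lists, keyboard rows and
leetspeak mappings are constructed here and deliberately tiny.
"""
import hashlib
import hmac
import os
import re
from typing import Iterable, List, Optional, Tuple

MIN_LENGTH = 8            # "at least eight characters long"
PASSPHRASE_LENGTH = 16    # assumption: a passphrase this long may skip the class mix
HISTORY_DEPTH = 5         # assumption: refuse any of the last five passwords

# Constructed word lists (stand-ins for a real dictionary / breach corpus).
COMMON_WORDS = {"hospital", "password", "welcome", "medical", "clinic", "nurse"}
POP_CULTURE = {"gameofthrones", "starwars", "harrypotter"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Reverse common leetspeak so "H0spital" is recognised as "hospital".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Lower-case and undo leetspeak substitutions."""
    return password.lower().translate(LEET)


def has_keyboard_run(password: str, run_len: int = 4) -> bool:
    """True if run_len consecutive characters sit adjacent on a keyboard row."""
    low = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(low) - run_len + 1):
            chunk = low[i:i + run_len]
            if chunk in row or chunk in row[::-1]:
                return True
    return False


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the history stores these, never the plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


class PasswordHistory:
    """Remembers salted hashes of the last `depth` passwords so reuse can be refused."""

    def __init__(self, depth: int = HISTORY_DEPTH) -> None:
        self.depth = depth
        self._entries: List[Tuple[bytes, bytes]] = []

    def remember(self, password: str) -> None:
        self._entries.append(hash_password(password))
        self._entries = self._entries[-self.depth:]

    def contains(self, password: str) -> bool:
        return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
                   for salt, digest in self._entries)


def check_password(candidate: str,
                   personal_tokens: Iterable[str] = (),
                   history: Optional[PasswordHistory] = None) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    violations: List[str] = []
    low, norm = candidate.lower(), normalize(candidate)
    alnum = re.sub(r"[^a-z0-9]", "", norm)   # for multi-word references

    if len(candidate) < MIN_LENGTH:
        violations.append(f"too short (minimum {MIN_LENGTH} characters)")

    classes = (any(c.isupper() for c in candidate), any(c.islower() for c in candidate),
               any(c.isdigit() for c in candidate), any(not c.isalnum() for c in candidate))
    if len(candidate) < PASSPHRASE_LENGTH and not all(classes):
        violations.append("needs upper, lower, digit and symbol (or a 16+ character passphrase)")

    # The habit to break: one capital at the start, all the numerals at the end.
    if re.fullmatch(r"[A-Z][a-z]+\d+\W*", candidate):
        violations.append("predictable layout: capital first, digits last")

    if any(word in low or word in norm for word in COMMON_WORDS):
        violations.append("contains a common word or its leetspeak variant")
    if any(ref in alnum for ref in POP_CULTURE):
        violations.append("contains a pop culture reference")

    tokens = [t.lower() for t in personal_tokens if len(t) >= 3]   # names, years, handles
    if any(t in low or t in norm for t in tokens):
        violations.append("contains personal information")

    if has_keyboard_run(candidate):
        violations.append("contains an adjacent keyboard sequence")

    if history is not None and history.contains(candidate):
        violations.append(f"reuses one of the last {history.depth} passwords")
    return violations


if __name__ == "__main__":
    for pw in ["H0spital1234", "qwerty1234", "Game0fThr0nes", "Correct-Horse-Battery-7!"]:
        print(pw, "->", check_password(pw) or "OK")
```

The personal-information check depends on the caller passing the tokens the organization actually holds for the user (name parts, birth year, known social media handle), which is why it is a parameter rather than a built-in list; the reuse check deliberately compares PBKDF2 digests with `hmac.compare_digest` so the history store is no more sensitive than the credential store itself.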

Although no strategy can guarantee complete protection, following best practices for password security and avoiding known password weaknesses can improve your organization’s ability to defend against cyberattacks and data breaches.

Cybersecurity is an issue that will continue to evolve and present challenges in healthcare. As hackers hone their password-cracking skills with emerging tools and technologies, implementing new strategies for password security will become an essential part of healthcare organizations’ security protocols and staff education priorities.

Unfortunately, even the most sophisticated security technologies can be futile if the people using networks, devices, and systems lack awareness of, or are noncompliant with, security protocols. A proactive approach to keeping current with cybersecurity issues, identifying potential gaps and vulnerabilities, and educating and engaging staff in security initiatives will help healthcare organizations build and maintain robust security cultures.


¹ Office of the National Coordinator for Health Information Technology. (2015, January). Top 10 tips for cybersecurity in healthcare. U.S. Department of Health and Human Services. Retrieved from www.healthit.gov/providers-professionals-newsroom/top-10-tips-cybersecurity-health-care;
Office of the National Coordinator for Health Information Technology. (2010, November). Cybersecurity: 10 best practices for the small healthcare environment. U.S. Department of Health and Human Services. Retrieved from www.healthit.gov/sites/default/files/basic-security-for-the-small-healthcare-practice-checklists.pdf;
Venditto, G. (2015, October). Best practices for password security. Healthcare IT News. Retrieved from www.healthcareitnews.com/news/best-practices-password-security;
National Institute of Standards and Technology. (2017, June). Digital identity guidelines (NIST Special Publication 800-63-3). Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf
