Shared passwords in healthcare can sometimes boost productivity, but stringent control is essential to safeguard access to electronic protected health information (ePHI). Under the standards set by the Health Insurance Portability and Accountability Act (HIPAA), healthcare professionals must not share passwords that grant access to ePHI. Companies may endorse password sharing to encourage collaboration, delegate work, cut costs, or allow colleagues to access accounts when someone is absent, working remotely, or on sick leave. Some employees, when unable to recall their own credentials, use a colleague's login rather than call the IT Helpdesk. Unfortunately, the methods used to share passwords often lack even basic security measures.
Despite the increasing focus on online security within the healthcare industry, it may seem strange that healthcare organizations allow password sharing at all. In practice, however, the practice is limited to specific situations and, when it is properly monitored and controlled, can enhance productivity in certain areas. For example, the marketing department may share passwords for company social media accounts, the finance department may share passwords for company bank accounts, and the IT department may share passwords for cloud computing accounts.

Nevertheless, there is one circumstance in the healthcare industry where password sharing should never be allowed: accessing electronic Protected Health Information (ePHI). Complying with the Technical Safeguards of the HIPAA Security Rule requires audit controls that record and examine activity in systems containing ePHI, so that any unauthorized disclosure, alteration, or deletion of ePHI can be traced back to the individual responsible. Under 45 CFR § 164.312(a)(2)(i), Covered Entities must assign each user a unique name and/or number for identifying and tracking that user's identity; the password is the authentication factor tied to that identifier (45 CFR § 164.312(d)), not the identifier itself. A shared password defeats the purpose of the unique identifier: once two people log in as the same user, the audit trail can no longer attribute an action to either of them. Furthermore, the Administrative Safeguards at 45 CFR § 164.308(a)(5)(ii)(D) require procedures for creating, changing, and safeguarding passwords, and a password that has been shared can no longer be considered safeguarded.
When healthcare providers do allow password sharing for accounts that hold no ePHI, it is important to do so securely. A carelessly shared social media password can be abused to post inaccurate health advice under the organization's name; the consequences of a compromised bank account are typically financial; and companies have suffered significant losses when attackers used compromised cloud accounts to mine cryptocurrency. To minimize the risk of compromised accounts, healthcare organizations should consider password managers that offer secure password sharing features. These solutions allow controlled access to corporate passwords, whether they are shared or not, and ensure that the passwords in use are strong, random, and not reused elsewhere within the organization. Password managers with secure sharing can also help deliver credentials to remote workers, provided appropriate controls guarantee the secure transmission of login credentials: cross-platform support (e.g. PC, mobile, web), flexible integrations, and strong encryption to protect data in transit.