PASSWORD MANAGEMENT
POLICY # 18
ADMINISTRATIVE MANUAL
APPROVED BY:
ADOPTED:
SUPERSEDES POLICY:
REVISED:
REVIEWED:
DATE:
REVIEW:
PAGE:
HIPAA Security Rule Language:
“Implement… Procedures for creating, changing, and safeguarding passwords…”
Policy Summary:
Sindecuse Health Center (SHC) must regularly train and remind its
workforce members about its process for appropriately creating, changing
and safeguarding passwords.
Purpose:
This policy reflects SHC’s commitment to provide regular training and
awareness to its workforce members about creating, changing, and
safeguarding passwords.
Policy:
1. SHC must develop, implement, and regularly review a formal,
documented process for appropriately creating, changing and
safeguarding passwords used to validate a user’s identity and establish
access to its information systems and data. All SHC workforce members
must be regularly trained and reminded about this process.
2. At a minimum, SHC’s password management system must:
• Require the use of individual passwords to maintain accountability.
• Where appropriate, allow workforce members to select and change their own passwords.
• SHC Information Security Office.
• Require regular password changes.
• Not display passwords in clear text when they are being input into an application.
• Require the storage of passwords in encrypted form using a one-way encryption algorithm.
• Require passwords to be given to users in a secure manner.
• Require the changing of default vendor passwords following installation of software.
Page 1 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
3. SHC’s password creation standards must require at least the following:
• Passwords must have a minimum length of six characters.
• Passwords must not be based on something that can be easily guessed or obtained using personal information (e.g. names, favorite sports team, etc.).
• Passwords must be composed of a mix of numeric and alphabetical characters.
4. At a minimum, SHC password management training and awareness must involve requirements for use of information systems including, but not limited to:
• The importance of keeping passwords confidential and not sharing them with those who ask.
• The need to avoid maintaining a paper record of passwords, unless the record can be stored securely.
• Changing passwords whenever there is any indication of possible information system or password compromise.
• SHC’s password standards.
• The importance of not using the same password for personal and business accounts.
• The importance of changing passwords at regular intervals and avoiding re-using old passwords.
• Changing temporary passwords at the first log-on.
• Not including passwords in any automated log-on process (e.g. stored in a macro or function key).
• Ensuring that SHC workforce members understand that all activities involving their user identification and password will be attributed to them.
Scope/Applicability:
This policy is applicable to all departments that use or disclose electronic protected health information for any purposes.
This policy’s scope includes all electronic protected health information, as described in Definitions below.
Regulatory Category:
Administrative Safeguards
Regulatory Type:
ADDRESSABLE Implementation Specification for Security Awareness and Training Standard
Regulatory Reference:
45 CFR 164.308(a)(5)(ii)(D)
Definitions:
Electronic protected health information means individually identifiable health information that is:
• Transmitted by electronic media
• Maintained in electronic media
Electronic media means:
(1) Electronic storage media including memory devices in computers
(hard drives) and any removable/transportable digital memory medium,
such as magnetic tape or disk, optical disk, or digital memory card; or
(2) Transmission media used to exchange information already in
electronic storage media. Transmission media include, for example, the
internet (wide-open), extranet (using internet technology to link a
business with information accessible only to collaborating parties), leased
lines, dial-up lines, private networks, and the physical movement of
removable/transportable electronic storage media. Certain transmissions,
including of paper, via facsimile, and of voice, via telephone, are not
considered to be transmissions via electronic media, because the
information being exchanged did not exist in electronic form before the
transmission.
Information system means an interconnected set of information resources
under the same direct management control that shares common
functionality. A system normally includes hardware, software,
information, data, applications, communications, and people.
Workforce member means employees, volunteers, and other persons
whose conduct, in the performance of work for a covered entity, is under
the direct control of such entity, whether or not they are paid by the
covered entity. This includes full and part time employees, affiliates,
associates, students, volunteers, and staff from third party entities who
provide service to the covered entity.
Password means confidential authentication information composed of a
string of characters.
Responsible Department:
Information Systems
Policy Authority/Enforcement:
SHC’s Security Official is responsible for monitoring and enforcement of this policy, in accordance with Procedure # (TBD).
Related Policies:
Security Reminders
Protection from Malicious Software
Log-in Monitoring
Password Management
Renewal/Review:
This policy is to be reviewed annually to determine if the policy complies
with current HIPAA Security regulations. In the event that significant
related regulatory changes occur, the policy will be reviewed and updated
as needed.
Procedures:
TBD