Scanning or dictating passwords? Not safe!
It is natural that as technology evolves, password techniques and requirements will too. For example, last week the Information Security Team announced a change to the Asante password policy: Passwords will no longer expire on a regular basis, but they will need to have at least 10 characters and meet specific complexity rules. The implementation of Duo multifactor authentication is another example of a change that improves user authentication and strengthens the security of our patient care and business operations systems.
Unfortunately, even with improvements in password requirements, it is still tempting to avoid having to input a secret password to access a computer in a busy clinical environment.
Case in point: Recently, some employees created a QR code for their password so they could quickly scan it to access Asante systems. ITS was not notified of this employee-made password “solution” before clinicians began using it. Password entry was fast, yes, but QR code data is stored and transmitted in “plain text” (not encrypted), so the password becomes:
- Readable by others
- Left unprotected for misuse
- Not HIPAA-compliant
In another case, clinicians had configured a dictation system to enter their secret password automatically upon hearing the word “password” spoken. The password was stored in plain text in the dictation program, easily visible to Asante employees and vendor contacts with access to system configuration information.
Asante passwords must never be written down, printed or stored in a way that makes them retrievable by others. This includes putting them on sticky notes, QR codes, bar codes, stickers, etc. See the policy.
Security is always a balance between convenience and risk. In this age of easily available and free technology, employees must trust that ITS-approved practices and security policy will guide them to safe use of Asante resources. In contrast, adopting the latest and readily available technology without ITS oversight creates unmanageable and risky shadow IT for Asante.
Asante is under constant attack from cybercriminals. Each week, Asante security technology protects against 10 million foreign attempts to break through our firewall and rejects more than 300,000 risky emails targeting our employees. Secure passwords are an important line of defense against the cybercriminal onslaught.
Be part of the Asante human firewall. Follow the lead of ITS and the Security Team when it comes to password use methodology and other IT practices.