
Scanning or dictating passwords? Not safe!

Asante’s security team has learned that some clinicians have created their own password process. Security analyst Karen McMillen explains how this jeopardizes Asante’s information security and patient care.


It is natural that as technology evolves, password techniques and requirements will too. For example, last week the Information Security Team announced a change to the Asante password policy: Passwords no longer will expire on a regular basis but they will need to have at least 10 characters with specific complexity rules. The implementation of Duo multifactor authentication is another example of change and improvement to user authentication to strengthen the security of our patient care and business operations systems.


Unfortunately, even with improvements in password requirements, it is still tempting to avoid having to input a secret password to access a computer in a busy clinical environment.

Case in point: Recently, some employees created a QR code for their password so they could quickly scan it to access Asante systems. ITS was not notified of this employee-made password “solution” before clinicians began using it. Password entry was fast, yes, but the data stored in and transmitted from a QR code is in “plain text” (not encrypted), so the password becomes:

  • Readable by others
  • Left unprotected for misuse
  • Not HIPAA-compliant

In another case, clinicians had configured a dictation system to enter their secret password automatically upon hearing the word “password” spoken. The password was stored in plain text in the dictation program, easily visible to Asante employees and vendor contacts with access to system configuration information.

Asante passwords must never be written down, printed or stored in a way that makes them retrievable by others. This includes putting them on sticky notes, QR codes, bar codes, stickers, etc. See the policy.

Security is always a balance between convenience and risk. In this age of easily available and free technology, employees must trust that ITS-approved practices and security policy will guide them to safe use of Asante resources. In contrast, adopting the latest and readily available technology without ITS oversight creates unmanageable and risky shadow IT for Asante.

Asante is under constant attack from cybercriminals. Each week, Asante security technology protects against 10 million foreign attempts to break through our firewall and rejects more than 300,000 risky emails targeting our employees. Secure passwords are an important line of defense against the cybercriminal onslaught.

Be part of the Asante human firewall. Follow the lead of ITS and the Security Team when it comes to password use methodology and other IT practices.
