One of our customers recently had a distribution issue on their local server and we needed to log into their system via VPN so we could help. In order to do so, we had to change our VPN password since it had been six months since we last needed to access their system.
This particular customer is on its game in requiring password changes every 90 days, and although it caused a slight delay, it is absolutely a perfect example of proper password protocol. It also made me stop and think about our password policies — it’s always good to have a reminder.
When an employee leaves, do you have a process in place to remove their ability to log into your system? Have you done an audit on that process? We tend to put processes and policies in place and assume they are all being followed. A simple spot check will either assure you they are or let you know you have some issues that need your attention.
What about your vendors? If they have access to your system, do you have a process in place to let you know when a vendor employee leaves? Have you run a check to make sure that everyone who has access to your system is still employed by the vendor?
Do your team members really understand that they should not be sharing their passwords? You might want to check workstations to make sure they are not writing their passwords down on post-it notes and taping them to their screens.
Are your systems all set up to require that passwords be changed after a specific period of time? Do your systems time out after a period of inactivity? These all seem like really basic things, and something we are sure is being done. The question is: are they actually being done?
Remember: document, document, document. Make sure that the checks you are doing are all documented and easy to find alongside your HIPAA documentation. If you are ever audited, this documentation will be excellent evidence that you not only have the processes and policies in place but that you also verify compliance with them.