Passwords are what we use to protect access to systems or tools and in the healthcare industry those passwords protect very sensitive information. Therefore, it’s important to communicate with the entire organization on the dangers of sharing passwords with coworkers. This may seem obvious to those that work in security, but the risks are not at the front of everyone’s mind. Reminding everyone of the risks involved in sharing passwords may cause people to think twice about it next time.
Sharing passwords can be dangerous especially if the individual uses the same password for multiple accounts. This would cause the person who was given one set of credentials to be able to access multiple systems that they may not have been granted access to. They would be able to access the account owner’s personal accounts, as well. Shared passwords can also make it easier for hackers to gain access to parts of the network once in the system.
Many of those that share passwords are not doing so maliciously but could leave the organization vulnerable, especially if an employee with shared credentials is terminated and is still able to access systems with sensitive information. Additionally, it can be risky to share passwords because not all employees have the same access within systems. This could lead to employees having access to ePHI that shouldn’t! It then can be very difficult to determine who inappropriately accessed ePHI if multiple people have access to the same account.
Try to educate the organization about the risks of shared passwords and encourage long passphrases, unique passphrases for each system or service, and the use of a password vault or manager. Then, make sure to update your Password Policy and make it available to everyone. As always and if possible, implement multi-factor authentication wherever you can!
