Your Passwords
A password leaked from a recipe forum can open your EHR. That’s the attack — credential reuse — and it’s the single most common way a non-medical breach turns into a healthcare breach. A password manager and MFA together change the risk math entirely.
Why this chapter exists, in plain English
Picture this: your laptop isn’t stolen, your office isn’t broken into, and nothing on your end looks wrong. A year ago, a recipe-forum website you’d almost forgotten about was breached — the password list leaked onto the internet. This morning, someone runs that list against your EHR. The email matches yours. So does the password. The EHR just opened. Nothing was stolen from you. Nothing on your laptop mattered. The password was the whole attack.
HIPAA speaks to this in two places. §164.308(a)(5)(ii)(D), an administrative safeguard, requires “procedures for creating, changing, and safeguarding passwords.” §164.312(d), a technical safeguard, calls for authentication — a way to verify the person logging in really is the person they say they are. Translation: “use good passwords” and “make sure only you can log in.”
Two tools carry this chapter. A password manager stores a unique strong password for every account, so one leaked password can’t open the others. Multi-factor authentication (MFA) requires a second factor — usually a code from a phone app — so even if a password does leak, the attacker still can’t log in without your phone. Both tools are free or near-free. Both take under an hour to set up once.
Setup
Which of these accounts touch anything client-related? Pick every one.
Don’t worry about being exhaustive on the first pass — you can come back and add accounts as you remember them.