Sharing Passwords in Healthcare

While there are some circumstances in which sharing passwords in healthcare can foster productivity, password sharing should be strictly controlled and never permitted for accessing ePHI. Indeed, if a healthcare professional shares a password that allows any other entity to access ePHI, it is a violation of HIPAA.

In a Survey Monkey poll conducted earlier this year, 34% of respondents said they shared passwords or accounts with colleagues. When asked why, 38% of password-sharing respondents said it was a company policy, while an even bigger percentage said they did it to enhance productivity – regardless of company policies concerning password sharing.

The reasons why companies sanction password sharing typically include enabling collaboration, delegating work, reducing costs, and providing account access to colleagues when one employee is out of the office, working remotely, or off sick. Some employees use colleagues´ log-in credentials when they have forgotten their own to reduce the burden on the IT Helpdesk.

Unfortunately, the way in which passwords are shared is often insecure. Only 12% of password-sharing respondents said they used a password manager. Other ways in which passwords were shared included email, spreadsheets, and writing them down on paper. Nearly one-in-six claimed to memorize passwords, which doesn´t say a lot about the complexity of the passwords they are using.

Use Cases for Password Sharing in Healthcare

With there being so much emphasis on online security in the healthcare industry, it may appear unusual that healthcare organizations sanction password sharing. However, this practice is usually limited to specific circumstances; and, when effectively monitored and controlled, password sharing can support productivity in certain areas. Examples of password sharing in healthcare could include:

  • A marketing department sharing passwords for company social media accounts,
  • A finance department sharing passwords for company bank accounts, or
  • An IT department sharing passwords for cloud computing accounts.

However, one circumstance in which password sharing in healthcare should never be permitted is password sharing to access ePHI. This is because, to comply with the Technical Safeguards of the HIPAA Security Rule, access to ePHI has to be monitored and logged so that any unauthorized disclosure, alteration, or deletion of ePHI can be tracked back to the perpetrator.

Therefore, under 45 CFR § 164.312, Covered Entities are required to implement procedures that verify a person accessing ePHI is who they claim to be, and that person must also be assigned a unique name or number (i.e., a password) for identifying and tracking user identity. Furthermore, under 45 CFR § 164.312, Covered Entities have to implement “procedures for creating, changing, and safeguarding passwords” – “safeguarding” implying that passwords are not to be shared.

How to Share Passwords Securely

In circumstances in which password sharing in healthcare is sanctioned, it is advisable to share credentials securely. A hacked social media account can result in communities receiving inaccurate health advice. The consequences of a hacked bank account are usually financial, while companies have lost millions of dollars to hackers who take over cloud accounts to mine cryptocurrencies.

To mitigate the risk of account compromise, healthcare organizations should implement password managers with secure password sharing capabilities. Solutions of this nature can be used to control who has access to corporate passwords – whether they are shared or not – and to check that the passwords in use are strong, complex, and random, and not repeated elsewhere in the organization.

Password managers with secure password sharing capabilities can also be used to share passwords with remote workers if the right controls are in place to ensure the secure transmission of login credentials. For example, the password manager must have cross-platform capabilities (i.e., PC, mobile, web, etc.), flexible integrations, and a high standard of encryption to protect data in transit.

Sharing Passwords in Healthcare Q&A

How do password managers such as Bitwarden monitor and control password sharing?

When passwords are shared through the Bitwarden password manager, administrators manage who has access to what passwords via an architecture consisting of organizations, groups, and collections. Within this architecture, administrators have total visibility over corporate password activity via detailed event logs and policy reports.

How can Bitwarden mitigate the risk of account compromise when passwords are shared?

Most account compromises are attributable to brute force attacks on weak passwords and phishing. Bitwarden empowers individuals and organizations to adopt password best practices and use strong, unique passwords for each account. The platform also has safeguards in place to prevent users disclosing shared passwords on phishing sites or to unauthorized third parties.

What cross-platform capabilities does Bitwarden have?

Bitwarden can be download as a desktop or mobile app for most operating systems, deployed in multiple web browsers, or accessed via the web from any Internet-connected device. Each individual user´s stored and shared credentials are synchronized across all devices and platform so the user always has access to them.

What standard of encryption does Bitwarden use to protect data?

Bitwarden use AES-CBC 256-bit encryption to protect data stored in the platform – the same level of encryption as used by government agencies. The encryption key is derived using the PBKDF2 SHA-256 standard, which uses a process known as “key stretching” to create 200,001 iterations of the encryption key – making it virtually uncrackable.