A review of the current New Users and Password Requirements policies, together with the proposed changes to these policies and their justifications, is given below.
Current Policies: New Users
“New Users are assigned access based on the content of an access request. The submitter must sign the request and indicate which systems the new user will need access to and what level of access will be needed. A manager’s approval is required to grant administrator level access.”
Current Policies: Password Requirements
“Passwords must be at least eight characters long and contain a combination of upper- and lowercase letters. Shared passwords are not permitted on any system that contains patient information. When resetting a password, users cannot reuse any of the previous six passwords that were used. Users entering an incorrect password more than three times will be locked out for at least 15 minutes before the password can be reset.”
A: Revised Policies: New Users
“New Users are assigned appropriate access based on their role within the organization and their need to access specific data and/or data stores. The user and supervisor must submit a signed request and indicate which systems (roles) the new user will need access to and what level of access will be required. To grant administrator-level access, an additional signature from a manager is required. New Users are required to complete training on workforce awareness, password management procedures, remote device protection, and the transmission of EPHI (Electronic Protected Health Information) over open networks (e.g., email) or the downloading of files to public or remote computers. The awareness training must be completed and documentation submitted as part of the access approval process” (HIPAA Security Guidance, 2006).
Revised Policies: Password Requirements
“Passwords must be at least eight characters long and contain a combination of uppercase letters, lowercase letters, numbers and special characters. Passwords cannot contain standard...