We’ve all received this heart-stopping notification: Your password will expire tomorrow. Please consider changing your password.
It usually elicits the same few responses: Is something wrong with my password? Why do I need to change? I liked my password. I saved my password. I KNEW my password!
When it comes to your healthcare organization’s cybersecurity, you’re going to have to decide whether or not to implement expiring passwords as one of your practices. Before you do so, though, it’s essential to understand whether or not expiring passwords are effective and how an authenticator can be an opportunity to ensure effective, secure passwords that don’t need to be changed.
First, let’s be clear: Contrary to popular belief, you DO NOT need expiring passwords as part of your cybersecurity practices.
Not only does HIPAA not require periodic changing of passwords, but Specops notes that the National Institute of Standards and Technology (NIST), the National Cyber Security Centre (NCSC), and Microsoft are also advising against forcing password expiration without reason. This is because password expiration only minimizes cyberattacks when this is a hacker’s point of entry to your network. If an organization is already enforcing strong passwords and enabling multi-factor authentication, these strong passwords remain useful.
Also, NIST states that “Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).” However, they clarify that verifiers “SHALL force a change if there is evidence of compromise of the authenticator.”
So, what’s the catch? No expiring passwords mean my users will love me, right? Yes, BUT it’s not as easy as informing everybody that you aren’t expiring passwords anymore. That’s the first step. THEN, seize the moment as an opportunity to implement a new system with increased security and effective, secure passwords that don’t need to be changed. It’s one moment of change, but you get a user-friendly security system for the long haul in exchange.
Once you’re ready to implement your new system — or if your users decide to change their passwords at any point in time — make it easy on them!
Matterform can help with Secure Password Policies for Your Medical Practice and a secure passphrase generator.
Not sure if your password security is up to standards? Watch this and learn why your passwords are (probably) terrible, but it’s not your fault.
No matter what you decide or how well you’ve been protected to this point, Matterform can always help you as your healthcare organization moves forward.