- Managing your Practice
-
Virtual Care
Check out guides and resources to help you better use virtual care and technology to support patients.
-
- Your Benefits
-
Introducing the ultimate Club MD experience
From work to play, and everything in between, we provide you with access to hundreds of deals from recognizable, best-in-class brands, elevating every facet of your life – from practice supports to entertainment, restaurants, electronics, travel, health and wellness, and more. Your Club MD membership ensures that these deals are exclusive to you, eliminating the need to search or negotiate.
Welcome to the ultimate Club MD experience. Your membership, your choices, your journey.
-
- Advocacy & Policy
-
Promoting Good Health
Advocating for better health and improved safety on behalf of British Columbians.
-
- Collaboration
-
Working Together
In partnership with the BC government, we are working to make a difference through collaborative programs.
-
- News & Events
-
Stay Informed
Stay up to date with important information that impacts the profession and your practice. Doctors of BC provides a range of newsletters that target areas of interest to you.
Subscribe to the President's Letter
Subscribe to Newsletters
-
- About Us
-
Our Strategic Plan
Our strategic plan guides us in our work to transform the health care system and improve patient care.
-
You are here
- Home
- Managing your Practice
- Doctors Technology Office (DTO)
- Enhance Your Clinic's Security
- Managing user accounts & passwords
You are here
- Home
- Managing your Practice
- Doctors Technology Office (DTO)
- Enhance Your Clinic's Security
- Managing user accounts & passwords
Account credentials, also known as usernames and passwords, are the digital keys to your clinic’s information. In this section you’ll find information about how to:
-
Ensure user accounts are reasonably secure.
-
Establish a system where the right people are accessing the right information in your clinic’s information systems.
Accounts & passwords
The modern clinic environment requires the use of many applications and services, each with their own username and password. This section provides tips on how to manage accounts securely and efficiently. Understanding the benefit of good password practices and the use of multi-factor authentication (MFA) is key to protecting personal health information.
When thinking about accounts, ask yourself:
- Is this account unique to me? Am I the only one who knows the username and password?
-
Sharing accounts makes it difficult to keep track of who has accessed personal health information and increases the risk of personal health information being compromised. Wherever possible, avoid posting passwords at workstations and ensure team members use their own accounts to access clinical systems.
- Am I reusing the same password for all or some of my accounts?
-
Reusing passwords makes it much easier for someone to gain unauthorized access to your accounts. If one account gets compromised, then a malicious actor potentially has access to all accounts with that same password.
- Is multi-factor authentication (MFA) available and enabled?
-
-
MFA is the single best defense against account compromise and blocks the majority of malicious login attempts. Consider enabling MFA whenever it is offered, particularly for your EMR, email, financial accounts, and any other systems that contain personal health information. Not all EMRs offer MFA, so check with your vendor or in your EMR settings for this option.
-
- Is my password easy to guess?
-
Modern password cracking tools can easily break short, predictable passwords, particularly if they contain common words that fit grammatical flow (e.g., iliketacos). Choose passwords that only make sense to you with a minimum 10-character length. They should be easy to remember but hard to guess.
How to manage strong passwords for multiple accounts
The best solution is to use password management software. It provides a place where you can securely store many individual account credentials under a single account. A strong "master" password, often secured additionally with a multi-factor authentication method, is used to store, and access all your login information to other accounts. That way, you only need to remember one password to access all your accounts conveniently and securely, often with only a few clicks.
Popular password manager vendors will offer industry standard security features, therefore the decision on which option to choose is largely based on desired features and preference for the general look, feel and ease of use of the application. Most platforms offer a free or trial service option so you can test it out before fully migrating all your account’s information. Password management software typically offers several related features beyond basic password and credential management including:
-
Secure password generation
-
Password sharing
-
File storage
-
MFA/SSO (single sign on)/ VPN (virtual private network) integrations
-
Credit, dark web, or identity theft monitoring
Migrating to a password manager in a clinic environment is straightforward but takes some focused effort. It can be done gradually, starting with the most important accounts like your EMR and email. Contact DTO to learn more about how we can support you with this process. Once complete, you can have greater confidence in your account security.
My browser always asks to store my password. Is this the same as a password manager?
Although password storage on common internet browsers (e.g. Chrome, Firefox, Edge, Safari) is improving and may appear to provide similar functionality as a password manager, there are often several notable differences that make password manager software superior for clinic teams:
-
Browsers often only manage passwords in that particular browser. Password managers can store account information for any digital environment without being limited to a single browser.
-
Browsers often do not give the option to customize a generated password. You may not be able to automatically add specific password criteria (symbol, number, specific length) when generating one.
-
Your password security is tied to your browser security. If you are logged into your browser with your profile (which is common), anyone with access to your machine has access to your passwords. Password managers force a separate login to access your password vault.
Contact DTO to get help navigating your options and to learn more about popular solutions.
Role-based access
Applying role-based access incorporates security directly into the clinic infrastructure by limiting staff access to only software or systems required for their specific role. We recommend following these guiding principles (below) and clearly documenting staff access to clinic systems using this role matrix template.
-
Access to all information systems is provided on a "need-to-know basis" to reduce unnecessary risk. Only authorized users are allowed access to clinic wired and wireless network systems, device operating systems, your EMR and other patient information repositories.
-
Administrative accounts are not to be used for everyday operations and must be available only to individuals who perform system maintenance tasks.
-
Contracts, agreements, or statements of work defining third-party access to the clinic's information must be reviewed and approved by the clinic's privacy officer and security lead before signing.
-
Access to the clinic's information must be monitored through audit logs that track what systems were accessed with a timestamp and user identification.
-
Audit logs must be maintained for sufficient time to provide evidence in the event of security breaches or incidents.