Securing accounts and passwords
Account credentials, also known as usernames and passwords, are the digital keys to your medical clinic’s information. Here you’ll learn how to:
- Ensure user accounts are reasonably secure.
- Establish a system where the right people are accessing the right information in your clinic’s information systems.
The modern clinic environment requires the use of many applications and services, each with its own username and password. It is important to manage these accounts securely and efficiently. Understanding the benefit of good password practices and the use of multi-factor authentication (MFA) is key to protecting personal health information.
When thinking about user accounts, ask yourself:
- Is this account unique to me? Am I the only one who knows the username and password?
- Sharing accounts makes it impossible to tell from audit logs who actually accessed personal health information, and it increases the risk of that information being compromised. Never post passwords at workstations, and ensure every team member uses their own account to access clinical systems.
- Am I reusing the same password for all or some of my accounts?
- Reusing passwords makes it much easier for someone to gain unauthorized access to your accounts. Attackers routinely take usernames and passwords leaked from one breach and try them against other services (credential stuffing), so if one account is compromised, every other account that shares the same password is exposed as well.
- Is multi-factor authentication (MFA) available and enabled?
- MFA is one of the most effective defences against account compromise: a stolen or guessed password alone is no longer enough to log in, which blocks the large majority of malicious login attempts. Enable MFA wherever it is offered, particularly for your EMR, email, financial accounts, and any other system that contains personal health information. Where you have a choice of method, an authenticator app, hardware security key or passkey is stronger than codes sent by SMS. Not all EMRs offer MFA, so check with your vendor or in your EMR settings for this option.
- Is my password easy to guess?
- Modern password cracking tools break short, predictable passwords in seconds, particularly ones built from common words that fit grammatical flow (e.g., iliketacos), because a dictionary attack guesses such passwords word by word far faster than brute force. Choose passwords of at least 10 characters (longer is better) that only make sense to you: easy to remember but hard to guess.
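To make the "easy to guess" point concrete, here is an added example (not code from the original page) that estimates how an attacker would approach a candidate password: it first tries to split the password into common dictionary words, and only if that fails falls back to a brute-force estimate over the character classes present. The word list, the assumed attacker wordlist size (20,000 words) and the assumed guess rate (10 billion per second, an offline attack on a fast hash) are all assumptions chosen for illustration; real cracking tools ship with far larger lists.

```python
import math
import re

MIN_LENGTH = 10

# Constructed, tiny stand-in for the multi-thousand-word lists cracking
# tools ship with. The list size and guess rate below are assumptions,
# not figures from the page.
COMMON_WORDS = {
    "i", "like", "tacos", "taco", "password", "clinic", "welcome",
    "summer", "admin", "love", "hello", "doctor", "nurse", "2024",
}
ASSUMED_WORDLIST_SIZE = 20_000        # entries in a realistic attacker list
ASSUMED_GUESSES_PER_SECOND = 1e10     # offline attack on a fast hash


def split_into_words(text, words):
    """Return a list of dictionary words that exactly covers `text`, or
    None if no such split exists (dynamic programming over prefixes)."""
    best = [None] * (len(text) + 1)
    best[0] = []
    for end in range(1, len(text) + 1):
        for start in range(end):
            if best[start] is not None and text[start:end] in words:
                best[end] = best[start] + [text[start:end]]
                break
    return best[len(text)]


def charset_size(password):
    """Size of the character pool a brute-force attacker must cover."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        size += 33  # printable ASCII punctuation
    return size


def assess(password):
    """Estimate which attack fits `password` and how long it would take."""
    words = split_into_words(password.lower(), COMMON_WORDS)
    if words:
        # Word-by-word dictionary attack: each slot is one list entry.
        guesses = ASSUMED_WORDLIST_SIZE ** len(words)
        attack = "dictionary"
    else:
        # Brute force over the character classes actually present.
        guesses = max(1, charset_size(password) ** len(password))
        attack = "brute-force"
    return {
        "length_ok": len(password) >= MIN_LENGTH,
        "attack": attack,
        "words": words,
        "entropy_bits": round(math.log2(guesses), 1),
        "seconds_to_crack": guesses / ASSUMED_GUESSES_PER_SECOND,
    }


if __name__ == "__main__":
    for candidate in ("iliketacos", "clinic2024", "7Km!qz2#Wp4$"):
        print(candidate, assess(candidate))
```

Note that iliketacos passes the 10-character minimum yet falls to the dictionary path in under 15 minutes at the assumed rate, while a random 12-character mix of all four classes is beyond reach; length is necessary but not sufficient.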
Managing strong passwords for multiple accounts
The best solution to managing multiple strong passwords is to use password management software. It provides a place where you can securely store many individual account credentials under a single account. A strong "master" password, usually combined with a multi-factor authentication method, protects the vault and is the one password you must remember; with it you can store and retrieve the login information for all your other accounts conveniently and securely, often with only a few clicks.
Popular password manager vendors offer industry-standard security features; look for end-to-end ("zero-knowledge") encryption, meaning the vendor itself cannot read your vault. Beyond that, the decision on which option to choose is largely based on desired features and preference for the general look, feel, and ease of use of the application. Most platforms offer a free or trial service option, so you can test it out before fully migrating all your account information. Password management software typically offers several related features beyond basic password and credential management, including:
- Secure password generation
- Password sharing
- File storage
- MFA, SSO (single sign-on) and VPN (virtual private network) integrations
- Credit, dark web, or identity theft monitoring
Migrating to a password manager in a clinic environment is straightforward but takes some focused effort. It can be done gradually, starting with the most important accounts, such as your EMR and email. Once complete, you can have greater confidence in your account security.
Is storing passwords in my browser like using a password manager?
Although password storage on common internet browsers (e.g. Chrome, Firefox, Edge, Safari) is improving and may appear to provide similar functionality as a password manager, there are often several notable differences that make password manager software a better choice in clinic environments:
- Browsers often only manage passwords in that particular browser. Password managers can store account information for any digital environment without being limited to a single browser.
- Browsers often do not give the option to customize a generated password. You may not be able to automatically add specific password criteria (symbol, number, specific length) when generating one.
- Your password security is tied to your browser security. If you are logged in to your browser with your profile (which is common), anyone with access to your unlocked machine can view your saved passwords. Password managers require a separate master password (and, where enabled, MFA) to open the vault, and lock it again after a period of inactivity.
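Two of the features listed above, secure password generation and the ability to set specific criteria (symbol, number, specific length) that browsers often lack, are simple to get right or wrong. The following added example (not code from the original page or from any password manager vendor) shows the generation pattern a manager uses: draw from a cryptographically secure random source, guarantee at least one character from each required class, then shuffle so the guaranteed characters do not sit at predictable positions. The symbol set and the small passphrase wordlist are assumptions for illustration.

```python
import secrets
import string

# Character classes a policy can require. The symbol set is an assumption;
# trim it to what the target system actually accepts.
CHAR_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?",
}

# Constructed mini wordlist for passphrases. With only 12 words, four of
# them give under 15 bits of entropy; a real list such as the 7,776-word
# diceware list gives roughly 52 bits for the same four words.
WORDLIST = ["otter", "granite", "violet", "saddle", "comet", "harbor",
            "maple", "quartz", "lantern", "pepper", "tundra", "ember"]

_rng = secrets.SystemRandom()   # CSPRNG-backed; never use random.random here

DEFAULT_REQUIRE = ("lower", "upper", "digit", "symbol")


def generate_password(length=16, require=DEFAULT_REQUIRE):
    """Random password of exactly `length` characters containing at least
    one character from every class named in `require`."""
    if length < len(require):
        raise ValueError("length too short to satisfy every required class")
    # Guarantee each required class once, then fill from the union pool.
    chars = [secrets.choice(CHAR_CLASSES[c]) for c in require]
    pool = "".join(CHAR_CLASSES[c] for c in require)
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    # Shuffle so the guaranteed characters are not at fixed positions.
    _rng.shuffle(chars)
    return "".join(chars)


def generate_passphrase(words=4, separator="-"):
    """Memorable alternative: several random words, repetition allowed."""
    return separator.join(secrets.choice(WORDLIST) for _ in range(words))


def meets_policy(password, length, require=DEFAULT_REQUIRE):
    """Check a password against the same criteria the generator enforces."""
    return len(password) == length and all(
        any(ch in CHAR_CLASSES[c] for ch in password) for c in require
    )


if __name__ == "__main__":
    print(generate_password(20))
    print(generate_password(8, ("lower", "digit")))
    print(generate_passphrase())
```

The `secrets` module is the point: it draws from the operating system's CSPRNG, whereas `random` is seeded predictably and must never be used for credentials.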
Role-based account access
Applying role-based access builds security directly into the clinic infrastructure by limiting each staff member to only the software and systems their role requires. We recommend following these principles and clearly documenting staff access to clinic systems using the role-based access matrix template.
- Access to all information systems is provided on a "need-to-know basis" to reduce unnecessary risk. Only authorized users are allowed access to clinic wired and wireless network systems, device operating systems, your EMR and other patient information repositories.
- Administrative accounts are not to be used for everyday operations. They must be available only to individuals who perform system maintenance tasks, and those individuals should use a separate standard account for email, browsing and any clinical work.
- Contracts, agreements, or statements of work defining third-party access to the clinic's information must be reviewed and approved by the clinic's privacy officer and security lead before signing.
- Access to the clinic's information must be monitored through audit logs that record, at minimum, the user identity, the system accessed, the action taken and a timestamp, for denied attempts as well as successful ones.
- Audit logs must be retained for a defined period, long enough to provide evidence in the event of security breaches or incidents, and must be protected from modification by the users whose actions they record.
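The following added example (not code from the original page or from any EMR vendor) turns the principles above into a small, testable model: a role-based access matrix, a check that grants access only when one of the user's roles permits the action on that system, time-boxed accounts for third-party access, and an audit entry written for every attempt with user identity, system, action, decision and timestamp. The roles, systems and users are constructed for illustration; note that the maintenance role has no clinical data access at all, so an administrator needs a separate standard account to read the EMR.

```python
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional

# Constructed access matrix (assumption): role -> system -> permitted actions.
ACCESS_MATRIX = {
    "physician":    {"emr": {"read", "write"}, "email": {"read", "write"}},
    "receptionist": {"emr": {"read"}, "scheduling": {"read", "write"},
                     "email": {"read", "write"}},
    "billing":      {"emr": {"read"}, "billing": {"read", "write"}},
    "sysadmin":     {"server": {"maintain"}, "network": {"maintain"}},
}


def utc(year, month, day, hour=0):
    """Helper for timezone-aware timestamps (assumption: logs are kept in UTC)."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


@dataclass
class User:
    user_id: str
    roles: set
    valid_until: Optional[datetime] = None   # time-boxed access, e.g. a vendor


@dataclass
class AuditEntry:
    timestamp: str
    user_id: str
    system: str
    action: str
    decision: str

    def to_dict(self):
        return asdict(self)

    def to_json_line(self):
        """One JSON object per line, ready to ship to a separate log store."""
        return json.dumps(self.to_dict())


class AccessControl:
    def __init__(self, matrix):
        self.matrix = matrix
        self.audit_log = []   # append-only in memory; persist it elsewhere

    def is_allowed(self, user, system, action, now):
        # Expired third-party access is denied regardless of role.
        if user.valid_until is not None and now >= user.valid_until:
            return False
        # Need-to-know: at least one of the user's roles must grant this action.
        return any(action in self.matrix.get(role, {}).get(system, set())
                   for role in user.roles)

    def access(self, user, system, action, now=None):
        """Decide and record. Every attempt is logged, allowed or not."""
        now = now or datetime.now(timezone.utc)
        allowed = self.is_allowed(user, system, action, now)
        self.audit_log.append(AuditEntry(
            timestamp=now.isoformat(), user_id=user.user_id,
            system=system, action=action,
            decision="ALLOW" if allowed else "DENY"))
        return allowed

    def entries_for(self, user_id):
        """Everything a given user attempted, in order, for incident review."""
        return [e for e in self.audit_log if e.user_id == user_id]


if __name__ == "__main__":
    ac = AccessControl(ACCESS_MATRIX)
    when = utc(2024, 3, 1, 9)
    admin = User("it.admin", {"sysadmin"})
    vendor = User("vendor.emr", {"sysadmin"}, valid_until=utc(2024, 2, 1))
    ac.access(admin, "emr", "read", now=when)          # DENY: no clinical access
    ac.access(admin, "server", "maintain", now=when)   # ALLOW
    ac.access(vendor, "server", "maintain", now=when)  # DENY: contract expired
    for entry in ac.audit_log:
        print(entry.to_json_line())
```

In a real deployment the audit entries would be written to a store the monitored users cannot alter (for example a separate log server), which is what the retention and integrity requirement above is asking for.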