Account credentials, also known as usernames and passwords, are the digital keys to your clinic’s information. In this section you’ll find information about how to:

  • Ensure user accounts are reasonably secure.

  • Establish a system where the right people are accessing the right information in your clinic’s information systems.

Accounts & passwords

The modern clinic environment requires the use of many applications and services, each with their own username and password. This section provides tips on how to manage accounts securely and efficiently. Understanding the benefit of good password practices and the use of multi-factor authentication (MFA) is key to protecting personal health information. 

When thinking about accounts, ask yourself:

Is this account unique to me? Am I the only one who knows the username and password?

Sharing accounts makes it difficult to keep track of who has accessed personal health information and increases the risk of personal health information being compromised. Wherever possible, avoid posting passwords at workstations (on sticky notes, under keyboards, or in shared documents) and ensure team members use their own accounts to access clinical systems. 

Am I reusing the same password for all or some of my accounts? 

Reusing passwords makes it much easier for someone to gain unauthorized access to your accounts. If one account is compromised, a malicious actor potentially has access to every account that shares the same password; attackers routinely try usernames and passwords leaked from one service against many others (known as credential stuffing).

Is multi-factor authentication (MFA) available and enabled? 

MFA is one of the most effective defenses against account compromise: a password that has been guessed, phished or leaked is no longer enough on its own to log in. Enable MFA whenever it is offered, particularly for your EMR, email, financial accounts, and any other systems that contain personal health information. Where you have a choice of method, an authenticator app or a hardware security key resists phishing better than codes sent by SMS. Not all EMRs offer MFA, so check with your vendor or in your EMR settings for this option. 

Is my password easy to guess?  

Modern password cracking tools try dictionary words, common phrases and predictable substitutions first (e.g., iliketacos, P@ssw0rd, or a word followed by a year), so a password built that way falls quickly even when it meets a length rule. Choose passwords that only make sense to you, with a minimum length of 10 characters; longer is better, and a mix of character types or several unrelated words adds far more resistance than one familiar word dressed up with symbols. They should be easy to remember but hard to guess. 

How to manage strong passwords for multiple accounts

The best solution is to use password management software. It provides a place where you can securely store many individual account credentials under a single account. A strong "master" password, often protected additionally with multi-factor authentication, is used to store and access all your login information for other accounts. That way, you only need to remember one password to access all your accounts conveniently and securely, often with only a few clicks. 

Popular password manager vendors offer industry-standard security features, so the decision on which option to choose is largely based on desired features and preference for the general look, feel and ease of use of the application. Most platforms offer a free or trial option so you can test it out before migrating all your accounts' information. Password management software typically offers several related features beyond basic password and credential management, including: 

  • Secure password generation 

  • Password sharing 

  • File storage 

  • MFA/SSO (single sign on)/ VPN (virtual private network) integrations 

  • Credit, dark web, or identity theft monitoring 

Migrating to a password manager in a clinic environment is straightforward but takes some focused effort. It can be done gradually, starting with the most important accounts like your EMR and email. Contact DTO to learn more about how we can support you with this process. Once complete, you can have greater confidence in your account security.

My browser always asks to store my password. Is this the same as a password manager?

Although password storage on common internet browsers (e.g. Chrome, Firefox, Edge, Safari) is improving and may appear to provide similar functionality as a password manager, there are often several notable differences that make password manager software superior for clinic teams: 

  • Browsers often only manage passwords in that particular browser. Password managers can store account information for any digital environment without being limited to a single browser. 

  • Browsers often do not give the option to customize a generated password. You may not be able to automatically add specific password criteria (symbol, number, specific length) when generating one. 

  • Your password security is tied to your browser security. If you are logged into your browser with your profile (which is common), anyone with access to your unlocked machine can view or use your saved passwords. Password managers require a separate master password (and MFA, where enabled) to unlock the vault, and lock it again after a period of inactivity. 

Contact DTO to get help navigating your options and to learn more about popular solutions.

Role-based access

Applying role-based access builds security directly into the clinic infrastructure by limiting staff access to only the software or systems required for their specific role. We recommend following these guiding principles and clearly documenting staff access to clinic systems using this role matrix template.

  • Access to all information systems is provided on a "need-to-know basis" to reduce unnecessary risk. Only authorized users are allowed access to clinic wired and wireless network systems, device operating systems, your EMR and other patient information repositories.

  • Administrative accounts are not to be used for everyday operations and must be available only to individuals who perform system maintenance tasks.

  • Contracts, agreements, or statements of work defining third-party access to the clinic's information must be reviewed and approved by the clinic's privacy officer and security lead before signing.

  • Access to the clinic's information must be monitored through audit logs that track what systems were accessed with a timestamp and user identification.

  • Audit logs must be maintained for sufficient time to provide evidence in the event of security breaches or incidents.
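As an added example that is not part of the DTO guidance, the Python script below shows how a filled-in role matrix can be reconciled against audit logs to catch the exceptions the principles above describe: access outside a role, shared or unknown accounts, administrative accounts used for everyday work, and log entries with no user identification. The roles, systems, staff names, action names and log lines are all constructed for illustration; a clinic would substitute its own role matrix and the audit export from its EMR or network.

```python
import csv
from datetime import datetime
from io import StringIO
from typing import Dict, List

# Added example, not DTO material. Role matrix, staff list and log lines are
# constructed for illustration; a real clinic fills these in from its own
# role matrix template and its EMR/network audit exports.
ROLE_MATRIX: Dict[str, set] = {
    "physician": {"emr", "email", "lab_portal"},
    "moa":       {"emr", "email", "billing"},
    "it_admin":  {"emr_admin", "network", "workstation_admin", "email"},
}
STAFF: Dict[str, str] = {"dr.lee": "physician", "mwong": "moa", "rkim": "it_admin"}
ADMIN_SYSTEMS = {"emr_admin", "network", "workstation_admin"}
EVERYDAY_ACTIONS = {"open_chart", "view_claim", "send_email", "print"}
SHARED_ACCOUNTS = {"frontdesk", "admin", "clinic", "reception"}

# Constructed audit log: timestamp, user, system, action (one access per line).
SAMPLE_LOG = """\
2024-03-04T08:01:12,dr.lee,emr,login
2024-03-04T08:03:40,mwong,billing,view_claim
2024-03-04T08:05:02,mwong,lab_portal,login
2024-03-04T08:10:55,frontdesk,emr,login
2024-03-04T09:15:00,rkim,emr_admin,login
2024-03-04T09:16:30,rkim,emr_admin,open_chart
2024-03-04T12:00:00,unknownuser,emr,login
2024-03-04T12:30:00,,emr,login
"""


def parse_log(text: str) -> List[dict]:
    """Parse CSV audit lines; every entry carries a timestamp and a user field."""
    entries = []
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        ts, user, system, action = row
        entries.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "system": system, "action": action})
    return entries


def review_audit_log(text: str, matrix=ROLE_MATRIX, staff=STAFF) -> List[dict]:
    """Reconcile each access against the role matrix and return the exceptions."""
    findings: List[dict] = []

    def flag(entry, reason):
        findings.append({"ts": entry["ts"].isoformat(), "user": entry["user"],
                         "system": entry["system"], "reason": reason})

    for e in parse_log(text):
        if not e["user"]:
            flag(e, "no user identification in log entry")
            continue
        if e["user"] in SHARED_ACCOUNTS:
            flag(e, "shared account: access cannot be attributed to a person")
            continue
        role = staff.get(e["user"])
        if role is None:
            flag(e, "account not in the role matrix")
            continue
        if e["system"] not in matrix[role]:
            flag(e, f"system not permitted for role {role}")
        if e["system"] in ADMIN_SYSTEMS and e["action"] in EVERYDAY_ACTIONS:
            flag(e, "administrative account used for everyday work")
    return findings


if __name__ == "__main__":
    for f in review_audit_log(SAMPLE_LOG):
        print(f"{f['ts']}  {f['user'] or '<none>':12} {f['system']:12} {f['reason']}")
```

Run against the sample log it produces five findings and leaves the physician's ordinary EMR login alone. The same review run on a schedule, with its output kept alongside the raw logs for the retention period, is what turns the principles above from a document into evidence you can produce after an incident.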

The Doctors Technology Office is an initiative of the Family Practice Services Committee (FPSC), a joint partnership of Doctors of BC and the Government of BC.