
Passwords

I have something I have been wondering about that I wanted to throw out for discussion.

If your organization has a network password policy that creates the framework for users to create strong passwords, but the user still creates a weak password within the complexity requirements of the network password policy, and that weak password is cracked, who is liable?

Here is my thought process.  According to the HIPAA Security and Privacy Rules, if there is a data breach, depending on how that breach occurs, it could be the company/organization that is liable, but it could also be the employee who is liable.  As most of you well know, there are currently doctors, nurses, etc. who have been fired, lost their licenses, been fined fees/penalties, and are currently serving jail/prison time for HIPAA violations due to data breaches.

They have to determine who is liable - the company or the employee - but one of them will be liable.  Maybe both depending on the case.

So for instance, a doctor who has access to a patient's medical record and accesses that record without having a need to do so can be fired, lose their license, be fined and possibly go to jail for the unauthorized access.

If the organization has the correct policies and procedures in place that satisfy the HIPAA guidelines and can prove they provided enough adequate security and awareness training, the organization would not be found liable - but the employee would.  The employee would be subject to being fired, losing their license, paying fines and possibly jail.

So, following the same thought process: if your organization has a Network Password Policy that provides the framework and guidelines for employees to create strong passwords, but an employee still chooses to create a weak password that meets your complexity requirements, and their password is cracked and is the cause of a data breach, who would be liable?  Would the employee be liable for creating the weak password, which violates the Network Password Policy, and could they be faced with fines, penalties, etc.?

For instance, our Network Password Policy outlines the password complexity requirements and gives specific examples to avoid dictionary-type passwords, keyboard-sequence passwords, etc.  The idea is to create a strong password meeting the complexity requirements.  But they could still create a weak, dictionary-type password meeting the complexity requirements.  They have been instructed not to take a word out of the dictionary and modify it, because that is still considered a dictionary password.

Now, I'm not really debating whether passwords are the be-all, end-all solution to stopping or preventing data breaches.  Nor am I saying passwords, no matter their length and strength, can't be hacked or broken into.

I just want to know: if an employee fails to follow your policy and procedure regarding network passwords and the password is hacked, could the employee be personally liable, as with other HIPAA violations they could be held liable for?

The example I give our employees is to throw the entire alphabet into a bowl in uppercase letters.  Then throw the entire alphabet into the same bowl in lowercase letters.  Then throw in the numbers 0-9.  Then throw in all punctuation marks.  Then throw in all symbols and special characters.  Stir and shake the bowl up real good.  Reach in and grab 8 to 14 characters and randomly place them in a row in front of you - that is what your password should look like.
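As an added example (not part of the original post or any product), here is a Python policy check for exactly the gap the post describes: a password that satisfies a typical complexity rule but is still a decorated dictionary word or a keyboard sequence, alongside a generator for the "bowl" method. The word list and the substitution table are constructed here and stand in for a real dictionary file.

```python
import re
import secrets
import string

# Constructed mini word list; a real deployment would load a full dictionary file.
DICTIONARY = {"password", "welcome", "summer", "hospital", "doctor", "letmein"}

# Common substitutions users apply to "modify" a dictionary word (constructed table).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

def meets_complexity(pw: str, min_len: int = 8) -> bool:
    """Typical complexity rule: minimum length plus three of four character classes."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    return len(pw) >= min_len and sum(classes) >= 3

def is_dictionary_based(pw: str) -> bool:
    """Catch a dictionary word even when decorated with case, digits, symbols or leetspeak."""
    core = pw.lower().translate(LEET)        # undo the usual substitutions
    core = re.sub(r"[^a-z]", "", core)       # drop digit/punctuation padding
    return core in DICTIONARY or any(w in core for w in DICTIONARY if len(w) >= 5)

def is_keyboard_sequence(pw: str, run: int = 4) -> bool:
    """Flag any run of `run` adjacent keys from one keyboard row, forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seq = row[i:i + run]
            if seq in low or seq[::-1] in low:
                return True
    return False

def policy_verdict(pw: str) -> str:
    """Complexity alone is not enough: the policy also rejects dictionary and keyboard patterns."""
    if not meets_complexity(pw):
        return "fails complexity"
    if is_dictionary_based(pw):
        return "complex but dictionary-based"
    if is_keyboard_sequence(pw):
        return "complex but keyboard sequence"
    return "ok"

def bowl_password(length: int = 14) -> str:
    """The 'bowl' method from the post: draw uniformly at random from the full character set."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))
```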

  • Hi Christian,

    Thanks for the response.  Great insight you have provided.  It is something I have thought about for a while.  I am an IT Department of one.  We have about 10 office sites and around 100 Users/PCs in our organization.  I don't have a lot of internal resources to be able to bounce off of people except for forums like this.

    We are in the process of strengthening some of our policies and procedures along with strengthening our security practices.  I have implemented a password change policy for our organization.  Now I am in the process of creating and providing security and awareness training for our employees as well.

    So I do give a spiel about HIPAA liability.  I let the staff know in the staff meetings I attend in the different divisions and programs that, according to certain HIPAA regulations, in some aspects they as an employee can be held liable for certain actions.  The liability could be termination of employment.  It could be their licensing board revoking their license (they lose it).  They could be subject to fines and fees.

    So we had a discussion about that topic.  Some of our employees are now aware that they can be held liable - depending on the circumstance.  That has been proven over and over again with certain HIPAA cases - documented - where they were held liable.

    So they asked me about it and I gave them my viewpoint.  Now, I am not legalese in nature either.  I am not an attorney, lawyer or whatnot.  So I told them not to put a whole lot of stock into what I say - to seek better advice and counsel.

    Here is what I explained to them.  When it comes to a HIPAA violation - the policies and procedures would be examined to see if they are HIPAA compliant - if there is such a thing.  Then they will examine what the employee did.  If the employee violated the policy and procedure - then the employee would be held liable.  If the organization can prove they have proper and correct policies and procedures in place and have provided enough security and awareness training - then the organization would not be held liable - but the employee violating the policy and procedure would be held liable.

    So I explained to them in our staff meetings - you want to be in full compliance with the organization's policies and procedures to keep yourself safe from liability as an employee.  They now get that and understand that.

    So the discussion came up of how you determine how and where liability lies in certain scenarios.

    I personally think there are uncharted waters in this area - where it has never been challenged in a court of law.  So I told them - make sure you read and understand policies and procedures and be compliant with them - just to be safe.

    In the example of the network password policy: if it is determined they have created a weak, dictionary-type password and the organization finds this out through some sort of ethical means and audits, they would be subject to the disciplinary actions of the policy and procedure, up to and including termination.  Beyond that - I told them I don't know what would happen.

    So if it were by complete freak accident that an employee's password was cracked on the first guess due to a weak password, and the password they constructed violates the policy, and due to that weak password information was compromised - they questioned whether they would be or could be held liable.

    I told them the only thing I knew for sure - is they would be disciplined in some form - verbal, written or terminated.  But beyond that - I told them - I wasn't sure what would happen.

    My whole point in talking with them is to get serious about security, get serious about their passwords, and understand the full weight and gravity of what information and the type of information they are protecting.  I don't think our users really get that.  I don't think they understand they are protecting information - that if compromised could put these clients at risk for identity theft.

    I explained to them - not purposefully - but they would tend to be very hypocritical.  For instance, if their personal information was breached - they would probably be irate and prosecute the offender to the fullest extent of the law possible.  But at the same time, they are protecting the exact same type of information and do not hold themselves to that same high level of scrutiny.  They kind of exempt themselves from that same high standard they would put on others to protect their information.  But when it comes to them protecting it - they will be doing the same weak practices.  Just trying to point out - don't have a hypocritical double standard you hold others to that you do not apply to yourself.

    They are taking it way too lightly.

    I have randomly gone through our offices and have found their passwords taped to their monitor!  One employee even taped their username AND password to their monitor.

    So it really came down to a discussion - if I can violate one policy and be held liable, then what about other policies - could they be held liable and their license be at risk?  I told them I really don't know.  I don't think anyone has had a data breach due to a weak password being hacked and gone to court over it.  I told them - the best, safest thing is simply don't find out - be in compliance with our network password policy and password creation and take it seriously.  Don't be lax about it.  Grasp the full weight and gravity of what is at stake - your job, your license, your clients' identities, your clients' medical information, the organization's reputation, etc.
