
Passwords

I have something I have been wondering about that I wanted to throw out for discussion.

If your organization has a network password policy that creates the framework for users to create strong passwords, but the user still creates a weak password that meets the complexity requirements of the network password policy, and that weak password is cracked, who is liable?

Here is my thought process.  According to the HIPAA Security and Privacy rule, if there is a data breach, depending on how that breach occurs, it could be the company/organization who is liable, but it could also be the employee who is liable.  As most of you well know, there are currently doctors, nurses, etc. who have been fired, lost their license, been fined fees/penalties and are currently serving jail/prison time for HIPAA violations due to data breaches.

They have to determine who is liable - the company or the employee - but one of them will be liable.  Maybe both depending on the case.

So for instance, a doctor who has access to a patient's medical record and accesses that medical record without having a need to do so can be fired, lose their license, be fined and possibly go to jail for the unauthorized access.

If the organization has the correct policy and procedures in place that satisfy the HIPAA guidelines and can prove they provided enough adequate security and awareness training, the organization would not be found liable - but the employee would.  The employee would be subject to being fired, losing their license, paying fines and possibly jail.

So, following the same thought process: if your organization has a Network Password Policy that provides the framework and guidelines for employees to create strong passwords, but an employee still chooses to create a weak password that meets your complexity requirements, and their password is cracked and is the cause of a data breach, who would be liable?  Would the employee be liable for creating the weak password which violates the Network Password Policy, and could they be faced with fines, penalties, etc.?

For instance, our Network Password Policy outlines the password complexity requirements and gives specific examples to avoid dictionary type passwords, keyboard sequence passwords, etc.  The idea is to create a strong password meeting the complexity requirements.  But they could still create a weak, dictionary type password meeting the complexity requirements.  They have been instructed to not take a word out of the dictionary and modify it because that is still considered a dictionary password.

Now, I'm not really debating whether passwords are the be-all, end-all solution to stopping or preventing data breaches.  Nor am I saying passwords, no matter their length and strength, can't be hacked or broken into.

Just wanting to know if an employee fails to follow your policy and procedure regarding network passwords and the password is hacked - could the employee be personally liable as in other HIPAA violations they could be held liable for?

The example I give our employees is to throw the entire alphabet into a bowl in uppercase letters.  Then throw the entire alphabet into the same bowl in lowercase letters.  Then throw in the numbers 0-9.  Then throw in all punctuation marks.  Then throw in all symbols and special characters.  Stir and shake the bowl up real good.  Reach in and grab 8 to 14 characters and randomly place them in a row in front of you - that is what your password should look like.

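As an added example (not from the thread), here is what the policy check described in the post and the "bowl" method look like in code: a complexity check, a dictionary-derivative check that undoes common letter substitutions before comparing against a wordlist, and a generator that draws each character from the full character set with a CSPRNG. The wordlist is a small constructed stand-in; a real deployment would load a full dictionary.

```python
import re
import secrets
import string

# Constructed stand-in for a dictionary; a real check would load a full wordlist.
WORDLIST = {"password", "welcome", "summer", "utah", "health", "secret"}

# Substitutions to undo before comparing, so "P@ssw0rd" is recognised as "password".
LEET = str.maketrans("013457@$!", "oleastasi")

# The "bowl": uppercase, lowercase, digits, punctuation and symbols all mixed together.
BOWL = string.ascii_uppercase + string.ascii_lowercase + string.digits + string.punctuation


def meets_complexity(pw, min_len=8):
    """Typical complexity rule: length plus one of each character class."""
    classes = [r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]"]
    return len(pw) >= min_len and all(re.search(c, pw) for c in classes)


def dictionary_core(pw):
    """Lowercase, strip leading/trailing digits and symbols, then undo leet substitutions."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core.translate(LEET)


def is_dictionary_derived(pw):
    """A modified dictionary word (forwards or reversed) still counts as a dictionary password."""
    core = dictionary_core(pw)
    return core in WORDLIST or core[::-1] in WORDLIST


def evaluate(pw):
    """Policy verdict: passing complexity alone is not enough."""
    if not meets_complexity(pw):
        return "reject: fails complexity"
    if is_dictionary_derived(pw):
        return "reject: dictionary word with substitutions"
    return "accept"


def bowl_password(length=14):
    """Draw each character uniformly from the bowl with a CSPRNG; redraw until it passes policy."""
    while True:
        pw = "".join(secrets.choice(BOWL) for _ in range(length))
        if evaluate(pw) == "accept":
            return pw


if __name__ == "__main__":
    for candidate in ("P@ssw0rd!", "Summer2012!", "Summer2012", bowl_password(12)):
        print(f"{candidate!r}: {evaluate(candidate)}")
```

The first two candidates satisfy the complexity rule yet are rejected, which is exactly the gap the post describes between a complexity requirement and a strong password.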


  • Wow.  What timing.  I guess I am a little late on receiving emails about the latest data security breaches.  But so far, 2012's largest data breach victim was the State of Utah's Department of Health.  The culprit:  a weak password.

    Obviously there are other issues to address - not just weak password issues.  Obviously would be concerned with lost/stolen laptops, removable media devices, etc.  But thought it interesting that so far for 2012 - the largest data breach this year was specifically due to a weak password.

    It will be interesting to see how it plays out.  I read where so far - just in contracts to deal with the damage control blitz with outside aid (3 attempts so far) - it has cost them 1.3 million dollars.  That is not counting the costs of additional safeguards they will have to invest in, nor the cost of identity theft protection services for one year.  They estimate it to cost them tens of millions of dollars in the end.

    A snippet from the top 10 data breach list:

    1. Utah Department of Health. On March 30, approximately 780,000 Medicaid patients and recipients of the Children's Health Insurance Plan in Utah had personal information stolen after a hacker from Eastern Europe accessed the Utah Department of Technology Service's server. Initially, the number of those affected stood at 24,000, yet, according to UDOH, that number grew to 780,000, with Social Security numbers stolen from approximately 280,000 individuals and less-sensitive personal data stolen from approximately 500,000 others. The reason the hacker was able to access this information? Ultimately, it was due to a weak password.
