
Passwords

I have something I have been wondering about that I wanted to throw out for discussion.

If your organization has a network password policy that creates the framework for users to create strong passwords, but the user still creates a weak password that meets the complexity requirements of the network password policy, and the weak password is cracked, who is liable?

Here is my thought process.  According to the HIPAA Security and Privacy Rules, if there is a data breach, depending on how that breach occurs, it could be the company/organization that is liable, but it could also be the employee who is liable.  As most of you well know, there are currently doctors, nurses, etc. who have been fired, lost their licenses, been fined fees/penalties and are currently serving jail/prison time for HIPAA violations due to data breaches.

They have to determine who is liable - the company or the employee - but one of them will be liable.  Maybe both depending on the case.

So for instance, a doctor who has access to a patient's medical record and accesses that medical record without having a need to do so can be fired, lose their license, be fined and possibly go to jail for the unauthorized access.

If the organization has the correct policies and procedures in place that satisfy the HIPAA guidelines and can prove they provided enough adequate security and awareness training, the organization would not be found liable - but the employee would.  The employee would be subject to being fired, losing their license, paying fines and possibly jail.

So following the same thought process: if your organization has a Network Password Policy that provides the framework and guidelines for employees to create strong passwords, but an employee still chooses to create a weak password that meets your complexity requirements, and their password is cracked and is the cause of a data breach, who would be liable?  Would the employee be liable for creating the weak password, which violates the Network Password Policy, and could they be faced with fines, penalties, etc.?

For instance, our Network Password Policy outlines the password complexity requirements and gives specific examples to avoid dictionary type passwords, keyboard sequence passwords, etc.  The idea is to create a strong password meeting the complexity requirements.  But they could still create a weak, dictionary type password meeting the complexity requirements.  They have been instructed to not take a word out of the dictionary and modify it because that is still considered a dictionary password.

Now, I'm not really debating whether passwords are the be-all, end-all solution to stopping or preventing data breaches.  Nor am I saying passwords, no matter their length and strength, can't be hacked or broken into.

Just wanting to know if an employee fails to follow your policy and procedure regarding network passwords and the password is hacked - could the employee be personally liable as in other HIPAA violations they could be held liable for?

The example I give our employees is to throw the entire alphabet into a bowl in uppercase letters.  Then throw the entire alphabet into the same bowl in lowercase letters.  Then throw in the numbers 0-9.  Then throw in all punctuation marks.  Then throw in all symbols and special characters.  Stir and shake the bowl up real good.  Reach in and grab 8 to 14 characters and randomly place them in a row in front of you - that is what your password should look like.

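As an added example that is not part of the original post, here is a Python checker for the kind of policy described above: it applies the usual complexity rule and then rejects dictionary words, "modified" dictionary words (leet substitutions, digits or a year tacked on) and keyboard sequences, so a password like "P@ssw0rd1!" passes complexity but still fails. The word list and substitution table are constructed stand-ins for a real dictionary file.

```python
import string

# Constructed mini word list standing in for a real dictionary file.
DICTIONARY = {"password", "welcome", "summer", "hospital", "letmein", "monkey"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# Common substitutions users make to "modify" a dictionary word.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "!": "i", "4": "a", "5": "s", "7": "t"})

def meets_complexity(pw, min_len=8):
    """The usual complexity rule: minimum length plus one of each character class."""
    classes = (string.ascii_uppercase, string.ascii_lowercase,
               string.digits, string.punctuation)
    return len(pw) >= min_len and all(any(c in cls for c in pw) for cls in classes)

def normalize(pw):
    """Strip digits/symbols from the ends and undo leet substitutions,
    so "P@ssw0rd1!" and "Summer2024!" collapse to their dictionary word."""
    core = pw.lower().strip(string.digits + string.punctuation)
    return core.translate(LEET)

def is_keyboard_sequence(pw, run=4):
    """True if the password contains a run of adjacent keys (e.g. 'qwer' or 'rewq')."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seg = row[i:i + run]
            if seg in low or seg[::-1] in low:
                return True
    return False

def check_password(pw):
    """Return the list of policy rules the password violates (empty = acceptable)."""
    problems = []
    if not meets_complexity(pw):
        problems.append("complexity")
    if normalize(pw) in DICTIONARY:
        problems.append("dictionary")
    if is_keyboard_sequence(pw):
        problems.append("keyboard-sequence")
    return problems

if __name__ == "__main__":
    for candidate in ["P@ssw0rd1!", "Summer2024!", "Qwerty12!", "xK7#pQ2!vB"]:
        print(candidate, check_password(candidate) or "ok")
```

The last candidate is the "bowl" style password from the post; it is the only one of the four that passes every rule.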


  • Unless I've overlooked it, it doesn't say where the data resided and whether the weak password was directly related to the (encrypted) data or used to gain access to the system. I also wonder - why was Utah's DOH "chosen"? Unless there was a specific reason for targeting this institution it could have been either by chance or a (semi-)automated attack. Even if it was "manual by chance" - if the attack was "via the Internet" the hacker probably used some tools to apply the "password guessing". It shouldn't have been as easy as guessing an account/password combination, slipping in and then dumping hundreds of thousands of records to some obscure location. You shouldn't be able to attack a password on-line - so while the attack was (allegedly) ultimately successful because of the weak password there was probably also more than one weakness "along the path".

    If it is not a really determined attack, any single failure (like a weak password) shouldn't allow access to your data. You encrypt your data in case someone gets unauthorized access to the data on disk - but then the weak password shouldn't come into play. OTOH a single password shouldn't get you as far as hundreds of thousands of records. Consider the lock to your company's vault - even if it's easily pickable an occasional visitor shouldn't be able to get near it at all. But I know it's much easier said than done.

    Christian

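An added example, not from the reply above: a Python detection pass over constructed auth log lines that flags the two things Christian says should never be easy on-line, repeated guessing against one account and one source failing against many accounts. The log format, thresholds, user names and addresses are all assumptions made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (not from any real system); addresses are documentation ranges.
SAMPLE_LOG = """\
2024-05-01 09:00:01 login user=jdoe src=203.0.113.7 result=FAIL
2024-05-01 09:00:09 login user=jdoe src=203.0.113.7 result=FAIL
2024-05-01 09:00:18 login user=jdoe src=203.0.113.7 result=FAIL
2024-05-01 09:00:27 login user=jdoe src=203.0.113.7 result=FAIL
2024-05-01 09:00:35 login user=jdoe src=203.0.113.7 result=FAIL
2024-05-01 09:00:44 login user=jdoe src=203.0.113.7 result=OK
2024-05-01 09:05:00 login user=asmith src=203.0.113.9 result=FAIL
2024-05-01 09:05:02 login user=bjones src=203.0.113.9 result=FAIL
2024-05-01 09:05:04 login user=ckim src=203.0.113.9 result=FAIL
2024-05-01 09:30:00 login user=mlee src=198.51.100.4 result=FAIL
2024-05-01 09:30:20 login user=mlee src=198.51.100.4 result=OK
"""
LINE_RE = re.compile(r"^(\S+ \S+) login user=(\S+) src=(\S+) result=(OK|FAIL)$")

def parse_log(text):
    """Yield (timestamp, user, src, result) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3), m.group(4)

def detect_guessing(text, max_fail=5, window=timedelta(minutes=10), spray_users=3):
    """Lock accounts that collect max_fail failures inside `window`; flag sources that fail against spray_users or more distinct accounts."""
    recent = defaultdict(deque)       # user -> timestamps of recent failures
    users_per_src = defaultdict(set)  # src -> accounts it has failed against
    lockout, spray = set(), set()
    for ts, user, src, result in parse_log(text):
        if result != "FAIL":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:       # drop failures older than the window
            q.popleft()
        if len(q) >= max_fail:
            lockout.add(user)
        users_per_src[src].add(user)
        if len(users_per_src[src]) >= spray_users:
            spray.add(src)
    return {"lockout": sorted(lockout), "spray": sorted(spray)}

if __name__ == "__main__":
    print(detect_guessing(SAMPLE_LOG))
```

With a lockout in force the 09:00:44 success for jdoe would have been refused; mlee, who mistyped once and then logged in, trips nothing.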