Would a decision to collect and store Windows domain usernames and passwords of all employees (IT inclusive) in a company bound by HIPAA regulations constitute a potential violation of those regulations? All employees have access to HIPAA-sensitive information.
Before jumping into the HIPAA arena, let's begin by stating these foundational security principles:
- Deny access by default.
- Only give access to those with a demonstrated need to know.
As the second sentence of your question states that all employees have access to HIPAA-sensitive information, the first step in this process is to examine if that is necessarily the case.
Essentially, going back to the foundational principles I noted above, my question is: Why do all these employees need access to HIPAA-sensitive information? Secondly, if they do, what are the policies, procedures and expectations for the employees surrounding their access to this information? Essentially, how can you be sure you are protecting the company from any abuse of this access by way of administrative, logical and physical controls?
Back to your question, I would need to have a better understanding of the surrounding circumstances. For instance, your Active Directory program definitely maintains domain usernames for all users, so part of the information in question is already stored.
So, the question becomes: Why is there a need to store user passwords? If an employee forgets his or her password, there should be an established process to allow for controlled reset, rather than a spreadsheet of sensitive credentials.
So, I'm not sure that collecting the passwords and usernames is necessarily a violation of HIPAA; however, when considering HIPAA password policy best practices, having username/password combinations stored together could be a violation, or could lead to a violation if such information fell into the wrong hands. This should be reviewed immediately by your security officer and possibly by legal counsel (i.e., your expert HIPAA attorney).
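The answer above distinguishes between a directory that already holds usernames (and only one-way password hashes) and a spreadsheet that pairs each username with a recoverable password, and it asks for a controlled reset process instead. The example below is added here and is not from the original answer or from TechTarget; it sketches that reset process against an in-memory credential store that stands in for the directory. It assumes PBKDF2-HMAC-SHA256 as the one-way hash (Active Directory uses its own storage format), and the helpdesk identity and ticket number used in the usage lines are constructed sample values.

```python
"""Controlled password reset with an audit trail and no recoverable passwords.

Added example (not from the original Q&A). The in-memory store below stands in
for the directory: it keeps a salted one-way hash per account, so there is no
username/password list that could be leaked the way a credential spreadsheet can.
"""
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Work factor for PBKDF2-HMAC-SHA256 (assumption: tune to your own hardware).
ITERATIONS = 600_000


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes          # only the one-way hash is ever stored
    must_change: bool = False


@dataclass
class CredentialStore:
    accounts: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def _audit(self, action: str, username: str, **details) -> None:
        # Audit records describe who did what to which account; they never carry
        # the password itself, temporary or otherwise.
        entry = {"time": datetime.now(timezone.utc).isoformat(),
                 "action": action, "username": username}
        entry.update(details)
        self.audit_log.append(entry)

    def create(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, self._hash(password, salt))
        self._audit("create", username)

    def verify(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None:
            return False
        # Constant-time comparison of the stored hash and the candidate hash.
        return hmac.compare_digest(acct.pw_hash, self._hash(password, acct.salt))

    def reset_password(self, username: str, requested_by: str, ticket: str) -> str:
        """Helpdesk-initiated reset: issues a random temporary password that the
        user must change at next logon. The caller hands the value to the user;
        the store keeps only its hash, and the audit entry records the request."""
        acct = self.accounts[username]
        alphabet = string.ascii_letters + string.digits
        temp = "".join(secrets.choice(alphabet) for _ in range(16))
        acct.salt = os.urandom(16)
        acct.pw_hash = self._hash(temp, acct.salt)
        acct.must_change = True
        self._audit("reset", username, requested_by=requested_by, ticket=ticket)
        return temp

    def change_password(self, username: str, old: str, new: str) -> bool:
        """User-initiated change: requires proof of the current password and
        clears the must_change flag set by a reset."""
        if not self.verify(username, old):
            self._audit("change_rejected", username)
            return False
        acct = self.accounts[username]
        acct.salt = os.urandom(16)
        acct.pw_hash = self._hash(new, acct.salt)
        acct.must_change = False
        self._audit("change", username)
        return True


if __name__ == "__main__":
    # Constructed sample flow: an account is created, the helpdesk resets it
    # under a ticket, and the user replaces the temporary password.
    store = CredentialStore()
    store.create("jdoe", "Winter2024!")
    temp = store.reset_password("jdoe", requested_by="helpdesk.amy", ticket="INC-0001")
    print("temporary password issued (shown once to the user):", temp)
    print("user changed it:", store.change_password("jdoe", temp, "NewSecret99!"))
    for entry in store.audit_log:
        print(entry)
```

The point of the design is that every party gets only what it needs: the helpdesk can reset but never learns or records the user's chosen password, the user proves the current password before picking a new one, and the store itself cannot hand anyone a plaintext credential even if it is copied wholesale.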
Related Q&A from Ernie Hayden, Contributor