Risk: Lack of unique passwords for each member of the workforce; sharing of passwords. Access to ePHI is not based on the job function of the workforce member.
Explanation: Passwords allow workforce members to gain access to information systems containing ePHI. Each password has to be unique and assigned to an individual user. A password given to a user, whether system generated or assigned, should not be shared with anyone. Users in an organization may require more or less access to ePHI depending on their job function, so not all users need equal access to ePHI.
Major Mitigation: Access to systems containing ePHI should be given only to those individuals who require it as part of their job function. Additionally, the access given to workforce members should be the minimum needed for them to carry out their job function. Users should have the ability to change their passwords, and passwords must be changed periodically so that a compromised password does not remain usable. Each member of the workforce should be trained on the password protection policies and should be held accountable for lapses.
Secondary Mitigation: The workforce member’s access to ePHI must be periodically reviewed and updates made as their job functions change so as to ensure minimum access to ePHI. Access details must be documented and updated. Periodic audits must be carried out. A sanction policy must be implemented for sharing passwords.
Success Criteria: Reports from the periodic audits will show how the defined policies are carried out and how they are periodically updated. User access logs can also be consulted to verify that users' access to ePHI matches their job functions.
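The periodic access review and the log check described under the mitigations and success criteria can be automated. The following is an added example, not part of the original risk entry: it compares each workforce member's current entitlements against what their job function allows (flagging excess access and accounts with no roster entry) and scans an access log for one account in use from several hosts within a short window, a common symptom of a shared password. The roles, systems, user names and log lines are constructed for illustration.

```python
"""Added example: least-privilege review and shared-credential check for
systems holding ePHI. All roles, systems, users and log lines below are
constructed and hypothetical."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical role-based entitlement matrix: the ePHI systems each job
# function needs. Anything beyond this is excess access.
ROLE_ENTITLEMENTS = {
    "nurse": {"ehr"},
    "billing_clerk": {"billing", "ehr_readonly"},
    "sysadmin": {"ehr", "billing", "backup"},
}

# Constructed workforce roster: user -> job function.
ROSTER = {
    "alice": "nurse",
    "bob": "billing_clerk",
    "carol": "sysadmin",
}

# Constructed entitlements as exported from the access control system.
CURRENT_ACCESS = {
    "alice": {"ehr", "billing"},           # billing is not needed by a nurse
    "bob": {"billing", "ehr_readonly"},
    "carol": {"ehr", "billing", "backup"},
    "dave": {"ehr"},                       # no longer on the roster
}


def review_entitlements(roster, current_access, role_entitlements):
    """Return findings as (user, kind, detail) tuples for excess access
    (more than the role allows) and orphaned accounts (user not on roster)."""
    findings = []
    for user, systems in sorted(current_access.items()):
        role = roster.get(user)
        if role is None:
            findings.append((user, "orphaned_account", sorted(systems)))
            continue
        excess = systems - role_entitlements[role]
        if excess:
            findings.append((user, "excess_access", sorted(excess)))
    return findings


# Constructed access log: timestamp, user, source host, system accessed.
ACCESS_LOG = """\
2024-03-01T08:00:12 alice ws-12 ehr
2024-03-01T08:03:40 alice ws-37 ehr
2024-03-01T08:05:02 bob ws-04 billing
2024-03-01T09:30:00 alice ws-12 ehr
2024-03-01T14:10:00 carol ws-09 backup
"""


def detect_shared_logins(log_text, window=timedelta(minutes=15)):
    """Flag accounts used from more than one host within `window`.
    Returns {user: sorted list of hosts involved}."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        ts, user, host, _system = line.split()
        sessions[user].append((datetime.fromisoformat(ts), host))
    suspects = {}
    for user, events in sessions.items():
        events.sort()
        for i, (t1, h1) in enumerate(events):
            for t2, h2 in events[i + 1:]:
                if t2 - t1 > window:
                    break          # events are sorted; nothing later is closer
                if h2 != h1:
                    suspects.setdefault(user, set()).update({h1, h2})
    return {u: sorted(h) for u, h in suspects.items()}


if __name__ == "__main__":
    for finding in review_entitlements(ROSTER, CURRENT_ACCESS, ROLE_ENTITLEMENTS):
        print("entitlement finding:", finding)
    for user, hosts in detect_shared_logins(ACCESS_LOG).items():
        print(f"possible shared credential: {user} used from {hosts}")
```

Run on the constructed data, the review reports alice's unneeded billing access and dave's orphaned account, and the log check reports alice's account in use from two workstations a few minutes apart. The window and the host-based heuristic are assumptions; a real deployment would tune them to the environment and treat the output as audit findings to investigate, not as proof of sharing.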