Each practice team member should only have access to the necessary systems and information to enable them to perform their role in the practice. Your practice needs to establish and monitor authorised access to health information. Your practice team should have access to appropriate training in the relevant software and on potential risks before access and passwords are provided.
Passwords are the most common form of access authentication. Password management can be complex as users often have multiple passwords to access various systems. Your practice team needs to be aware that most software will allow new passwords to be generated if they are forgotten, so it causes an unnecessary risk to your information security to keep a written record of passwords.
Your information systems should be set up to generate audit logs providing details of who is accessing, downloading, changing and deleting information. The audit logs should be reviewed periodically and retained in case information is required following an information security incident.
C6.4 C Our practice’s clinical software is accessible only via unique individual passwords that give access to information according to the person’s level of authorisation.
Create a policy
Your practice should develop a policy specifying who has administration rights and access to specific systems. Access to systems should be consistent with the responsibilities outlined in the position description of your practice team members.
Your policy should cover:
- password security to ensure passwords are not written down and placed near practice monitors
- how often passwords are changed – the longer the same password is used, the greater the risk it will become known and used inappropriately
- who in the practice team has the authority to reset or disable user passwords
- restriction of who in the practice team can create and remove users on each practice information system
- a process for recording different access levels and software access for your practice team members
- an established password structure (numbers, characters and symbols)
- each practice team member creating their own password and being responsible for keeping these secure
- not using a shared common password
- the need for passwords to be changed immediately if they have been or are suspected to have been compromised
- the implications when practice team members terminate their employment. Ensure these accounts are deactivated, remote access disabled, and computer equipment, backup media and any access devices (such as keys or entry swipe cards) as well as practice name badges are returned.
Tips for software password settings
Most software will allow password requirements to be set up so all users can create safe and secure individual passwords. Software can be configured to require:
- default user account passwords be changed on first login to the system
- a minimum password length (ie number of characters)
- a mixture of alphabetic (lower and upper case) and numeric characters, and symbols
- passwords do not use familiar and family names or words that can be found in a dictionary
- passwords should be set to expire to enforce periodic changes
- dates of birth are not used
- passwords are not reused
- two-factor authentication method (a combination of two types of authentication) if appropriate for your practice
- how automatic password saving is addressed in browsers and if this is disabled across the practice network.