How Secure Is Your Password – Doctor?

Tips on using strong passwords 

[Securing yourself from a world of hackers]

By Shahid N. Shah MS

Shahid N. Shah MS

What is at Risk?

Here are some specific tools, gadgets, cloud servers, EHRs and other reasons you should secure your passwords:

  • Fax Server – a fax server allows you to centrally manage all incoming and outgoing faxes. Since most medical practices live on fax, this is one of the fastest investments you can recoup.
  • Shared drives – start using shared drives either using your existing software or you can purchase inexpensive “network disks” for a few hundred dollars to share business forms, online directories, reports, scanned charts, and many other files.
  • Online backups and Internet PACS storage – there are online tools like that allow you to store gigabytes of encrypted data into the Internet “cloud” for just a few dollars a month.
  • E-mail (beware of HIPAA, though) – internal office messaging and email is a great place to start. If you haven’t started your office automation journey here, you should. If you’re going to use it for patient communications you’ll need to make sure you have patient approvals and appropriate encryption. If you’re on Gmail today and you want customers to be able to communicate with you on Gmail immediately, that’s generally HIPAA compliant because communications between two Gmail accounts stay within the Google data center and are not sent unencrypted over the Internet.
  • E-Prescribing – e-prescribing is a great place to start your automation journey because it’s a fast way to realize how much slower the digital process is in capturing clinical data. If e-prescribing alone makes you slower in your job, EMRs will likely affect you even more. If you’re productive with e-prescribing then EMRs in general will make you more productive too.
  • Office Online and Google Apps (scheduling, document sharing) – Google and Microsoft® have some very nice online tools for managing contacts (your patients are contacts), scheduling (appointments), dirt simple document management, and getting everyone in the office “on the same page”. Before you jump into full-fledged EMRs see if these basic free tools can do the job for you.
  • Modular clinical groupware – this is a new category of software that allows you to collaborate with colleagues on your most time-consuming or most-needy patients and leave the remainder of them as-is. By automating what takes most of your time, you don’t have to worry about the majority of patients who don’t.
  • Patient registry and CCR bulletin boards – if you’re just looking for basic patient population management and not detailed office automation then patient registries and CCR databases are a great start. These don’t help with workflow but they do manage patient summaries.
  • Document imaging – scanning and storing your paper documents is something that affects everyone; all scanners come with some basic imaging software that you can use for free. Once you’re good at scanning and paper digitization you can move to “medical grade” document management systems that can improve productivity even more.
  • Clinical content repository (CMS) – open source systems like and do a great job of content management and they can be adapted to do clinical content management.
  • Electronic lab reporting – if labs are taking up most of your time, you can automate that pretty easily with web-based lab reporting systems.
  • Electronic transcription – if clinical note taking is taking most of your time, you can automate that by using electronic transcribing.
  • Speech recognition – another “point solution” to helping with capturing clinical notes; you can get a system up and running for under $250.
  • Instant Messaging (IM) – IM gives you the ability to connect directly with multiple rooms within your office using free software; if you want, you can also connect with patients and other physicians during work hours.

How to avoid the most common and dangerous passwords?







3 Responses

  1. Lack of Unique PW Risks:

    Lack of unique passwords for each member of the workforce. Sharing of passwords. Access to ePHI is not based on the job function of the workforce.

    Explanation: Passwords allow the team to gain access to information systems using ePHI. Each password has to be unique and assigned to individual users. A password given to a user, whether it is system generated or assigned should not be shared with anyone. Users in an organization may require more or less access to ePHI based on their job function and so all users will not need equal access to ePHI.

    Major Mitigation: Access to systems containing ePHI should be given to only those individuals who require the access as part of their job function. Additionally, the access given to the workforce should be only the minimum access needed for them to carry out their job function. Users should have the privilege to change the passwords and the passwords must be changed periodically so that the passwords are not compromised in any way. Each member of the workforce should be trained on the password protection policies and should be held accountable for slippage.

    Secondary Mitigation: The workforce member’s access to ePHI must be periodically reviewed and updates made as their job functions change so as to ensure minimum access to ePHI. Access details must be documented and updated. Periodic audits must be carried out. A sanction policy must be implemented for sharing passwords.

    Success criteria: Reports from the periodic audits will show how the defined policies are carried out and how they are periodically updated. User access logs also can be referred to verify users’ access to ePHI based on their job functions.

    Shahid N. Shah MS
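The comment above says audits and user access logs are how you verify that ePHI access matches job function and that passwords are not shared. Here is an added example of that check (not code from the post or its commenters): it runs a constructed access log against a constructed role-to-resource policy, flags accesses outside the user’s job function, and flags one account active on two workstations within a short window, a common sign of a shared password. All user names, roles, resources and log lines are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed policy: each role gets only the ePHI its job function needs.
ROLE_ACCESS = {
    "physician": {"chart", "lab_results", "prescriptions"},
    "billing": {"billing_record"},
    "front_desk": {"schedule"},
}
# Constructed assignment: one unique account per workforce member.
USER_ROLE = {"dr_lee": "physician", "bob": "billing", "amy": "front_desk"}

# Constructed access log: timestamp, user, workstation, ePHI resource.
LOG = """\
2016-01-26T09:00:00 dr_lee WS-01 chart
2016-01-26T09:02:00 bob WS-04 billing_record
2016-01-26T09:05:00 bob WS-04 chart
2016-01-26T09:06:00 amy WS-02 schedule
2016-01-26T09:06:30 dr_lee WS-07 lab_results
2016-01-26T09:07:00 dr_lee WS-01 prescriptions
"""

def parse_log(text):
    """Parse one record per line into (time, user, host, resource)."""
    rows = []
    for line in text.splitlines():
        ts, user, host, resource = line.split()
        rows.append((datetime.fromisoformat(ts), user, host, resource))
    return rows

def out_of_role_access(rows):
    """(user, resource) pairs the user's job function does not require.
    Unknown users have no role, so every access they make is flagged."""
    return [(u, r) for _, u, _, r in rows
            if r not in ROLE_ACCESS.get(USER_ROLE.get(u), set())]

def suspected_sharing(rows, window=timedelta(minutes=5)):
    """Users seen on two different workstations within `window`:
    a classic indicator that one password is being shared."""
    seen = defaultdict(list)   # user -> [(time, host)] already processed
    flagged = set()
    for t, u, h, _ in sorted(rows):
        for t0, h0 in seen[u]:
            if h0 != h and t - t0 <= window:
                flagged.add(u)
        seen[u].append((t, h))
    return sorted(flagged)

if __name__ == "__main__":
    rows = parse_log(LOG)
    print("out of role:", out_of_role_access(rows))
    print("possible shared accounts:", suspected_sharing(rows))
```

The audit report the comment asks for is then simply these two lists, reviewed each period alongside the current role assignments.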


  2. Healthcare Cyber Crime

    A rise in cyber attacks against doctors and hospitals is costing the U.S. health-care system $6 billion a year as organized criminals who once targeted retailers and financial firms increasingly go after medical records, security researchers say.



  3. Cyber Update

    “Cyber criminals turn to ransomware as victims pay out.” By Lara Lackie for IT ProPortal, January 26, 2016.

    “With so many victims paying out, it is no wonder that ransomware is becoming more and more attractive to cyber criminals. Once files are encrypted, you’d better hope your backups are secure and up to date, or pay the fine and keep your fingers crossed that the files will be decrypted!” – James Miller, Managing Director at Foursys, which shared the results of an IT Security Survey.

    For HIPAA-covered entities it gets worse:

    “Cyberthugs targeting companies with ransomware based on extortion amount for data.” By Ms. Smith for Network World, January 26, 2016.

    “As if the steady rise of ransomware isn’t alarming enough, businesses that get hit with ransomware may not be unlucky targets of opportunity, but targets of choice as cyberthugs are setting ransom demands based on how much valuable data a business has.”

    Cyberthugs are aware that no personal data is more valuable than medical records. Count on it.

    Back up. Back up. Back up. Back up. Back up. Back up. Back up. Back up. Back up.

    D. Kellus Pruitt DDS

