Greetings
If you would be kind enough to share, I would like to know what you folks are using for password expiration in your clinics. This comes up from time to time for us, where some think that it is happening too frequently, so I would like to know what you guys are using for a maximum password age for expiration. Also, if you know, complexity requirements like special characters, password history, dictionary words or prohibited things like "qwerty", "letmein" or "12345" may help too.
Thanks in advance for your responses.
Mike Zavolas
Tallahassee Neurological Clinic
I'd suggest considering NIST's guidelines if you haven't seen them already. Unfortunately, getting buy-in to make any changes often proves to be the bigger challenge.
https://pages.nist.gov/800-63-3/sp800-63b.html
Related reference articles:
https://www.sans.org/security-awareness-training/blog/time-password-expiration-die
https://www.schneier.com/blog/archives/2016/08/frequent_passwo.html
https://www.schneier.com/blog/archives/2017/10/changes_in_pass.html
-dp
Ours is set up for 90 days and we implement it in the AD domain. We are using the standard Windows complexity and I'm not sure if it errors on the above passwords. Letters, numbers, and symbols here.
Hey Mike,
One recommendation is to go with the concept of a passphrase and get away from all of the complexity requirements that have been used in the past. As you are aware, the frustration many users have with complex password policies is the fact that they are difficult to remember, and the frequency of change only exacerbates this. The likelihood of users writing their passwords down on a post-it note and storing it somewhere near their computer also increases proportionally with password complexity. Here is where you might strike a balance: require users to use a passphrase of a minimum of 10-12 characters and only require them to change it every year. I have attached a briefing on passphrases that you might find helpful.
LessonsLearned_PasswordManagement
Because you will likely have folks objecting to a long passphrase (i.e., it takes too long to log in and out of Centricity), you could always suggest a single sign-on solution from Imprivata that allows your staff to tap in and out with a proximity card. Once they see the cost of such solutions, they will gladly agree to use a 10-character passphrase. 🙂
Greg
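As an added example that is not from any of the posters, here is a verifier-side check in Python that follows the approach of the NIST SP 800-63B guidance dp linked and the passphrase suggestion from Greg: a minimum length in the 10-12 character range, a blocklist containing the passwords Mike listed, rejection of context-specific words (username, product names like Centricity), and a password-history check kept as salted hashes in place of a forced expiration. The blocklist contents, the history depth and the function names are constructed for this example, not taken from any product or policy.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed blocklist for the example; a real deployment would load a
# large list of breached and commonly used passwords here.
BLOCKLIST = {"qwerty", "letmein", "12345", "password", "123456", "welcome1"}

MIN_LENGTH = 12      # passphrase floor in the 10-12 character range from the thread
HISTORY_DEPTH = 5    # how many previous passwords to remember per user

def normalize(pw: str) -> str:
    # SP 800-63B recommends Unicode normalization before checking or hashing
    return unicodedata.normalize("NFKC", pw)

def hash_for_history(pw: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so stored history entries are not reversible
    return hashlib.pbkdf2_hmac("sha256", normalize(pw).encode(), salt, 100_000)

def remember(history: list, pw: str) -> None:
    """Append a salted hash of pw to history, keeping only HISTORY_DEPTH entries."""
    salt = os.urandom(16)
    history.append((salt, hash_for_history(pw, salt)))
    del history[:-HISTORY_DEPTH]

def check_password(pw: str, username: str, history: list, context_words=()) -> list:
    """Return the reasons a candidate password is rejected; an empty list means accepted."""
    pw = normalize(pw)
    low = pw.lower()
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if low in BLOCKLIST:
        reasons.append("on the blocklist of common passwords")
    # Context-specific words (username, clinic or product names) are rejected
    # as substrings, so "Centricity2019" does not get through.
    for word in (username, *context_words):
        if word and word.lower() in low:
            reasons.append(f"contains context word '{word}'")
    # Reuse check: compare against stored salted hashes in constant time
    for salt, digest in history:
        if hmac.compare_digest(hash_for_history(pw, salt), digest):
            reasons.append("matches a previously used password")
            break
    return reasons
```

A rejected password returns every applicable reason so the user sees them all at once rather than one per attempt.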