Can HR/Boss Require Your Username and Password?
112 votes
We recently received this email at our work from the HR Department. We work in the healthcare industry and our username and password are linked to everything that we do. We have to follow strict HIPAA guidelines.
Would providing our username and password not be a breach of our privacy? And how do we know that our information will be kept in private and used correctly? Our information could be used to make it look like we did things that we never did.
"I need everyone to email me your username and your password for your Windows log in. These passwords will be kept in a locked file cabinet and not be shared with anyone other than the CEO or COO. Thanks for your prompt response. Have a super Monday afternoon!"
Tags: professionalism, management, work-environment, feedback
71
I know this makes us all cringe. Phishing? Really bad IT policies? Just plain sloppiness? Malfeasance? Gross stupidity? All important stuff, but not here. This conversation has been moved to chat.
– Monica Cellio♦
May 14 '15 at 3:02
48
related: Our security auditor is an idiot. How do I give him the information he wants?
– gnat
May 14 '15 at 7:27
20
In order to be HIPAA compliant your password would have to be forced to be changed within a certain time period (usually 3 months), so this would render all users' password data in the cabinet useless after this period. You can of course email the password and then change it yourself immediately afterwards!
– Matt Wilko
May 14 '15 at 9:18
3
@gnat Thanks for that link. I just had a good laugh.
– IvanP
May 14 '15 at 11:36
3
@Llopis yup. It means that any entity in the US that deals with other people's health information/records has very, very strict security and privacy laws they need to comply with.
– LindaJeanne
May 15 '15 at 15:07
asked May 13 '15 at 18:18 by Melissa; edited May 14 '15 at 18:22 by That Brazilian Guy
11 Answers
158 votes
The request is ridiculous on every level.
First how will the manager/HR lock your email in a cabinet? You don't ever ever ever send a sensitive username/password over email. There is a small chance that this could be part of a phishing attack. At best now your boss/HR's computer/laptop is a single point of failure for security at the whole office.
Second how will this manager/HR ensure that no one else would ever have access to this or potentially login as you?
Third, there are many ways with Windows administration that I can override a user's domain account and login to their profile using proper procedures.
To me there are only two reasons why management would ask for this:
They are so improperly trained and completely inept at technology and security procedures that they feel that this is the "only way" it can be done. This says a lot about your company. Either you have upper management that is literally clueless on how to run an organization that handles sensitive data or they have literally no belief in your IT/tech staff.
It could also be that the IT/tech staff has prevented them from doing certain things and having your login allows them to bypass these security measures. Some really well designed applications would not allow for an auto-login if I logged into your profile using domain authentication. So we would need to either have the user's login/pass or reset the user. Either way I cannot feasibly see why upper management would need to login as you to do something without your knowledge.
(Adding this based on a lost author comment) - I wouldn't normally go this far but the author added that she believes their outsourced IT/security department knows about the email and is OK with it. This is a sure sign that either they are very very unfit at their jobs (needing it for a real backup) and if they are that bad there is no way they are adhering to HIPAA standards. Or then most obviously, they are in cahoots with management - using the logins to do "nefarious" practices.
How would I handle this?
I would ask my manager why they need your details. Express your concerns about the privacy (and the HIPAA regulations).
If your manager presses you on this I would then contact HR - they sent the email but start with your manager. Good chance it might not be authorized (or once they see the security issue they will say it wasn't authorized). This is where it gets rough. Because the only group that is usually less technical than managers, is HR (speaking broadly here).
You will need to express your concerns to HR. I would make sure that HR is working with someone in your IT/tech department to make sure this meets security practices at the company. If HR refuses to work with IT/Tech departments you may need to contact someone directly in those departments. If you have a security section I would start with them. If not start with the head of IT.
The last resort is to contact Health and Human Services. You can read that this is probably a direct violation of their technical safeguards here. If no one at your company wants to do anything about the security issue then ask if it is a violation, report your company, and allow them to be educated.
(And I do feel that this is different from asking for your user/pass when you leave the company. I feel that can be justified because if they did anything there would be "timestamp" information that would allow you to be vindicated of wrongdoings. But while you are employed there, this becomes a game of he said/she said or where were you at 10:32 AM on January 5th? And note that with your login I can remotely login to a PC easily at the office you are at for a given day as you.)
Comments are not for extended discussion; this conversation has been moved to chat.
– Monica Cellio♦
May 14 '15 at 3:07
31
+1 For reporting your company. HIPAA is no joke (okay, so maybe it is).
– Dave Johnson
May 14 '15 at 16:32
1
+1 For saving me the 20 minutes it would have taken me to say pretty much the exact same thing.
– Dave Kanter
May 18 '15 at 13:53
I wouldn't even want to send my birthdate via e-mail. E-mail is absolutely insecure most of the time, except when you use good encryption or a company-owned network to transmit the data. I also cannot believe that the department requests such important information via e-mail without showing up in person. Also, they probably already have access to all the data because they have access to the IT dept.
– BlueWizard
Aug 9 '15 at 22:54
As for username/password on leaving, I'd tell them to reset the password.
– Joshua
Oct 14 '16 at 19:31
68 votes
That is a ludicrous request on so many levels in a HIPAA environment.
- Should not ask in the first place
- Should not email
- Should not keep it in a file cabinet
- It is a Windows logon
If you have Local logon rather than a Domain then I don't see how you would even be HIPAA compliant in the first place.
In a Domain a Domain Admin can lock an account or change your password.
If a Domain Admin changes your password that is what is logged - there is evidence the password change was not performed by you.
If they don't control your password today then I don't see how they are HIPAA compliant.
Really if you are not on a Domain then devices are not authenticated and that is not HIPAA compliant.
I guess they can ask for it but I suspect the request alone is evidence they are not HIPAA compliant. If you comply with the request then that is likely a HIPAA violation. But if you are complying with a verified request from management then I would say the violation is not something that can be pinned on you. If someone else uses your account you can say hey, you made me disclose my password. Prove that the email or file cabinet was not compromised. That is such a ludicrous request. Even someone from HR should know better.
Tread carefully. You have done nothing wrong. Even if you reply you have probably done nothing wrong. If you whistle-blow you might lose your job or shut down the company. If there are no damages then you may not even get any whistle-blower money. This is not your problem. Don't take the arrows.
Melissa, you keep asking why like there is a valid reason. My answer is that from both a HIPAA and technical perspective I see no valid reason. How HR got in the middle of this is something that only HR, the CEO, and the COO know. An IT person responsible for compliance would never do this. Again, this is not your problem. Let IT take this up with HR. I don't see the risk versus reward in being a whistle-blower.
7
I like how you're worried about device authentication, and we're all still in shock over "File cabinet." You have the soul of a security admin, don't you? +1
– Wesley Long
May 13 '15 at 19:18
3
@WesleyLong I am a programmer now but in the early days of HIPAA I did HIPAA compliance. There is no way you are compliant with local logon. I would disable local logon. There is a type of attack that tricks a computer into a local login.
– paparazzo
May 13 '15 at 19:21
30
Eh, I got downvoted, too. So did @Ghost. Probably by someone who has a file cabinet security system sitting next to their desk. I always figure if you didn't make somebody upset, you didn't really say anything useful.
– Wesley Long
May 13 '15 at 19:22
1
@mkennedy - HIPAA Health Insurance Portability and Accountability Act . ... aaand I see I got it wrong in one of my comments.
– Wesley Long
May 13 '15 at 21:56
2
@Blam - If I were a security auditor, I'd definitely investigate the Windows vs. Domain login, but I'm betting that most don't understand the difference. It's just "How I log in to Windows." It kind of has to be a domain given that the OP says they authenticate in their apps with the same credentials. I'm inferring a lot, but I think that's what's going on.
– Wesley Long
May 14 '15 at 1:32
67 votes
The sound you hear is ten thousand network administrators screaming "NO!" at this post.
At best, this is an attempt to see just how gullible you are. I would actually suspect this is the case, as security auditing tests mainly for social exploits these days.
At worst, this is the sign of completely inept management (I mean thoroughly, as in their parents should have to pay fines for polluting the environment with this stupidity).
In any case, I would NEVER send anyone ANY password that was tied to my identity.
I would forward this email to your IT department with a header, "Obviously no one would ever have a legitimate need to do this, but I thought this should be brought to your attention as an attempted security exploit."
18
"We know for sure this email is not a scam." - I know for sure that it's either nefarious or stupid beyond reason. I can't tell you which, but I wouldn't comply with either one. I'd still send it to your IT / security group, too. I'm really, really hoping that this is an audit for HIPPA, and not telling me that my health records are in the hands of people this stupid.
– Wesley Long
May 13 '15 at 18:56
9
@Melissa: and how are you sure the e-mail is legit? Is it digitally signed? If it is just the address, then you should learn how easy it is to fake an e-mail address or antedate an e-mail.
– user2284570
May 14 '15 at 11:38
2
Because the lady who sent the email, our "HR" (that's a joke), wants to know why I didn't reply...
– Melissa
May 14 '15 at 12:00
12
My company actually does internal phishing tests like this periodically to make sure we're all on our A-game. Reply to her with "That's a HIPAA violation" and see if she says "Congratulations!" I think the prospect is bleak based on your comment, but it's worth a shot and will definitely stir the pot the right direction.
– thanby
May 14 '15 at 15:29
4
The number of network admins screaming that just grew by another order of magnitude or two, now that this question is on the hot questions list.
– Michael Kjörling
May 14 '15 at 22:38
37 votes
This is bad enough at any company but for one that is under HIPAA, it is totally unacceptable (and very possibly illegal). I would suggest you get a copy of the HIPAA regulations, find the appropriate clauses about data access and send those back instead.
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf
Note there is a provision that they are allowed to make special provisions for handling emergencies, but it does appear to contradict the section where it states that it must be verifiable that the person logged in is the person it is supposed to be. By sending the information through email, you are likely in violation as there are other people who can access the emails (System administrators) besides the person it is sent to.
If you are under HIPAA, you may have a security officer who is responsible for ensuring HIPAA regulations are followed, if so bring this up to him or her before responding to the boss. This may be the better person to bring up how bad an idea this is.
8 votes
I would check your company's IT policy document. I would think it's very likely that there is a specific policy requiring you not to e-mail or write down your username/password combination.
I would then reply to all citing the regulation and refusing to comply.
4 votes
Just send in your username and password and then change your password. You should be required to change it every few months or so anyway. If in the future anyone asks why you changed your password, you can say "Oh, I've been told several times that it is a good idea to change my password from time to time, I didn't even think about that piece of paper locked in a cabinet somewhere".
20
«Our internal policy states that we must change the password immediately if we suspect it may be known by someone else. Thus, following such rule, I proceeded to change it exactly... 1 second after emailing you.» The funny thing is that they can't know if what you send is your password or garbage unless they attempt to use it. Which they are supposedly not going to use.
– Ángel
May 13 '15 at 22:57
8
Shortcut the process - send a previously used password. Then when they ask, "Did you change your password after you sent it?" you can honestly and straightforwardly answer, "No". :-)
– Bob Jarvis
May 14 '15 at 1:58
4 votes
I am currently an IT professional in the healthcare industry. I enforce policy that is designed and created by security professionals. These policies are structured on HIPAA. I can retrieve local policy concerning everything in this summary: http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
Some excerpts:
Administrative Safeguards -> Security Personnel. A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.
Technical Safeguards -> Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
Password considerations
Passwords must change periodically. This means physically stored passwords would become obsolete.
Your IT professionals have the ability to manage and audit your password. Individually retrieving passwords is far harder than automating the process via administrative controls.
Policy considerations
Based on HIPAA, you should have an appointed security officer and be trained on basic security controls. This would be the correct person to contact concerning this.
Your IT group and security group should have policies detailing controls placed on passwords. These policies are legal documents.
Privacy / HIPAA considerations
Being able to access a doctor's or nurse's account is a huge problem by itself. Controls must be in place for "Minimum Necessary Requirements". Your CEO or COO should never have access to patient information that they do not require to perform their job duties. Many arguments and excuses could be made for individual situations, but no argument can be made for all-inclusive access to all patients and employees.
Having an employee's password would also allow you to alter a chart inappropriately; this is a HIPAA violation.
Asking for all employees' passwords is not a HIPAA violation due to security auditing concerns. However, storing this information could easily be a violation.
Finally, if a CEO/COO used your account to perform a HIPAA violation, you would be responsible. If you participated in the e-mail, that could be used to mitigate some responsibility. However, you have a responsibility to protect your password, knowingly allowing someone access to your account is just as bad as impersonating someone.
What you should do
Do not provide your password. Review IT policy concerning passwords and access controls. Report the e-mail to your supervisor, appointed security officer, and IT administrator. If management does not respond favorably, your facility might have "anonymous" security hotlines you can complain to. Also, you have the option of complaining via the U.S. Department of Health and Human Services.
Unfortunately, when taking the complaint past your management, you might get suspiciously terminated.
2 votes
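Added example, not code from any answer on this page: paparazzo's answer notes that a domain admin resetting your password is logged as such, and the answer above says IT can manage and audit passwords. On a Windows domain that audit trail is Security event 4724 (reset, with the administrator as Subject and the employee as Target) versus 4723 (the user's own change, same account in both fields). The domain CLINIC, the usernames and the events below are constructed sample data; the parser assumes the XML shape that `wevtutil qe Security /f:xml` or Get-WinEvent's .ToXml() produces.

```python
"""Distinguish an admin password reset (Security event 4724) from a change the
user made themselves (event 4723) by comparing the Subject and Target accounts.
Assumes the standard Windows event XML (as from `wevtutil qe Security /f:xml`)."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample events: hypothetical CLINIC domain and usernames.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4723</EventID>
    <TimeCreated SystemTime="2015-05-14T09:20:00Z"/>
  </System>
  <EventData>
    <Data Name="TargetUserName">mwilko</Data>
    <Data Name="TargetDomainName">CLINIC</Data>
    <Data Name="SubjectUserName">mwilko</Data>
    <Data Name="SubjectDomainName">CLINIC</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4724</EventID>
    <TimeCreated SystemTime="2015-05-14T10:32:00Z"/>
  </System>
  <EventData>
    <Data Name="TargetUserName">melissa</Data>
    <Data Name="TargetDomainName">CLINIC</Data>
    <Data Name="SubjectUserName">it.admin</Data>
    <Data Name="SubjectDomainName">CLINIC</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2015-05-14T10:33:00Z"/>
  </System>
  <EventData>
    <Data Name="TargetUserName">melissa</Data>
  </EventData>
</Event>
</Events>"""


def _account(data, role):
    """Build DOMAIN\\user from the Subject* or Target* Data fields."""
    return f"{data.get(role + 'DomainName', '')}\\{data.get(role + 'UserName', '')}"


def classify_password_events(xml_text):
    """Return one finding per 4723/4724 event, tagged with who acted on whom."""
    findings = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        event_id = ev.findtext("e:System/e:EventID", namespaces=NS)
        if event_id not in ("4723", "4724"):
            continue  # logons and other events are not password changes
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        subject, target = _account(data, "Subject"), _account(data, "Target")
        if event_id == "4724":
            kind = "admin-reset"          # someone else set the password
        elif subject.lower() == target.lower():
            kind = "self-change"          # the user changed their own password
        else:
            kind = "change-by-other"      # 4723 raised on behalf of another account
        findings.append({"time": when, "event_id": event_id,
                         "subject": subject, "target": target, "kind": kind})
    return findings


def password_set_by_someone_else(findings, user):
    """Events where `user`'s password was set by a different account: the
    evidence that the change was not performed by the user."""
    return [f for f in findings
            if f["target"].lower().endswith("\\" + user.lower())
            and f["subject"].lower() != f["target"].lower()]


if __name__ == "__main__":
    found = classify_password_events(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['time']} {f['event_id']} {f['kind']:16} {f['subject']} -> {f['target']}")
    print("melissa's password set by others:",
          password_set_by_someone_else(found, "melissa"))
```

On a live domain controller the same check runs over the output of `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4723,4724}` converted with `.ToXml()`.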
You should not provide your username and password and reply back explaining that the security policy prevents you from providing that information and this sounds like a phishing email; CC an internal security team or IT team to make them aware of the email going around.
If it's a legit request and they press the issue further, approach them in-person to discuss and explain why you shouldn't. If they still insist, provide it in-person and not over email.
We know for sure this email is not a scam. That it is a legit email from our HR department. But once something is done in the system we use it is linked to our name forever.
– Melissa
May 13 '15 at 18:53
7
I disagree with your last sentence, if they insist keep moving up the chain in-house and if they continue insisting then decide whether you contact HIPPA as mentioned by blankip, resign or both. Under no circumstances, ever, should you disclose your personal authentication credentials to anyone.
– IllusiveBrian
May 13 '15 at 19:28
1
@Namfuak I'm taking the practical approach. In reality, no one is going to tell the CEO no. And given the choice of keeping your job or giving us access to your account in our system (never mind they could change the data behind the scenes all they want to make it look like a person did something), who is going to walk out? The company hasn't done anything illegal; the HIPAA link above doesn't say that an employer can't have access to an employee's password and account.
– UnhandledExcepSean
May 13 '15 at 19:34
2 votes
Just Say No
HIPAA requires access be limited to those with a need to know. The only way an approved Electronic Health Records system assesses need to know is by who is logged in. HIPAA also requires they log who has accessed electronic records, and who has changed them.
Due to HIPAA and the electronic health records rules, each provider should have a unique identifier, which only that provider can access. This is usually implemented by a combination of object in hand (ID card or RFID) and item you know (password), and for verification, item many people know (account ID). The IT department can easily look up the account ID. The IT department can probably change the password with minimum hassle, (but it gets logged in the system,) and if they do so to access things improperly, it's much easier to point out that your password was changed by someone else. (When you go to log in, you'll discover your password fails, and have to have IT reset it for you. If that happens, it's a warning sign.)
Per the Department of Health and Human Services' (DHHS) Summary of the HIPAA Security Rule, violations of the security rules are federal crimes. Per the Enforcement Rule page, each unauthorized or illegal access is finable at up to $100, to a maximum of $25,000 per year. If you let someone have your login credentials, and they use them, and it can be tracked back to you, each of you can get hit with the fines. Every record accessed can be fined for each time it's accessed.
No Valid Reason
As noted above, the IT guys, or at least the Electronic Health Records Security Officer, can access your account by use of several methods, but those methods are likely to be logged.
Any legitimate reason to look at records has access already under their own account. Management has no legitimate reason, unless they get approval from the Electronic Health Records Security Officer (EHRSO), and that means they're supposed to have their own log-in.
Physical record of your password for "I forgot" purposes is likewise invalid - the EHRSO can have your password reset. Possibly even IT can reset your password. If you go that route, as soon as possible, you should change your password.
A competent EHRSO can even create a statistical sampling account that shows record numbers but no identification of the patient, so even statistical sampling isn't a valid reason.
Since all your records can be reviewed by the EHRSO, or a person appointed by them, and credentialed with their own login and password, and thus properly logged, reviewing your work is not a valid reason.
Password via email
Sending a password via email is always a bad idea. Especially when it allows access which you can be fined for using inappropriately. Never email your password to anything to anyone, including yourself.
Report this to the EHRSO
Your EHR Security Officer may not be in the loop. If they are, then you've got a big problem with the employer. If not, they may be able to gently educate the higher ups about the situation.
Report to DHHS
If they don't take "no" for an answer, as soon as you're able, contact the Department of Health and Human Services' Office of Civil Rights (DHHS-OCR). Let them know that you have concerns about your log-in credentials being used by your employer to gain unlawful access by management to electronic health records.
This is to do 3 things:
- Protect you from both the employer and the DHHS-OCR
- Protect your patients' civil rights
- Get your employer educated about what they can and cannot do legitimately.
Even if nothing comes of it fine-wise, it gets logged by DHHS-OCR, and future complaints by others will have more ammo. It can take a while.
If you are threatened by your employer, contact your professional licensing division and find out what your state rights and liabilities are. Note also that reporting violations of US Federal regulations is protected under whistle blower laws on the federal level.
Polite but Firm
Remain polite when dealing with the administration. Even if they are asking something illegal, a hostile or vitriolic response may be grounds for termination.
1 vote
A boss "can" do pretty much anything, even if it's illegal. As I see it, the only things a boss can't do are the things his or her employees refuse to comply with.
You can also refuse to do anything your boss asks you to do, independently of whether that request is legal, illegal, reasonable or unreasonable. Your boss's request doesn't have to be illegal or whatever for you to decline to comply.
I get the impression you don't think what your boss is asking you for is okay. If you think it's a bad idea, my advice would be not to do it. Or do it and then immediately start looking for another job.
12
I am refusing to do so, for my privacy safety and the privacy safety of the clients that I have seen in my office. I have already applied to 4 jobs this week :)
– Melissa
May 13 '15 at 20:40
2
Nice! Good job.
– Jason Swett
May 13 '15 at 22:16
You have no privacy rights on a company-supplied machine, unfortunately. What you do have is company security policy.
– keshlam
May 15 '15 at 13:59
0 votes
The company can require full access to anything you do for them or on their equipment. Asking for your personal password is absolutely the wrong way to handle that, though; they should be able to set up an administrative override on any system if that's really what they want.
If they do so, you should cooperate.
If they don't, but there's a legitimate business emergency that requires access when you can't be there, you should find out what company policy is -- who would have to approve it -- and then change your password as soon as you return and/or the crisis is past.
If there isn't a crisis, it can wait until you can get there.
If it's in a gray area between these, get explicit direction from higher management and/or your company's computer security team. Preferably in writing over a signature.
1
Any quarter-competent, slightly knowledgeable IT professional should know how to access data from an administrative account if they need to. There should never be a legitimate emergency which requires a user to hand over a password. More often than not a user's password is used for the purposes of auditable events (such as accessing or modifying patient data); in the event that any form of admin override is used then that can also remain auditable. There is no grey area. It's incompetence at best and malice at worst.
– Damian Nikodem
May 15 '15 at 13:29
Incompetence agreed. Odds are that these folks weren't informed enough to arrange for admin access before giving the OP the machine. But short of an emergency, that is what they should be asking for... and in the OP's place, that's what I'd give them, after making sure it was different from my own password and after checking company policy to find out if this individual should have access to my machine at all. Of course the downside of admin access is that one can make a gawdawful mess of the machine if not careful, but that's the responsibility of whoever logs in that way.
– keshlam
May 15 '15 at 13:56
2
It's more about audit logs than anything else, especially if dealing with patient data. Sure an admin can go in and make a mess, but an admin cannot sign anything as anyone else; that's dangerous, that's really bad. At the end of the day if something bad happens, such as an alteration of data or a data leak, when the logs get checked and an admin is scattered throughout a number of patient records that can take personal liability away from the poster; if it's only the poster's name all over the logs then they have absolutely no recourse. Look up GLP and CFR 21 in regards to digital signatures.
– Damian Nikodem
May 15 '15 at 14:33
11 Answers
up vote
158
down vote
The request is ridiculous on every level.
First, how will the manager/HR lock your email in a cabinet? You don't ever ever ever send a sensitive username/password over email. There is a small chance that this could be part of a phishing attack. At best now your boss/HR's computer/laptop is a single point of failure for security at the whole office.
Second, how will this manager/HR ensure that no one else would ever have access to this or potentially log in as you?
Third, there are many ways with Windows administration that I can override a user's domain account and log in to their profile using proper procedures.
To me there are only two reasons why management would ask for this:
They are so improperly trained and completely inept at technology and security procedures that they feel that this is the "only way" it can be done. This says a lot about your company. Either you have upper management that is literally clueless on how to run an organization that handles sensitive data or they have literally no belief in your IT/tech staff.
It could also be that the IT/tech staff has prevented them from doing certain things and having your login allows them to bypass these security measures. Some really well designed applications would not allow for an auto-login if I logged into your profile using domain authentication. So we would need to either have the user's login/pass or reset the user. Either way I cannot feasibly see why upper management would need to log in as you to do something without your knowledge.
(Adding this based on a lost author comment) - I wouldn't normally go this far but the author added that she believes their outsourced IT/security department knows about the email and is OK with it. This is a sure sign that either they are very very unfit at their jobs (needing it for a real backup) and if they are that bad there is no way they are adhering to HIPAA standards. Or then most obviously, they are in cahoots with management - using the logins to do "nefarious" practices.
How would I handle this?
I would ask my manager why they need your details. Express your concerns about the privacy (and the HIPAA regulations).
If your manager presses you on this I would then contact HR - they sent the email but start with your manager. Good chance it might not be authorized (or once they see the security issue they will say it wasn't authorized). This is where it gets rough. Because the only group that is usually less technical than managers is HR (speaking broadly here).
You will need to express your concerns to HR. I would make sure that HR is working with someone in your IT/tech department to make sure this meets security practices at the company. If HR refuses to work with IT/Tech departments you may need to contact someone directly in those departments. If you have a security section I would start with them. If not start with the head of IT.
The last resort is to contact Health and Human Services. You can read that this is probably a direct violation of their technical safeguards here. If no one at your company wants to do anything about the security issue then ask if it is a violation, report your company, and allow them to be educated.
(And I do feel that this is different from asking for your user/pass when you leave the company. I feel that can be justified because if they did anything there would be "timestamp" information that would allow you to be vindicated of wrongdoings. But while you are employed there, this becomes a game of he said/she said or where were you at 10:32 AM on January 5th? And note that with your login I can remotely log in to a PC easily at the office you are at for a given day as you.)
Comments are not for extended discussion; this conversation has been moved to chat.
– Monica Cellio♦
May 14 '15 at 3:07
31
+1 For reporting your company. HIPAA is no joke (okay, so maybe it is).
– Dave Johnson
May 14 '15 at 16:32
1
+1 For saving me the 20 minutes it would have taken me to say pretty much the exact same thing.
– Dave Kanter
May 18 '15 at 13:53
I wouldn't even want to send my birthdate via E-Mail. E-Mail is absolutely insecure most of the time. Except when you use good encryption or use a company-owned network to transmit the data. I also cannot believe that the Department requests such important information via E-Mail without showing up in person. Also they probably already have access to all the data because they have access to the IT dept.
– BlueWizard
Aug 9 '15 at 22:54
As for username/password on leaving, I'd tell them to reset the password.
– Joshua
Oct 14 '16 at 19:31
edited May 14 '15 at 3:38
answered May 13 '15 at 19:01
blankip
19.9k74781
up vote
68
down vote
That is a ludicrous request on so many levels in a HIPAA environment.
- Should not ask in the first place
- Should not email
- Should not keep it in a file cabinet
- It is a Windows logon
If you have Local logon rather than a Domain then I don't see how you would even be HIPAA compliant in the first place.
In a Domain a Domain Admin can lock an account or change your password.
If a Domain Admin changes your password that is what is logged - there is evidence the password change was not performed by you.
If they don't control your password today then I don't see how they are HIPAA compliant.
Really if you are not on a Domain then devices are not authenticated and that is not HIPAA compliant.
I guess they can ask for it but I suspect the request alone is evidence they are not HIPAA compliant. If you comply with the request then that is likely a HIPAA violation. But if you are complying with a verified request from management then I would say the violation is not something that can be pinned on you. If someone else uses your account you can say hey, you made me disclose my password. Prove that email or file cabinet was not compromised. That is such a ludicrous request. Even someone from HR should know better.
Tread carefully. You have done nothing wrong. Even if you reply you have probably done nothing wrong. If you whistle blow you might lose your job or shut down the company. If there are no damages then you may not even get any whistle-blower money. This is not your problem. Don't take the arrows.
Melissa you keep asking why like there is a valid reason. My answer is that from both a HIPAA and technical perspective I see no valid reason. How HR got in the middle of this is something that only HR, CEO, and COO know. An IT person responsible for compliance would never do this. Again this is not your problem. Let IT take this up with HR. I don't see the risk versus reward in being a whistle blower.
7
I like how you're worried about device authentication, and we're all still in shock over "File cabinet." You have the soul of a security admin, don't you? +1
– Wesley Long
May 13 '15 at 19:18
3
@WesleyLong I am a programmer now but in early days of HIPAA I did HIPAA compliance. There is no way you are compliant with local logon. I would disable local logon. There is a type of attack that tricks a computer into a local login.
– paparazzo
May 13 '15 at 19:21
30
Eh, I got downvoted, too. So did @Ghost. Probably by someone who has a file cabinet security system sitting next to their desk. I always figure if you didn't make somebody upset, you didn't really say anything useful.
– Wesley Long
May 13 '15 at 19:22
1
@mkennedy - HIPAA: Health Insurance Portability and Accountability Act. ... aaand I see I got it wrong in one of my comments.
– Wesley Long
May 13 '15 at 21:56
2
@Blam - If I were a security auditor, I'd definitely investigate the Windows vs. Domain login, but I'm betting that most don't understand the difference. It's just "How I log in to Windows." It kind of has to be a domain given that the OP says they authenticate in their apps with the same credentials. I'm inferring a lot, but I think that's what's going on.
– Wesley Long
May 14 '15 at 1:32
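Both keshlam's answer (an administrative override rather than the user's own password) and paparazzo's point that a Domain Admin's password reset is logged as the admin's action, not the user's, come down to what the audit trail can still prove. The following is an added example, not code from this thread or from anyone in it: it walks constructed Windows Security log records (the event ids are real: 4723 is a self-service password change, 4724 an administrative reset, 4624 a successful logon; account and workstation names are made up) and labels each logon with who could have known the password at that moment, which is exactly what a disclosed password destroys until the user changes it again.

```python
from dataclasses import dataclass

# Real Windows Security event ids; their meaning is documented by Microsoft.
EVENT_PASSWORD_CHANGE = 4723  # account holder changed own password (old password required)
EVENT_PASSWORD_RESET = 4724   # another principal reset the password (no old password needed)
EVENT_LOGON = 4624            # successful logon


@dataclass(frozen=True)
class SecurityEvent:
    event_id: int
    subject: str      # SubjectUserName: who performed the action
    target: str       # TargetUserName: account acted on (for 4624, the account that logged on)
    workstation: str
    timestamp: str    # ISO 8601, so plain string comparison orders events correctly


def password_custody_trail(events, account):
    """Every password change affecting `account`, labelled by who did it.
    A 4724 whose subject is someone else is log evidence that the account
    holder did not make that change."""
    trail = []
    for ev in sorted(events, key=lambda e: e.timestamp):
        if ev.target.lower() != account.lower():
            continue
        if ev.event_id == EVENT_PASSWORD_CHANGE:
            trail.append((ev.timestamp, "self-change", ev.subject))
        elif ev.event_id == EVENT_PASSWORD_RESET:
            trail.append((ev.timestamp, "admin-reset", ev.subject))
    return trail


def logon_accountability(events, account, disclosed_at=None):
    """Walk the log in time order and label each logon of `account` with who
    could have known the password at that moment:
      'user-only'   - only the account holder has ever known this password
      'admin-reset' - an administrator reset it (4724) and no self-change since
      'shared'      - the password was handed to someone else at `disclosed_at`
                      (e.g. emailed to HR; the disclosure itself is never logged)
    A self-service change (4723) restores 'user-only'."""
    custody = "user-only"
    disclosure_pending = disclosed_at is not None
    labelled = []
    for ev in sorted(events, key=lambda e: e.timestamp):
        if disclosure_pending and ev.timestamp >= disclosed_at:
            custody, disclosure_pending = "shared", False
        if ev.target.lower() != account.lower():
            continue
        if ev.event_id == EVENT_PASSWORD_RESET:
            custody = "admin-reset"
        elif ev.event_id == EVENT_PASSWORD_CHANGE:
            custody = "user-only"
        elif ev.event_id == EVENT_LOGON:
            labelled.append((ev.timestamp, ev.workstation, custody))
    return labelled


# Constructed sample log (hypothetical names): a user logs on and changes her own
# password, the password is emailed out on the afternoon of 2015-05-13, an admin
# resets it the next morning, and the user then sets a fresh one herself.
SAMPLE_EVENTS = [
    SecurityEvent(4624, "j.doe", "j.doe", "CLINIC-PC07", "2015-05-11T08:02:00"),
    SecurityEvent(4723, "j.doe", "j.doe", "CLINIC-PC07", "2015-05-11T08:05:00"),
    SecurityEvent(4624, "j.doe", "j.doe", "OTHER-PC", "2015-05-13T17:40:00"),
    SecurityEvent(4624, "it.admin", "it.admin", "DC01", "2015-05-14T08:59:00"),
    SecurityEvent(4724, "it.admin", "j.doe", "DC01", "2015-05-14T09:00:00"),
    SecurityEvent(4624, "j.doe", "j.doe", "CLINIC-PC07", "2015-05-14T09:15:00"),
    SecurityEvent(4723, "j.doe", "j.doe", "CLINIC-PC07", "2015-05-14T09:20:00"),
    SecurityEvent(4624, "j.doe", "j.doe", "CLINIC-PC07", "2015-05-14T09:30:00"),
]

if __name__ == "__main__":
    for row in password_custody_trail(SAMPLE_EVENTS, "j.doe"):
        print("password:", *row)
    for row in logon_accountability(SAMPLE_EVENTS, "j.doe", disclosed_at="2015-05-13T16:00:00"):
        print("logon:", *row)
```

Run without `disclosed_at` the same log attributes every logon except the one right after the admin reset to the user; with it, the 17:40 logon from OTHER-PC is exactly the "he said/she said" case the thread describes.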
edited May 14 '15 at 15:33
answered May 13 '15 at 19:16
paparazzo
7
I like how you're worried about device authentication, and we're all still in shock over "File cabinet." You have the soul of a security admin, don't you? +1
– Wesley Long
May 13 '15 at 19:18
3
@WesleyLong I am a programmer now but in the early days of HIPAA I did HIPAA compliance. There is no way you are compliant with local logon. I would disable local logon. There is a type of attack that tricks a computer into a local login.
– paparazzo
May 13 '15 at 19:21
30
Eh, I got downvoted, too. So did @Ghost. Probably by someone who has a file cabinet security system sitting next to their desk. I always figure if you didn't make somebody upset, you didn't really say anything useful.
– Wesley Long
May 13 '15 at 19:22
1
@mkennedy - HIPAA Health Insurance Portability and Accountability Act . ... aaand I see I got it wrong in one of my comments.
– Wesley Long
May 13 '15 at 21:56
2
@Blam - If I were a security auditor, I'd definitely investigate the Windows vs. Domain login, but I'm betting that most don't understand the difference. It's just "How I log in to Windows." It kind of has to be a domain given that the OP says they authenticate in their apps with the same credentials. I'm inferring a lot, but I think that's what's going on.
– Wesley Long
May 14 '15 at 1:32
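The point in the answer above, that a Domain Admin resetting your password leaves a log entry showing it was not you, can be made concrete. The following is an added example, not code from the answer or its commenters: it triages Windows Security event records using the two standard event IDs 4723 (a user changed their own password, supplying the old one) and 4724 (an administrator reset it without knowing the old one). The CSV layout, the CLINIC domain and the account names are constructed samples, not a real export.

```python
"""Tell a self-service password change apart from an administrative reset
in Windows Security event records (added example, constructed data)."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed sample records in a simplified CSV layout (not a real export).
# Columns: time, Windows event id, subject (who acted), target (whose
# password), NTSTATUS code (0x0 = success; 0xC0000022 = access denied).
# Event IDs 4723 and 4724 are the real Windows Security event numbers;
# the CLINIC domain and account names are made up.
SAMPLE_EVENTS = """\
time,event_id,subject_account,target_account,status
2015-05-13T09:02:11,4723,CLINIC\\mhart,CLINIC\\mhart,0x0
2015-05-13T14:30:45,4724,CLINIC\\itadmin,CLINIC\\mhart,0x0
2015-05-14T08:15:02,4724,CLINIC\\itadmin,CLINIC\\jdoe,0xC0000022
2015-05-14T10:41:19,4723,CLINIC\\jdoe,CLINIC\\jdoe,0x0
"""


@dataclass(frozen=True)
class PasswordEvent:
    time: str
    event_id: int
    subject: str   # the account that performed the action
    target: str    # the account whose password was affected
    success: bool

    @property
    def kind(self) -> str:
        if self.event_id == 4723:
            return "self-service change"
        if self.event_id == 4724:
            return "administrative reset"
        return "other"


def parse_events(text: str) -> list[PasswordEvent]:
    """Parse the constructed CSV layout into PasswordEvent records."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        PasswordEvent(
            time=row["time"],
            event_id=int(row["event_id"]),
            subject=row["subject_account"],
            target=row["target_account"],
            success=row["status"] == "0x0",
        )
        for row in reader
    ]


def password_history(events: list[PasswordEvent], account: str) -> list[tuple]:
    """Return (time, kind, actor) for every successful password event on
    `account`. A 4724 whose subject differs from the target is exactly the
    evidence the answer describes: the log names who set the password."""
    history = []
    for e in events:
        if e.target.lower() == account.lower() and e.success:
            actor = "the user" if e.subject.lower() == e.target.lower() else e.subject
            history.append((e.time, e.kind, actor))
    return history


def reset_by_others(events: list[PasswordEvent], account: str) -> list[str]:
    """Accounts that successfully reset `account`'s password and are not the user."""
    return sorted({
        e.subject for e in events
        if e.event_id == 4724 and e.success
        and e.target.lower() == account.lower()
        and e.subject.lower() != e.target.lower()
    })


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for entry in password_history(evs, "CLINIC\\mhart"):
        print(entry)
    print("reset by:", reset_by_others(evs, "CLINIC\\mhart"))
```

On a real domain controller the same distinction is visible in the Security log under "Audit User Account Management": the Subject fields of a 4724 record identify the administrator, so a reset performed without the user's involvement is attributable even if the user never learns about it. A failed 4724 (non-zero status) is also worth watching, since it shows someone tried to take over an account and lacked the rights to do so.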
up vote
67
down vote
The sound you hear is ten thousand network administrators screaming "NO!" at this post.
At best, this is an attempt to see just how gullible you are. I would actually suspect this is the case, as security auditing tests mainly for social exploits these days.
At worst, this is the sign of completely inept management (I mean thoroughly, as in their parents should have to pay fines for polluting the environment with this stupidity).
In any case, I would NEVER send anyone ANY password that was tied to my identity.
I would forward this email to your IT department with a header, "Obviously no one would ever have a legitimate need to do this, but I thought this should be brought to your attention as an attempted security exploit."
edited May 14 '15 at 2:54
answered May 13 '15 at 18:48
Wesley Long
18
"We know for sure this email is not a scam." - I know for sure that it's either nefarious or stupid beyond reason. I can't tell you which, but I wouldn't comply with either one. I'd still send it to your IT / security group, too. I'm really, really hoping that this is an audit for HIPPA, and not telling me that my health records are in the hands of people this stupid.
– Wesley Long
May 13 '15 at 18:56
9
@Melissa : and how are you sure the e-mail is legit? Is it digitally signed? If it is just the address, then you should learn how easy it is to fake an e-mail address or antedate an e-mail.
– user2284570
May 14 '15 at 11:38
2
Because the lady who sent the email, our "HR" (that's a joke), wants to know why I didn't reply...
– Melissa
May 14 '15 at 12:00
12
My company actually does internal phishing tests like this periodically to make sure we're all on our A-game. Reply to her with "That's a HIPAA violation" and see if she says "Congratulations!" I think the prospect is bleak based on your comment, but it's worth a shot and will definitely stir the pot the right direction.
– thanby
May 14 '15 at 15:29
4
The number of network admins screaming that just grew by another order of magnitude or two, now that this question is on the hot questions list.
– Michael Kjörling
May 14 '15 at 22:38
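The answer above recommends forwarding the message to IT as a suspected exploit, and one comment asks how anyone can be sure the e-mail is legitimate when the sender address is so easy to fake. One check a defender can run before deciding is whether the receiving mail server actually authenticated the sender. The following is an added example, not code from the answer or the commenters: it reads the Authentication-Results header (RFC 8601) that a border mail server stamps on inbound mail and flags a message that claims an internal sender but did not pass SPF/DKIM/DMARC. The domain example-clinic.test, both sample messages and the pass/fail rule are constructed assumptions.

```python
"""Triage a suspicious e-mail from its Authentication-Results header
(added example with constructed messages)."""
import email
from email import policy

# Constructed, hypothetical organisation domain.
OUR_DOMAIN = "example-clinic.test"

# Constructed: the receiving server (mx.example-clinic.test) authenticated it.
MSG_AUTHENTICATED = """\
Authentication-Results: mx.example-clinic.test;
 spf=pass smtp.mailfrom=hr@example-clinic.test;
 dkim=pass header.d=example-clinic.test;
 dmarc=pass header.from=example-clinic.test
From: HR <hr@example-clinic.test>
To: staff@example-clinic.test
Subject: Windows log in

I need everyone to email me your username and your password.
"""

# Constructed: same visible sender, but the server could not authenticate it.
MSG_SPOOFED = """\
Authentication-Results: mx.example-clinic.test;
 spf=fail smtp.mailfrom=hr@example-clinic.test;
 dkim=none;
 dmarc=fail header.from=example-clinic.test
From: HR <hr@example-clinic.test>
To: staff@example-clinic.test
Subject: Windows log in

I need everyone to email me your username and your password.
"""


def parse_auth_results(header_value: str) -> dict:
    """Return {method: result} from an Authentication-Results value,
    e.g. {'spf': 'pass', 'dkim': 'pass', 'dmarc': 'pass'}.
    The first ';'-separated element is the authserv-id and is skipped."""
    verdicts = {}
    for part in header_value.split(";")[1:]:
        tokens = part.split()          # also collapses folding whitespace
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        verdicts[method.lower()] = result.lower()
    return verdicts


def sender_domain(msg) -> str:
    """Domain of the first address in the visible From header."""
    if not msg["From"]:
        return ""
    return msg["From"].addresses[0].addr_spec.rsplit("@", 1)[-1].lower()


def triage(raw: str) -> dict:
    """Decide whether a message claiming an internal sender was
    authenticated by our own border server (simplified rule: DMARC pass,
    or SPF and DKIM both pass)."""
    msg = email.message_from_string(raw, policy=policy.default)
    verdicts = parse_auth_results(str(msg.get("Authentication-Results", "")))
    claims_internal = sender_domain(msg) == OUR_DOMAIN
    authenticated = verdicts.get("dmarc") == "pass" or (
        verdicts.get("spf") == "pass" and verdicts.get("dkim") == "pass"
    )
    return {
        "claims_internal_sender": claims_internal,
        "verdicts": verdicts,
        "authenticated": authenticated,
        # An internal-looking sender that our server could not authenticate
        # is the case worth escalating to IT/security.
        "escalate": claims_internal and not authenticated,
    }


if __name__ == "__main__":
    for label, raw in (("authenticated", MSG_AUTHENTICATED), ("spoofed", MSG_SPOOFED)):
        print(label, triage(raw))
```

Two caveats a practitioner would add: the header is only trustworthy if the border mail server strips any Authentication-Results headers that arrive from outside with its own authserv-id, and a clean pass only proves the message travelled through the organisation's own sending path. It says nothing about whether the request itself is acceptable, which in this case it plainly is not, so the message goes to IT either way.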
up vote
37
down vote
This is bad enough at any company, but for one that is under HIPAA it is totally unacceptable (and very possibly illegal). I would suggest you get a copy of the HIPAA regulations, find the appropriate clauses about data access and send that back instead.
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf
Note there is a provision that they are allowed to make special provisions for handling emergencies, but it does appear to contradict the section where it states that it must be verifiable that the person logged in is the person it is supposed to be. By sending the information through email, you are likely in violation as there are other people who can access the emails (system administrators) besides the person it is sent to.
If you are under HIPAA, you may have a security officer who is responsible for ensuring HIPAA regulations are followed; if so, bring this up to him or her before responding to the boss. This may be the better person to bring up how bad an idea this is.
edited May 13 '15 at 20:36
Aaron Hall
answered May 13 '15 at 19:20
HLGEM
up vote
8
down vote
I would check your company's IT policy document. I would think it's very likely that there is a specific policy requiring you not to e-mail or write down your username/password combination.
I would then reply to all citing the regulation and refusing to comply.
answered May 14 '15 at 9:11
Jack Aidley
up vote
4
down vote
Just send in your username and password and then change your password. You should be required to change it every few months or so anyway. If in the future anyone asks why you changed your password, you can say "Oh, I've been told several times that it is a good idea to change my password from time to time, I didn't even think about that piece of paper locked in a cabinet somewhere".
answered May 13 '15 at 20:34
Todd Wilcox
20
«Our internal policy states that we must change the password immediately if we suspect it may be known by someone else. Thus, following such a rule, I proceeded to change it exactly... 1 second after emailing you.» The funny thing is that they can't know if what you send is your password or garbage unless they attempt to use it. Which they are supposedly not going to use.
– Ángel
May 13 '15 at 22:57
8
Shortcut the process - send a previously used password. Then when they ask, "Did you change your password after you sent it?" you can honestly and straightforwardly answer, "No". :-)
– Bob Jarvis
May 14 '15 at 1:58
up vote
4
down vote
I am currently an IT professional in the healthcare industry. I enforce policy that is designed and created by security professionals. These policies are structured on HIPAA. I can retrieve local policy concerning everything in this summary: http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
Some excerpts:
Administrative Safeguards -> Security Personnel. A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.
Technical Safeguards -> Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
Password considerations
Passwords must change periodically. This means physically stored passwords would become obsolete.
Your IT professionals have the ability to manage and audit your password. Individually retrieving passwords is far harder than automating the process via administrative controls.
Policy considerations
Based on HIPAA, you should have an appointed security officer and be trained on basic security controls. This would be the correct person to contact concerning this.
Your IT group and security group should have policies detailing controls placed on passwords. These policies are legal documents.
Privacy / HIPAA considerations
Being able to access a doctor's or nurse's account is a huge problem by itself. Controls must be in place for "Minimum Necessary Requirements". Your CEO or COO should never have access to patient information that they do not require to perform their job duties. Many arguments and excuses could be made for individual situations, but no argument can be made for all-inclusive access to all patients and employees.
Having an employee's password would also allow you to alter a chart inappropriately; this is a HIPAA violation.
Asking for all employees' passwords is not a HIPAA violation due to security auditing concerns. However, storing this information could easily be a violation.
Finally, if a CEO/COO used your account to perform a HIPAA violation, you would be responsible. If you participated in the e-mail, that could be used to mitigate some responsibility. However, you have a responsibility to protect your password; knowingly allowing someone access to your account is just as bad as impersonating someone.
What you should do
Do not provide your password. Review IT policy concerning passwords and access controls. Report the e-mail to your supervisor, appointed security officer, and IT administrator. If management does not respond favorably, your facility might have "anonymous" security hotlines you can complain to. Also, you have the option of complaining via the U.S. Department of Health and Human Services.
Unfortunately, when taking the complaint past your management, you might get suspiciously terminated.
answered May 15 '15 at 22:58
Nathan Goings
up vote
2
down vote
You should not provide your username and password. Reply back explaining that the security policy prevents you from providing that information and that this sounds like a phishing email; CC an internal security team or IT team to make them aware of the email going around.
If it's a legit request and they press the issue further, approach them in person to discuss and explain why you shouldn't. If they still insist, provide it in person and not over email.
We know for sure this email is not a scam; it is a legit email from our HR department. But once something is done in the system we use it is linked to our name forever.
– Melissa
May 13 '15 at 18:53
7
I disagree with your last sentence. If they insist, keep moving up the chain in-house, and if they continue insisting then decide whether you contact HIPAA as mentioned by blankip, resign, or both. Under no circumstances, ever, should you disclose your personal authentication credentials to anyone.
– IllusiveBrian
May 13 '15 at 19:28
1
@Namfuak I'm taking the practical approach. In reality, no one is going to tell the CEO no. And given the choice of keep your job or give us access to your account in our system (nevermind they could change the data behind the scenes all they want to make it look like a person did something), who is going to walk out? The company hadn't done anything illegal; the HIPAA link above doesn't say that an employer can't have access to an employee's password and account.
– UnhandledExcepSean
May 13 '15 at 19:34
answered May 13 '15 at 18:47
UnhandledExcepSean
up vote
2
down vote
Just Say No
HIPAA requires access be limited to those with a need to know. The only way an approved Electronic Health Records system assesses need to know is by who is logged in. HIPAA also requires they log who has accessed electronic records, and who has changed them.
Due to HIPAA and the electronic health records rules, each provider should have a unique identifier, which only that provider can access. This is usually implemented by a combination of an object in hand (ID card or RFID), an item you know (password), and, for verification, an item many people know (account ID). The IT department can easily look up the account ID. The IT department can probably change the password with minimum hassle (but it gets logged in the system), and if they do so to access things improperly, it's much easier to point out that your password was changed by someone else. (When you go to log in, you'll discover your password fails, and have to have IT reset it for you. If that happens, it's a warning sign.)
Per the Department of Health and Human Services' (DHHS) Summary of the HIPAA Security Rule, violations of the security rules are federal crimes. Per the Enforcement Rule page, each unauthorized or illegal access is finable at up to $100, to a maximum of $25,000 per year. If you let someone have your login credentials, and they use them, and it can be tracked back to you, each of you can get hit with the fines. Every record accessed can be fined for each time it's accessed.
No Valid Reason
As noted above, the IT guys, or at least the Electronic Health Records Security Officer, can access your account by use of several methods, but those methods are likely to be logged.
Any legitimate reason to look at records has access already under their own account. Management has no legitimate reason, unless they get approval from the Electronic Health Records Security Officer (EHRSO), and that means they're supposed to have their own log-in.
Physical record of your password for "I forgot" purposes is likewise invalid - the EHRSO can have your password reset. Possibly even IT can reset your password. If you go that route, as soon as possible, you should change your password.
A competent EHRSO can even create a statistical sampling account that shows record numbers but no identification of the patient, so even statistical sampling isn't a valid reason.
Since all your records can be reviewed by the EHRSO, or a person appointed by them, and credentialed with their own login and password, and thus properly logged, reviewing your work is not a valid reason.
Password via email
Sending a password via email is always a bad idea, especially when it allows access which you can be fined for using inappropriately. Never email your password to anyone, including yourself.
Report this to the EHRSO
Your EHR Security Officer may not be in the loop. If they are, then you've got a big problem with the employer. If not, they may be able to gently educate the higher-ups about the situation.
Report to DHHS
If they don't take "no" for an answer, as soon as you're able, contact the Department of Health and Human Services' Office of Civil Rights (DHHS-OCR). Let them know that you have concerns about your log-in credentials being used by your employer to gain unlawful access by management to electronic health records.
This is to do 3 things:
- Protect you from both the employer and the DHHS-OCR
- Protect your patients' civil rights
- Get your employer educated about what they can and cannot do legitimately.
Even if nothing comes of it fine-wise, it gets logged by DHHS-OCR, and future complaints by others will have more ammo. It can take a while.
If you are threatened by your employer, contact your professional licensing division and find out what your state rights and liabilities are. Note also that reporting violations of US Federal regulations is protected under whistleblower laws on the federal level.
Polite but Firm
Remain polite when dealing with the administration. Even if they are asking something illegal, a hostile or vitriolic response may be grounds for termination.
answered May 18 '15 at 6:51
aramis
up vote
1
down vote
A boss "can" do pretty much anything, even if it's illegal. As I see it, the only things a boss can't do are the things his or her employees refuse to comply with.
You can also refuse to do anything your boss asks you to do, independently of whether that request is legal, illegal, reasonable or unreasonable. Your boss's request doesn't have to be illegal or whatever for you to decline to comply.
I get the impression you don't think what your boss is asking you for is okay. If you think it's a bad idea, my advice would be not to do it. Or do it and then immediately start looking for another job.
answered May 13 '15 at 20:26
Jason Swett
12
I am refusing to do so, for my privacy safety and the privacy safety of the clients that I have seen in my office. I have already applied to 4 jobs this week :)
– Melissa
May 13 '15 at 20:40
2
Nice! Good job.
– Jason Swett
May 13 '15 at 22:16
You have no privacy rights on a company-supplied machine, unfortunately. What you do have is company security policy.
– keshlam
May 15 '15 at 13:59
up vote
0
down vote
The company can require full access to anything you do for them or on their equipment. Asking for your personal password is absolutely the wrong way to handle that, though; they should be able to set up an administrative override on any system if that's really what they want.
If they do so, you should cooperate.
If they don't, but there's a legitimate business emergency that requires access when you can't be there, you should find out what company policy is -- who would have to approve it -- and then change your password as soon as you return and/or the crisis is past.
If there isn't a crisis, it can wait until you can get there.
If it's in a gray area between these, get explicit direction from higher management and/or your company's computer security team. Preferably in writing over a signature.
answered May 15 '15 at 1:18
keshlam
1
Any quarter-competent, slightly knowledgeable IT professional should know how to access data from an administrative account if they need to. There should never be a legitimate emergency which requires a user to hand over a password. More often than not a user's password is used for the purposes of auditable events (such as accessing or modifying patient data); in the event that any form of admin override is used, that can also remain auditable. There is no grey area. It's incompetence at best and malice at worst.
– Damian Nikodem
May 15 '15 at 13:29
Incompetence agreed. Odds are that these folks weren't informed enough to arrange for admin access before giving the OP the machine. But short of an emergency, that is what they should be asking for... and in the OP's place, that's what I'd give them, after making sure it was different from my own password and after checking company policy to find out if this individual should have access to my machine at all. Of course the downside of admin access is that one can make a gawdawful mess of the machine if not careful, but that's the responsibility of whoever logs in that way.
– keshlam
May 15 '15 at 13:56
2
It's more about audit logs than anything else, especially if dealing with patient data. Sure, an admin can go in and make a mess, but an admin cannot sign anything as anyone else; that's dangerous, that's really bad. At the end of the day, if something bad happens, such as an alteration of data or a data leak, when the logs get checked and an admin is scattered throughout a number of patient records, that can take personal liability away from the poster; if it's only the poster's name all over the logs, then they have absolutely no recourse. Look up GLP and CFR 21 in regards to digital signatures.
– Damian Nikodem
May 15 '15 at 14:33
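The exchange above turns on one point: an audit log attributes every action to the principal whose credentials authenticated the session, so a break-glass access performed under an admin account stays attributable to the admin, while anything done with a shared password lands on the password's owner. The following Python is an added example, not code from any of the answers or from a real EHR product; the pipe-delimited log format, field names, account names and sample records are all constructed for illustration. It parses a small constructed audit trail, reports who the log holds accountable for each record, separates properly attributed break-glass accesses, and flags the classic shared-credential indicator of one account being active from two workstations within a few minutes.

```python
"""Attribution in an EHR-style audit trail: shared password vs. break-glass access.

Added illustration; the log format, field names, accounts and records below are
constructed and do not come from any real system.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample audit trail. Fields:
# timestamp | authenticated actor | on-behalf-of subject ("-" if none) | workstation | action | record
# Melissa's own account appears on an executive workstation three minutes after
# she used it at her desk: the footprint a handed-over password leaves behind.
SAMPLE_LOG = """\
2015-05-18T09:01:12|melissa|-|WS-07|view|PT-1001
2015-05-18T09:03:40|melissa|-|WS-07|update|PT-1001
2015-05-18T09:04:05|melissa|-|WS-EXEC-01|view|PT-2044
2015-05-18T09:05:30|melissa|-|WS-EXEC-01|view|PT-2045
2015-05-18T11:20:00|dr.jones|-|WS-12|view|PT-3300
2015-05-18T17:30:00|it.admin|melissa|WS-IT-02|view|PT-1001
"""


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    actor: str               # principal whose credentials authenticated the session
    subject: Optional[str]   # account accessed on behalf of (admin / break-glass), else None
    workstation: str
    action: str
    record_id: str


def parse_audit_log(text: str) -> list[AuditEvent]:
    """Parse the constructed pipe-delimited format into AuditEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, subject, ws, action, rec = line.split("|")
        events.append(AuditEvent(datetime.fromisoformat(ts), actor,
                                 None if subject == "-" else subject, ws, action, rec))
    return events


def accountability(events: list[AuditEvent]) -> dict[str, set[str]]:
    """Map each record to the principals the log holds accountable for touching it.

    Accountability follows the authenticated actor, never the subject: the break-glass
    view of PT-1001 lands on it.admin, but every access made with Melissa's shared
    password lands on Melissa, whoever actually sat at the keyboard.
    """
    acc: dict[str, set[str]] = defaultdict(set)
    for e in events:
        acc[e.record_id].add(e.actor)
    return dict(acc)


def break_glass_accesses(events: list[AuditEvent]) -> list[AuditEvent]:
    """Accesses performed under an admin principal on another user's account.

    These are the properly auditable form of 'management needs to get in'."""
    return [e for e in events if e.subject is not None]


def concurrent_workstations(events: list[AuditEvent],
                            window: timedelta = timedelta(minutes=10)) -> list[tuple[str, str, str]]:
    """Flag an actor active from two different workstations within `window`.

    One person cannot be at two desks at once, so this is a shared-credential
    indicator worth reviewing. Returns sorted (actor, workstation_a, workstation_b) triples.
    """
    by_actor: dict[str, list[AuditEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        by_actor[e.actor].append(e)
    findings: set[tuple[str, str, str]] = set()
    for actor, evs in by_actor.items():
        for i, cur in enumerate(evs):
            for prev in evs[:i]:
                if cur.ts - prev.ts <= window and cur.workstation != prev.workstation:
                    findings.add((actor, prev.workstation, cur.workstation))
    return sorted(findings)


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_LOG)
    for rec, who in sorted(accountability(evs).items()):
        print(f"{rec}: accountable -> {sorted(who)}")
    for e in break_glass_accesses(evs):
        print(f"break-glass: {e.actor} accessed {e.record_id} on behalf of {e.subject} (attributable)")
    for actor, a, b in concurrent_workstations(evs):
        print(f"REVIEW: {actor} active from {a} and {b} within 10 minutes (shared credential?)")
```

The detector deliberately keys on the authenticated actor only: the `subject` column never shifts blame, which is exactly why an admin override is the safe way to grant management access and a copied password is not.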
48
related: Our security auditor is an idiot. How do I give him the information he wants?
– gnat
May 14 '15 at 7:27
20
In order to be HIPAA compliant your password would have to be forced to be changed within a certain time period (usually 3 months), so this would render all users' password data in the cabinet useless after this period. You can of course email the password and then change it yourself immediately afterwards!
– Matt Wilko
May 14 '15 at 9:18
3
@gnat Thanks for that link. I just had a good laugh.
– IvanP
May 14 '15 at 11:36
3
@Llopis yup. It means that any entity in the US that deals with other people's health information/records has very, very strict security and privacy laws they need to comply with.
– LindaJeanne
May 15 '15 at 15:07