Features Navigation

Live Chat (800) 825-0224 Live Demo

← Back

New Password Security Guidelines Released

Disclaimer: This blog article was written by an AdvancedMD partner. The views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the official policy or position of AdvancedMD.

National Institute of Standards and Technology (NIST) released NIST Special Publication 800-63B Digital Identity Guidelines. The new guidelines represent some significant changes to password management. There are three significant changes.

1: Remove Periodic Password Change Requirements

The thought behind the requirement to implement frequent password changes is that this would increase the security of passwords. This does not really work due to how most people change their passwords. For example, if your current Password is PASSWORD when a user is required to change their password the user usually would change it to PASSWORD1, and the next time they need to change the password, it becomes PASSWORD2.

Changes to the password of this nature do not really improve security, so NIST has removed the recommendation that systems require periodic password changes. These changes only create busy work for users and do not improve security of the passwords.

2: Require Length and Remove Password Complexity

The thought was that requiring Uppercase letters, Lowercase letters, numbers, and symbols increased the complexity of a password and made it more difficult to break the password.

Passwords that had these requirements resulted in user frustration and caused users to select predictable patterns that worked against security. Research determined that, when a capital letter was required in an extremely high number of cases, that character will be the first character for a human derived password. If symbols or numbers are required, those will tend to be appended to the end of a password merely to satisfy the requirement.

A password that is 12 characters long that does not require this combination of characters is more complex than an 8-character password that requires the combination of characters. Therefore, a password that is 12 characters long is simply more secure.

3: Implement Screening of New Passwords

We have always verbally told people not to use dictionary words, names, birthdates, or repeating characters. This is still true, NIST now recommends that software implement tools that screen passwords for these patterns and to not allow users to select passwords that have these features that can compromise the security of the passwords.

TLD Systems has one more recommendation that is not part of the NIST Guidelines. You should monitor your account for data breaches. In the past week data breaches were announced by both Facebook and LinkedIn. If you learn of a data breach that involves an account of yours, then you should change your password immediately. TLD Systems is in the process of implementing changes to its system to reflect the new guidelines.

Should you have any questions about password security please feel free to reach out to TLD Systems via phone at (631) 403 6687, via email [email protected], or visit tldsystems.com.

Michael Brody, DPM
Dr Brody has been actively involved in Computers and Medicine since the 1980’s. Dr Brody as a Residency Director at a VA hospital on Long Island and was present as the VA moved from paper records to computerized records. During this time, he was exposed to the stringent rules and regulations that government employees need to adhere to when protecting patient information. He co-founded TLD Systems with Warren Melnick to create a platform that doctors who wish to work in private practice have a cost-effective method of implementing HIPAA compliance in their practices in a manner that does not interfere with their ability to practice medicine. He has served on the Health Information Technology Standards Panel (HITSP), the Standards and Interoperability Framework (S&I), as a member of the Ambulatory Care Committee at the Certification Commission on Health Information Technology (CCHIT), and numerous other organizations. He is currently a member of the Physicians Committee at the Healthcare Information and Management Systems Society (HIMSS) and a co-Chair of the EHR workgroup at Health Level Seven International (HL7)


Other Resources Related to This Topic

No results found

“The money I have invested in AdvancedMD is miniscule compared to the return. I have never been more efficient – ever – in my professional life as I am now.”

Jed Shay, MD
The Pain Care Center

Read the story  ›

“[Our] patients are very well-educated and well-informed, and they want to see results quickly. The practice has to run extremely efficiently and be accessible to them. The nice thing about [AdvancedMD] is it has allowed me to be more efficient both in and out of the office. Now I don’t have to come back into the office, which is great for my family and everything else. It saves me a lot of time – probably an hour a day on the three days I work in the second office.”

Keith Berkowitz, MD
Center for Balanced Health

Read the story  ›

“The best thing I ever did in private practice was getting AdvancedMD—it has liberated me.”

Estaban Lavato, MD
La Loma Medical Center

“Having integrated practice management and EHR is absolutely wonderful, you don’t have to flip back and forth between systems—all of your information is at hand when needed.”

Raju Raval, MD

Read the story  ›