This RoboForm review has been compiled from the perspective of a HIPAA Covered Entity or Business Associate required to comply with the safeguards of the Security Rule. Consequently, some features mentioned in this review may not be relevant for other, non-regulated businesses.

The HIPAA Security Rule includes a number of safeguards that apply to password managers if they are going to be used to store or share Protected Health Information (PHI). These include access controls, user verification, activity reporting, and automatic logoff. Most vault-based password managers include these capabilities in their business subscription plans – including RoboForm. However, most vendors of vault-based password managers will not, or decline to say whether they will, enter into a Business Associate Agreement – a requirement of HIPAA even when the vendor cannot view any PHI because it is encrypted and the vendor does not hold the decryption key. RoboForm falls into the "decline to say" category, so it is safe to assume they won't. Therefore, if a business were to deploy RoboForm in a health care environment, it would not be able to store PHI on the platform or use it to share health information – even via the secure messaging feature. However, if the business does not use the platform for storing or sharing PHI, RoboForm can be a cost-effective way to enhance the security of online accounts.

RoboForm is a vault-based password manager. This means that rather than browser-based password managers (e.g., Chrome) that only save passwords in one browser brand, or operating system-based password managers (e.g., Apple Keychain) that only save passwords in one OS type, users can access passwords from any Internet-connected device regardless of the browser or operating system. This has advantages for businesses inasmuch as passwords for corporate accounts can be shared securely among teams across all devices without businesses having to consider who is using which browser or what type of device. It also supports the use of unique complex passwords for each account to mitigate the risk of a data breach attributable to a brute force attack.

With regards to administering users and complying with the Security Rule safeguards, the RoboForm business plan includes a series of features that simplify corporate password management. These include (but are not limited to) Role-Based Access Controls, Active Directory integration, password audits (*), and advanced reporting capabilities that satisfy the requirements for activity reporting.

(*) HIPAA does not stipulate minimum password strengths, but it is in a business's best interests to enforce policies requiring passwords to be of a minimum length and complexity. You can find more best practices for HIPAA passwords in this article.

Hello Larry, thank you for providing this feedback. We do ask that users type in their Master Password once every 30 days. Entering it periodically has been found to reduce a much greater inconvenience: not being able to recall the Master Password and therefore losing access to their RoboForm data altogether. One of the reasons that RoboForm is so secure is because we do not have the key to your data, aka your Master Password. As such, were you to be unable to recall your Master Password, we would have no way to get you back into your account without it. We have found that folks get very distressed when this occurs to them, and so we do want to try and minimize such occurrences. As far as the frequency of updates, RoboForm is actively updated and developed with new features and improvements. We generally try to keep updates to about once a month.
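The review mentions password audits and recommends enforcing a minimum length and complexity policy, plus unique passwords per account. The following is an added illustration of what such an audit checks, written for this page and not RoboForm's own code; the policy thresholds (12 characters, three of four character classes) and the sample vault contents are constructed assumptions, since HIPAA itself sets no minimums.

```python
"""Password-vault audit example (added illustration, not RoboForm's code).

Checks each stored credential against a constructed minimum-length/complexity
policy and flags passwords reused across accounts, two of the checks a
"password audit" feature is expected to perform.
"""
import hashlib
import re
from collections import defaultdict

# Constructed policy values; HIPAA stipulates no minimum password strength.
MIN_LENGTH = 12
REQUIRED_CLASSES = 3  # of: lowercase, uppercase, digit, symbol

CLASS_PATTERNS = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def complexity_issues(password: str) -> list:
    """Return policy violations for one password (empty list = compliant)."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(1 for p in CLASS_PATTERNS.values() if p.search(password))
    if classes < REQUIRED_CLASSES:
        issues.append(f"only {classes} of {REQUIRED_CLASSES} required character classes")
    return issues


def audit_vault(entries: dict) -> dict:
    """Audit {account: password}; return {account: [issues]} for non-compliant accounts.

    Reuse is detected by grouping SHA-256 digests of the passwords, so the
    report contains account names only and no plaintext is written out.
    """
    digests = {acct: hashlib.sha256(pw.encode()).hexdigest() for acct, pw in entries.items()}
    by_digest = defaultdict(list)
    for acct, digest in digests.items():
        by_digest[digest].append(acct)

    report = {}
    for acct, pw in entries.items():
        issues = complexity_issues(pw)
        peers = sorted(a for a in by_digest[digests[acct]] if a != acct)
        if peers:
            issues.append("reused on: " + ", ".join(peers))
        if issues:
            report[acct] = issues
    return report


# Constructed sample vault contents for demonstration only.
SAMPLE_VAULT = {
    "ehr-portal": "Summer2023",              # too short; reused below
    "billing-system": "Summer2023",          # same password as ehr-portal
    "vpn": "correct-horse-battery-staple",   # long, but only two character classes
    "email": "Q7#vLm2!pRz9wXe",              # compliant
}

if __name__ == "__main__":
    for account, issues in audit_vault(SAMPLE_VAULT).items():
        print(f"{account}: " + "; ".join(issues))
```

Running the block prints one line per non-compliant account; the compliant `email` entry produces no output. Replace `SAMPLE_VAULT` with a dictionary built from an exported credential list to run the same checks against real data.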