BOSTON, MA – Reflecting what is soon-to-be standard practice at all health care systems across the country, the Information Technology Department at Massachusetts Lieutenant General Hospital (MLGH) requires that anyone accessing the electronic medical record (EMR) have a password that is at least 500-characters long effective today.
“The requirement illustrates our shared concern over patient privacy and HIPAA, especially in our current climate,” explained MLGH information technologist Catherine Spiller, who has been actively entering her passcode for the past 15 minutes. HIPAA refers to the Health Insurance Portability and Accountability Act of 1996. “Eight to 12 characters isn’t enough; 500 characters is the way to go.”
In addition to choosing a 500-character password, Spiller and her IT team also require the password to be as strong as possible by containing the following characters: at least 185 lowercase letters, at least 211 uppercase letters, 1 punctuation, 7-to-9 numbers (no repeats), 3-to-23 underscores, 1-to-6 dashes, 1 hieroglyphic, at least 4 letters of the Greek alphabet, at least 3 emojis, the name of one living grandparent in caps lock, and the trade name of an ACEI inhibitor.
This development is the latest of a series of enhanced security features seen across this country’s healthcare information technology landscape over the past few years. Though the 500-character-long password is new and anticipated to be effective, the recent security enhancements of changing your password every 20 minutes or the computer exploding if you guess your password incorrectly two consecutive times still apply.
“We do not anticipate any impact on the work flow of healthcare professionals,” added Spiller, still typing in her password and hoping she gets it right on the first go.
“That’s my fault,” she laughed, holding down the backspace key for the next 5 minutes. “I totally forgot to capitalize the 83rd H.”
IT also expects to release a fleet of new “extra sticky” keyboards to help facilitate security access.