Password Must Be Changed At First Login

Silect.Security.Conformance.Monitor.PasswordMustBeChangedAtFirstLogin (UnitMonitor)

Whether users are required to change their password during their first login

Knowledge Base article:

Summary

Things to Consider to Help Answer the Question:

Consider whether your practice's awareness and training educates its workforce about:

- How to select a password of suitable strength

- How to change a password

- The frequency with which a password should be changed

- The importance of not divulging or sharing passwords with others

- How to safeguard a password.

Possible Threats and Vulnerabilities:

Your practice may not be able to safeguard its ePHI if it does not have policies and procedures explaining how to create, change, and protect passwords, if its workforce is not aware of those policies and procedures, or if it does not include password management as part of its awareness and training programs.

Some potential impacts include:

- Unauthorized or inappropriate access to ePHI can compromise the confidentiality, integrity, and availability of your practice's ePHI.

- Unauthorized disclosure, loss, or theft of ePHI can lead to medical identity theft.

- Accurate ePHI may not be available when needed, which can adversely impact your healthcare professionals' ability to diagnose and treat their patients.

Examples of Safeguards:

The following are some potential safeguards to use against possible threats/vulnerabilities. NOTE: The safeguards you choose will depend on the degree of risk (likelihood) and the potential harm that the threat/vulnerability poses to you and the individuals who are the subjects of the ePHI.

Procedures for creating, changing, and safeguarding passwords.

[45 CFR §164.308(a)(5)(ii)(D)]

Develop, document, and disseminate to workforce members an access control policy that addresses purpose, scope, roles, responsibilities, management commitment, the expected coordination among organizational entities, and compliance requirements. This policy should include procedures to facilitate its implementation and the associated access controls.

[NIST SP 800-53 AC-1]

Develop, document, and disseminate to workforce members an identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.

[NIST SP 800-53 IA-1]

Configuration

In order to be considered compliant, all accounts that have never been logged into must be required to change their password during the first login.
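The page does not show how the management pack computes the PasswordMustBeChangedAtFirstLoginCompliant property, so the following is an added example rather than Silect's own code. It evaluates the same condition on a Windows machine: every enabled local account that has never logged on must carry the "User must change password at next logon" flag. It assumes the Microsoft.PowerShell.LocalAccounts module (Get-LocalUser, Windows PowerShell 5.1 or later on Windows) and reads the flag through the WinNT ADSI provider's PasswordExpired property, which Windows sets to 1 when that checkbox is enabled. The function name and the output object's shape are this example's own choices.

```powershell
# Added example, not part of the Silect management pack.
# Evaluates whether all enabled local accounts that have never logged on are
# flagged "User must change password at next logon".
function Test-PasswordMustBeChangedAtFirstLogin {
    [CmdletBinding()]
    param()

    $nonCompliant = @()

    # Only enabled accounts matter: a disabled account cannot log on at all.
    # Get-LocalUser reports LastLogon as $null for accounts that have never logged on.
    $neverLoggedOn = Get-LocalUser | Where-Object { $_.Enabled -and ($null -eq $_.LastLogon) }

    foreach ($user in $neverLoggedOn) {
        # The WinNT provider exposes "must change password at next logon" as PasswordExpired = 1.
        $adsiUser   = [ADSI]"WinNT://$env:COMPUTERNAME/$($user.Name),user"
        $mustChange = ([int]$adsiUser.PasswordExpired.Value) -eq 1

        if (-not $mustChange) {
            $nonCompliant += $user.Name
        }
    }

    # Mirror the monitor's contract: a single "True"/"False" string that is compared
    # against "True", plus the evidence an operator needs in order to remediate.
    $compliant = if ($nonCompliant.Count -eq 0) { 'True' } else { 'False' }

    [PSCustomObject]@{
        ComputerName                               = $env:COMPUTERNAME
        PasswordMustBeChangedAtFirstLoginCompliant = $compliant
        AccountsNeverLoggedOn                      = @($neverLoggedOn | ForEach-Object { $_.Name })
        NonCompliantAccounts                       = $nonCompliant
    }
}

# Usage: run in an elevated PowerShell session on the computer being assessed.
Test-PasswordMustBeChangedAtFirstLogin | Format-List
```

A result of 'False' lists the accounts to fix; setting the flag on an account is the ordinary Local Users and Groups checkbox, and re-running the function confirms the monitor's "StringsAreEqual" condition would then hold. Domain accounts are out of scope here, matching the monitor's Computer target.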

Element properties:

Target: Silect.Security.Conformance.Computer
Parent Monitor: Silect.Security.Conformance.Summary.Aggregate.Configuration
Category: ConfigurationHealth
Enabled: True
Alert Generate: False
Alert Auto Resolve: False
Monitor Type: Silect.Security.Conformance.Strings.Are.Equal
Remotable: True
Accessibility: Public
Run As: Default

Source Code:

<UnitMonitor ID="Silect.Security.Conformance.Monitor.PasswordMustBeChangedAtFirstLogin" Accessibility="Public" Enabled="true" Target="Silect.Security.Conformance.Computer" ParentMonitorID="Silect.Security.Conformance.Summary.Aggregate.Configuration" Remotable="true" Priority="Normal" TypeID="Silect.Security.Conformance.Strings.Are.Equal" ConfirmDelivery="false">
  <Category>ConfigurationHealth</Category>
  <OperationalStates>
    <OperationalState ID="Success" MonitorTypeStateID="StringsAreEqual" HealthState="Success"/>
    <OperationalState ID="Error" MonitorTypeStateID="StringsAreNotEqual" HealthState="Warning"/>
  </OperationalStates>
  <Configuration>
    <StringOne>$Target/Property[Type="Silect.Security.Conformance.Computer"]/PasswordMustBeChangedAtFirstLoginCompliant$</StringOne>
    <StringTwo>True</StringTwo>
  </Configuration>
</UnitMonitor>