Another in our series of #TIPS intended to keep your data secure and help you manage fraud, embezzlement, waste, and abuse in your practice.
“Passwords — Use them like a toothbrush. Change them often and don’t share them with friends.”**
Clifford Stoll – American astronomer, author and teacher.
**Printed in the Proceedings of the Unix Security II Workshop, August 1990, Portland, Oregon
Password Cyber Hygiene
It takes dozens of passwords to run a practice. You use them to:
- Log in to your computer
- Log in to your Practice Software
- Check Email
- Order supplies
- Check insurance claims
- Do Online Banking
- ...and more.
General Guidelines for Passwords
A “good” password is:
- private: used by one person – never shared
- secret: not recorded in a Word or text file – or written on a piece of paper pinned to the monitor
- at least 8 characters long, using upper case letters, lower case letters, digits and symbols
- not a common phrase – “tooth1234” is not a secure password.
At a minimum:
- ensure that all employees have a unique username and password.
- make sure User Access control is properly defined and configured in your software.
- the practice owner (and IT company) should be the only persons with “administrative” access.
- create a “computer use policy” and “business code of conduct policy”
Passwords in your Practice Management Software
All currently supported practice management software programs have some form of “security” and “access control”.
Security is what keeps unauthorized people out of your software.
Access Control places restrictions on what people can and cannot do when using the software. For example, access control can prevent a chairside dental assistant from accessing your financial or audit-log reports.
“If you have never read the section on security and access control in your practice management software manual, do your dental practice a favor and read it today.”
William Hiltz BSc MBA CET
Ensure that your practice management software is configured so that each employee has their own unique username and password.
NEVER set up usernames like FRONT or OP1 that may be shared based on job function.
Every employee must have their own unique username. When an employee leaves the practice, set their username to inactive in your software.
Ensure employees use reasonably complex passwords. A password such as “tooth” or “smile” is a poor choice.
Since employees may frequently log in and out of various computer stations during the day, I recommend they use a password that is easy to enter on the keyboard (efficient and fast).
This means a password like @1?9@HKJdBojh%&* is a poor choice for accessing your practice management software. It does make for a good email password though. 😊 An easy-to-guess password like 1234 is a poor choice as well.
Instruct employees to NEVER share passwords with anyone and to change their passwords every 6 months.
Ensure that each username is configured for access control. Your software probably already has a few predefined access control levels for different job functions, such as: “front desk”, “chairside”, “coordinator”, “manager” and so on.
The basic principle is that employees should only be permitted to access the software functions required for them to do their job – and no more. Again, the dentist or practice owner should be the only person with “administrator” level access in the Practice Management Software.
If you have questions about usernames, passwords and access control for your software, the first step is to read the relevant section in the software manual – it will help. If you need more help, contact your software vendor. They can set things up properly – after all, they designed the software you are using.
In conjunction with this, you should create and implement a “computer use policy” and “business code of conduct”.
I have provided a couple of examples you can download to use as a starting point. (They are in PDF format.)
PLEASE, don’t copy and paste the documents into your practice manual.
These documents should be thoughtfully tailored for your practice.
If you have questions, please feel free to contact me.