Should I provide a list of my usernames, passwords and websites I visit?
Imagine you receive an email asking you to please share your usernames, passwords and sites you frequently visit. The email includes a list that appears to be from a workforce member in your organization. Do you:
- Provide the information; it might be necessary for documentation and inventory purposes
- Ignore the email; it was probably intended for someone else in your organization
- Immediately inform a member of your information technology or management team
- None of the above
Before we answer the question, let's take a look at what the law states.
Under the HIPAA Security Rule, Unique User Identification requires a covered entity to "assign a unique name and/or number for identifying and tracking user identity;" however, it does not suggest tracking passwords.
Password Management is an addressable implementation specification that requires covered entities to address and implement "procedures for creating, changing, and safeguarding passwords." According to guidance provided by HHS, there are questions covered entities should consider, including:
- Are there policies in place that prevent workforce members from sharing passwords with others?
- Is the workforce advised to commit their passwords to memory?
- Are common sense precautions taken, such as not writing passwords down and leaving them in areas that are visible or accessible to others?
So should you provide the information?
If you receive an email asking you to provide a list of your usernames, passwords and websites you visit, you should immediately inform a member of your information technology or management team. Requests such as these may be an attempt by a cybercriminal to access individually identifiable information and/or protected health information, ultimately leading to a breach.
Whatever you do, do not share your passwords with anyone! While it is acceptable to track user activity based on your unique user identification, there should never be a reason to provide your password(s) to anyone within your organization.
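The reason no one in your organization ever needs your password is that a properly built system never stores it: it keeps only a salted hash, verifies logins against that hash, and records activity under your unique user identification. The following is an added example written for this article (not code from the original or from HHS) that shows those two points together; the user ids, passwords, work factor and log format are constructed for illustration.

```python
# Added example (not part of the original article): a system stores only a
# salted password hash and tracks activity by unique user id, so it never
# needs the password itself. User ids, passwords and log format are constructed.
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (constructed value)


def hash_password(password, salt=None):
    """Return (salt, hash). Only these two values are stored; the password is not."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, stored):
    """Recompute the hash and compare in constant time (no timing leak)."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


class Directory:
    """Minimal user directory: unique user id -> (salt, hash), plus an activity log."""

    def __init__(self):
        self._creds = {}
        self.activity = []  # (user_id, action) records; passwords never appear here

    def enroll(self, user_id, password):
        # Unique User Identification: one id per workforce member, never reused.
        if user_id in self._creds:
            raise ValueError("user id must be unique")
        self._creds[user_id] = hash_password(password)

    def login(self, user_id, password):
        rec = self._creds.get(user_id)
        ok = rec is not None and verify_password(password, *rec)
        # Activity is tracked by user id alone, which is all auditing needs.
        self.activity.append((user_id, "login_ok" if ok else "login_failed"))
        return ok

    def change_password(self, user_id, old, new):
        # "Changing" procedure: the user proves the old password, then a new
        # salt and hash replace the stored record; nobody else sees either value.
        if not self.login(user_id, old):
            return False
        self._creds[user_id] = hash_password(new)
        self.activity.append((user_id, "password_changed"))
        return True

    def stored_record(self, user_id):
        """What the system actually holds for a user: salt and hash only."""
        return self._creds[user_id]


if __name__ == "__main__":
    d = Directory()
    d.enroll("u1001", "correct horse battery")     # constructed sample user
    print("login ok:", d.login("u1001", "correct horse battery"))
    print("wrong password:", d.login("u1001", "guess"))
    print("stored record:", d.stored_record("u1001"))
    print("activity:", d.activity)
```

Because the directory holds only a salt and a hash, an administrator who needs to audit what a user did looks at the activity log keyed by user id, and a user who suspects exposure simply calls the change routine; at no point does anyone have a legitimate reason to ask for the password in plain text.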
You should ensure your password is confidential, and you should know how to properly safeguard it. If you have any reason to believe that someone knows your password, change it immediately.