'Implementing HIPAA,' redefined

Large urban teaching hospital is in the process of implementing HIPAA security regulations, and this sysadmin pilot fish is hired to help things along.

"One of the things HIPAA requires is that each user have a separate account and password, in order to be able to provide a complete audit trail," says fish. "Another is that these passwords be sufficiently difficult to guess that they aren't easy to crack, and that they be changed frequently.

"But in one of the key clinical areas of the hospital, not only do all users share the same account, but the password they share has not been changed for years."

The unit's director doesn't want to be bothered with password resets, and adamantly refuses to change the password policy -- despite the strong institutional support for HIPAA and the financial disincentives for non-compliance.

Fish reports the problem to his boss, who suggests that the director might agree to at least change the password every time there's a personnel change. That sounds reasonable -- but the director still resists.

OK, fish proposes, can we at least change the password from "abc123" to something harder to guess? Fish even finds a magazine article listing the ten most frequently used passwords. At the top: abc123.

Director counters that only technical people read that magazine, and most people wouldn't know that's an easy password to guess.

With the HIPAA deadline getting nearer, fish is getting nervous. Although he has carefully documented all his attempts to get full compliance, he still feels like he's standing too close to what will happen when the auditors start checking for compliance.

In a last-ditch effort, he finds another large ad in a mainstream publication that shows someone holding up an automobile license plate. The number on the plate: ABC 123.

"I was told not to show the ad to the director, as it might just upset her," fish says. "The system went live with HIPAA, still using the one very-long-in-the-tooth-and-easy-to-guess password.

"I decided to return to my earlier career as a consultant. I figured otherwise it would have been my system that hadn't met requirements for password policies.

"I never did find out what the final outcome was -- and resisted the temptation to try dialing into the system."

Feed the Shark! Send me your true tale of IT life at sharky@computerworld.com. You'll score a sharp Shark shirt if I use it. Add your comments below, and read some great old tales in the Sharkives.

Get your daily dose of out-takes from the IT Theater of the Absurd delivered directly to your Inbox. Subscribe now to the Daily Shark Newsletter.
