Protecting User Accounts Policy
Purpose
Based on mature practices and standards, TherapyAppointment’s policy to protect user accounts represents minimum standards and guidelines for the application user. The policy and standards aim to provide a balance of usability and security, though they are not without practical limits. Account and device security has never been bulletproof. Users should apply these minimum standards, evaluate their own risk, and incorporate the additional recommendations as appropriate for their environment.
Account security standards are important aspects of your risk management process and part of your shared responsibility as a user of the TherapyAppointment application. A poorly chosen or protected password or weak device security may result in unauthorized access and/or exploitation of your client information, patient PHI, and/or TherapyAppointment’s resources. All TherapyAppointment account holders are responsible for taking the appropriate steps, as outlined below, to secure their application passwords, devices, and accounts and take steps to protect the sensitive data in their care.
Scope
This policy applies to all TherapyAppointment users, including business customers and patients who use TherapyAppointment through this affiliation in order to schedule appointments or communicate with clinicians.
Definitions
- Sensitive Information: Data should be classified as sensitive when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk and/or violate any aspect of HIPAA, PCI, or other applicable regulations or standards. This includes data that is considered protected. Data protected by regulatory requirements is defined and enforced by state and federal governing bodies or through contractual obligation to other legal entities. This category is further sub-classified as protected health information (PHI), personally identifiable information (PII), cardholder data, and third-party trade secrets. It also includes data protected by confidentiality agreements and data considered proprietary, i.e., internally generated data or documents that contain technical or other types of information controlled by a legal entity to safeguard its competitive edge. Proprietary data may be protected under copyright, patent, or trade secret laws.
- Protected Health Information (PHI): any individually identifiable health information that is held, transmitted, or maintained by you (the covered entity) and your business associates, regardless of its form or medium (paper or electronic). This designation applies to any information that is created or received in the treatment process. HIPAA defines 18 specific identifiers and a general catch-all category; any one identifier present is enough to designate information as PHI and protected.
- Personally Identifiable Information (PII): set of data that could be used to distinguish or trace a specific individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.
- Cardholder Data: includes any personally identifiable information associated with a cardholder. As defined by the PCI Security Standards Council, all of the following elements are considered cardholder data: the primary account number (PAN), cardholder name, expiration date, service code, magnetic stripe data, PIN, and card verification code.
Shared Responsibility
When using a third-party system such as the TherapyAppointment application to manage, store, create, or transmit sensitive information such as PHI, PII, and cardholder data for your organization, you create a relationship, governed by a Business Associate Agreement and a Terms of Service, that is built upon the principle of shared responsibility when it comes to the protection of the data and systems used in that relationship. Each party has a responsibility to protect data and the use of the TherapyAppointment system on their respective ends.
The information below provides ways that you can engage in protecting your sensitive data as a part of your shared responsibility and in your general practices as a Covered Entity under HIPAA.
Policy
1.1 - User Accounts
- Every user that accesses TherapyAppointment in association with your practice must be provisioned with a unique user account that identifies the individual within the application.
- Sharing login credentials and using shared generic user accounts are violations of the Terms of Service (TOS) and Business Associate Agreement (BAA). Each user of the TherapyAppointment system must have separate and unique access credentials.
- Accounts that are reassigned from one user to another within a given role are counted as generic user accounts and a violation of the TherapyAppointment TOS and BAA.
- Customers are required to provide a unique email address to which they have ongoing private access. This email address is used as a means of communication if they fail to respond to other attempts at communication, such as system messages advising of a possible suspension of account privileges.
- Upon termination of a staff member or clinician within the practice, access to that account and all data contained therein must be terminated immediately.
- In the event that emergency access is required to a clinician’s account within the practice, a Practice Owner or other designated individual may be permitted temporary access to facilitate transition of records and to view recent messages from clients. Before such access is granted, the Practice Owner must assert in writing that they (or the corporate entity that they represent) are the legal owners of these records and verify that they are entitled under law to retain access to them.
- The designated individual must also be a subscribed user of TherapyAppointment with an active user account.
1.2 - How to Comply
- Verify that each workforce member has their own account, which is set up under their real identity and linked to the individual’s workforce email account.
- If a clinical or administrative staff member leaves your employment:
  - Terminate their access to their account immediately.
  - Establish a new account (with a new username and password) for their replacement.
2.1 - Password Strength and Hygiene
- TherapyAppointment requires that your user passwords are composed of at least 12 characters.
- Passwords must contain at least one uppercase letter, one lowercase letter, and one number.
- Passwords should not be based on simple or predictable patterns or values.
- Do not recycle passwords that you have used in the past for TherapyAppointment or any other applications.
- Do not disclose your user password to any other party, including colleagues, Practice Owners, or TherapyAppointment staff.
- Do not use a user password that is already known, or likely to be known, by another party.
- Do not transmit your password in email, text message, or other such communication mediums.
- Do not store unprotected copies of your password in digital or physical form.
- Any application user who suspects that their password may have been compromised must report the incident to support@therapyappointment.com and change their password immediately.
- Clinical customers are permitted to reset forgotten passwords using the password reset functionality built into the login form or by contacting TherapyAppointment customer support.
- Clients can reset their own passwords using the functionality within the application.
- If needed, providers can also facilitate a client password change and/or deny their clients access to that account.
- If multi-factor authentication is not enforced for the practice and you accept payment via credit card, you must require all workforce members to change their application password at least once every 90 days.
  - Note: This is a requirement for organizations required to comply with PCI 8.3.10.1.
2.2 - How to Comply
- Never share or publish your password. Never disclose your password to any party, known or unknown.
- To reset a password in the application, select the client and then select “reset password” to prompt the password change.
- Choose a password you have not used before (for any purpose) to protect your TherapyAppointment account.
- The TherapyAppointment application enforces a restriction that prohibits the use of any password used in the previous 4 generations for all users.
- Avoid using predictable patterns as the basis for your password. Do not base your password directly on a word, phrase, proper name, date, or sequence of characters appearing on a keyboard or keypad.
- Avoid storing physical copies of your password, and always protect physical copies as though they are PHI.
- Always protect electronic copies of your password as though they are PHI or other protected information.
- Advise patients about the risks of sharing accounts where PHI is sent/received and the need to select strong passwords.
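The rules in sections 2.1 and 2.2 (12+ characters, at least one uppercase letter, one lowercase letter and one digit, no keyboard or sequential patterns, and no reuse of any of the previous 4 password generations) can be expressed as a single policy check. The following is an added illustration written for this page, not TherapyAppointment's own code; the keyboard-row list and the choice to keep password history as salted scrypt hashes are assumptions made for the example, since the page does not describe how the application stores history.

```python
"""Password policy check modelled on sections 2.1 and 2.2 of the
account-protection policy. Added example, not the application's code.
History entries are (salt, scrypt hash) pairs so that old passwords are
never stored in clear (an assumption made for this illustration)."""
import hashlib
import os
import re

MIN_LENGTH = 12            # section 2.1: at least 12 characters
HISTORY_GENERATIONS = 4    # section 2.2: no reuse within the previous 4 generations

# Constructed list of predictable runs (keyboard rows, digits, alphabet) used
# to catch "sequence of characters appearing on a keyboard" (section 2.2).
KEYBOARD_RUNS = (
    "qwertyuiop", "asdfghjkl", "zxcvbnm",
    "1234567890", "abcdefghijklmnopqrstuvwxyz",
)


def _hash(password, salt):
    """Salted scrypt digest; parameters are modest so the example runs quickly."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 13, r=8, p=1, dklen=32)


def contains_keyboard_run(password, run_len=4):
    """True if any run_len-character slice of the password is a forward or
    backward slice of a keyboard row, the digit row, or the alphabet."""
    p = password.lower()
    for i in range(len(p) - run_len + 1):
        chunk = p[i:i + run_len]
        for run in KEYBOARD_RUNS:
            if chunk in run or chunk in run[::-1]:
                return True
    return False


def check_password(password, history):
    """Return the list of policy violations (empty list means acceptable).
    `history` holds (salt, digest) pairs of past passwords, most recent first."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if contains_keyboard_run(password):
        problems.append("contains a keyboard or sequential pattern")
    for salt, digest in history[:HISTORY_GENERATIONS]:
        if _hash(password, salt) == digest:
            problems.append(f"reused within the last {HISTORY_GENERATIONS} generations")
            break
    return problems


def record_password(password, history):
    """Prepend a fresh (salt, digest) entry after a successful change, keeping
    only as many generations as the policy needs to enforce."""
    salt = os.urandom(16)
    return [(salt, _hash(password, salt))] + history[:HISTORY_GENERATIONS - 1]


if __name__ == "__main__":
    hist = record_password("Correct-Horse9Battery", [])
    for candidate in ("password1234", "Short1", "Correct-Horse9Battery", "Blue7Lantern-Oak"):
        print(candidate, "->", check_password(candidate, hist) or "OK")
```

The history check compares the candidate against each stored generation using that generation's own salt, so the application never needs the old passwords themselves; after four successful changes the oldest entry drops off and the original password becomes usable again, which is exactly the 4-generation window the policy describes.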
2.3 - Recommendations
- Use a tool, like a password manager, that helps you generate complex and unique passwords for every site or application with which you hold a user account.
- Only use password managers that protect your secrets with strong encryption and additional layers of security.
- Let the password management tool do the work and generate the strongest password the site will allow.
- Turn off the default “save password” features of your web browser, e.g., Chrome or Microsoft Edge.
- If you choose to create your own passwords, remember that length is one of the best predictors of a strong password. Choose passwords consisting of 12 or more characters.
- Word-based passphrases can provide good protection if they are made up of random and unrelated words. A passphrase consisting of 5 or more words is desirable.
- Change your password periodically and according to organizational requirements but not so often that you are tempted to select a predictable and weak password. Changing passwords only when you think they may have been compromised may be acceptable for strong, unique passwords that aren’t used across multiple applications.
- Maintain the security of your account by changing your password in response to security-related incidents, including:
  - Physical intrusion or theft
  - Malware infections
  - Unauthorized access to your email account or other sensitive accounts
  - Detection of hacking-related activity
  - Accidental disclosures
3.1 - Authentication Security
- Encourage the use of multi-factor authentication for your organization.
- Regularly review the log of login events for your account to identify anomalies or suspicious activity.
3.2 - How to Comply
- Require the use of multi-factor authentication for the TherapyAppointment application in your Settings.
- Regularly review your login history within the TherapyAppointment application and establish criteria for reporting within your organization when activity is anomalous.
3.3 - Recommendations
- Require the use of multi-factor authentication for all applications used within the organization, whenever possible.
4.1 - Protect Your Environment
- Maintain the security and compliance of your computing environment. These tasks are the responsibility of each business customer or other user, as are incidents caused by weaknesses in your practice’s computing environment and processes.
- Do not use TherapyAppointment from devices that are suspected to be infected or hacked. Neither should you access your account from a device that is missing critical software and security updates within the operating system or browser environment.
- Do not use untrusted Wi-Fi networks when accessing the TherapyAppointment application or any data that may contain PHI or other types of personal information. Use your phone’s hotspot if you must access data in a public place, but avoid this entirely if at all possible.
4.2 - How to Comply
- Regularly install software updates for your computer operating system, web browser, and other applications to ensure that you have the latest security patches.
- Turn on a time-based lock on your device.
- Set all workstations to lock within 10 minutes of inactivity.
- Set all mobile devices to lock within 5 minutes of inactivity.
- Contact customer support to report if you suspect your password or system might have been compromised.
- Run a regular malware scan on your computer, using a third-party scanner if needed.
- Seek professional guidance to recover devices that have been infected with malware or compromised successfully by hackers.
- In Settings, enforce a lock-out for workforce members in your practice who have not logged into the application for 90 or more days.
4.3 - Recommendations
- Configure the TherapyAppointment application to log all users for your organization out of the application after a defined period of inactivity in your “Settings.”
  - Note: The TherapyAppointment application will automatically log you out each day when your active session expires.
- Limit how many devices or distinct browsers a single user may be logged in with at the same time in Settings.
5.1 - Additional Security Guidance for Covered Entities
- Covered Entities should review their own responsibilities under HIPAA/HITECH and related rules. The compliance activities and safeguards undertaken by TherapyAppointment do not alleviate a customer’s own responsibilities.
- Protect your DNS domains associated with your practice.
  - Choose a good domain registrar company (one that offers 2FA, DNS management, and technical support).
  - Enable two-factor authentication.
  - Enable domain locking.
  - Enable WHOIS protection.
  - Use a strong password.
  - Keep your domain contact details updated.
  - Be suspicious of any emails requesting domain registrar details.
  - Keep domain hosting and domain registration on separate accounts at separate companies.
- Secure your network connections. Even though TherapyAppointment encrypts its communication with your computer, open wireless networks expose your device to malware and hacking-related threats.
  - Make sure that your wireless router uses WPA2 encryption and a strong password in order to allow access.
  - Do not allow guest access to your network, except through a dedicated Guest network that is isolated from your work environment.
  - Be cautious in deploying “Internet of Things” devices on your home or office networks. These devices are becoming frequent entry points for attacking users.
  - Restrict workforce members in your organization from connecting to untrusted networks.
- Always adjust guidance based on the threats and risks that concern your practice. Twelve-character passwords may not be long enough. Six months might be too long to go without changing your password for certain high-risk accounts.