I've mentioned in previous blogs that BIDMC has contracted for an enterprise wide security assessment to ensure our security projects are aligned with best practices. Over the next few months I'll write several posts about the issues we've reviewed and the evolution of our thinking about security.
Today I'll start with something basic.
What is the right frequency to require passwords changes?
Many security experts and commonly used guidelines suggest a 90 day password expiration frequency.
To understand the common practices of hospitals in Massachusetts, I asked many of my peer CIOs about their password change policies. The answer - some organizations are at 9 months, some are at 6 months, and some are at 3 months. One is at 4.5 months - a compromise between 3 months and 6 months.
Two questions we need to answer before crafting the ideal policy.
1. Does changing passwords frequently actually increase security?
2. What is the impact of frequent password changes on the user experience (especially for smartphone and iPad users)
For question 1 - The benefit of requiring a more frequent change to passwords has been the topic of debate within the IS community for years. While many experts claim shortening the period reduces risk, others argue the opposite because users cannot remember frequently changed passwords and write them on post it notes which they affix to their work area.
Here are three references which suggest that increasing password frequency reduces security.
http://www.cerias.purdue.edu/site/blog/post/password-change-myths/
http://www.healthcare-informatics.com/blogs/dale/password-expiration-insanity
http://digitaltrustllc.com/?p=49
For question 2 - Frequent password changes can be challenging for users of mobile devices. Generally, something like this happens
You change your password via a desktop application
Your iPhone and iPad try to synch email before you can change the password on them
Your account is locked out for 20 minutes
You try to change your password on your mobile devices but you cannot because of the lock out
You call the IS help desk and they remove the account lock but you spent two hours trying to change the password on all your mobile devices before the account is locked again, calling the help desk several times.
I'm sure there is an ideal way to do this i.e. turn off all the cellular and network connections on your mobile devices and change your password via a desktop application. Then, change them on your mobile devices before reimplementing wireless network connections.
Regardless, doing this every few months will increase help desk support call volume and user frustration.
A side effect of creating a suboptimal user experience is that users will stop using tightly controlled corporate applications and instead access consumer grade technology such as Gmail, Dropbox, and text messaging, increasing risk and ultimately reducing security.
As a next step, we'll ask our multi-stakeholer IS Security and Privacy Committee to review the literature (pro and con) about frequent password changes. They'll evaluate the risks and benefits of various password change frequencies and then we'll select a path forward which hopefully balances the risks of infrequent password changes and too frequent password changes.
Just as I asked about remote access, I welcome your comments about your password expiration frequency policies and experience.