Password Management

Overview

All users granted access to Medical Center information resources are provided a user ID and password that is unique to the individual. Passwords must adhere to the guidelines listed in this standard.

Purpose

To ensure the confidentiality of information and compliance with Medical Center Policies.

Scope

This standard applies to all Medical Center employees and customers.

Description

Password Requirements for Standard UVA Health System Network Accounts

  • Password Expiration: 60 Days (5 day advance notice)
  • Password Length: a minimum of 7 characters, containing a combination of letters, numbers, and special characters where allowed.
  • Password Uniqueness: Previous 8 passwords may not be reused.
  • Protected from repeated attempts at guessing by forcing automatic suspension of user access after a specified number of excessive attempts.

Passwords must be:

  • Individually owned
  • Kept confidential
  • Changed whenever disclosure has occurred and changed at least every 60 days
  • A minimum of 7 characters and contain a combination of letters, numbers, and special characters where allowed (if system does not accommodate 7 characters, the maximum number of characters allowed must be utilized)
  • If requesting a password reset from the Health Information and Technology (HIT) Helpdesk or HIT Security you should be prompted to change the temporary password upon login. You should never keep a temporary password as your password. If you need instructions on how to change a temporary password please contact the HIT Helpdesk at 924-5334.
  • Protected from repeated attempts at guessing by forcing automatic suspension of user access after a specified number of excessive attempts.


Passwords must not be:

  • Shared with other users
  • The same as that used in the last 8 previous password changes
  • Easily guessed such as repeating sequences of letters or numbers
  • Names of persons, places, or things that may be associated with the owner
  • Stored in any medium that is susceptible to disclosure or use by others (e.g. Post-It notes, notebooks, etc.)
  • Displayed as part of the authentication entry process


Password violations such as the sharing of passwords should be reported immediately via the Computer Security Incident Report.

Owners of Information Systems must monitor password inactivity to determine continued user access.

Supervisors/Managers are responsible for verifying employees' system access annually via the Supervisor Review Form.


Password Requirements for UVA Health System Privileged Administrative Accounts

Individuals who have privileged access that allows administrative rights on UVa Medical Center computers, for the purpose of IT troubleshooting and support, have additional password policy requirements. This standard applies to local system accounts as well. The requirements below apply to both individual and local privileged accounts.

Passwords must contain the following:

1) A minimum of 10 characters
2) At least one upper case letter
3) At least one lower case letter
4) At least one number
5) At least one symbol (for example: !, *, #)

The HealthIT Security Office strongly recommends the use of passphrases. A passphrase is typically longer than a password and contains multiple words that create a phrase. Below are some examples of passphrases:

1) H1t@H0meRun!
2) 1Luv2Pl@yBball!
3) Re@dingB00K$1sFun
4) 1Park3dTh3C@r

NOTE: Please do not use the passphrases listed above; they are intended as examples only.
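The composition rules above (7 characters with letters, numbers and symbols where allowed for standard accounts; 10 characters with upper case, lower case, a number and a symbol for privileged accounts) and the "no repeating sequences" rule from the "must not be" list can be checked mechanically. The following validator is an added example written for this page, not a tool from the Medical Center or HIT; the thresholds used to detect a repeating sequence and the `system_max_len` / `allow_symbols` parameters (for systems that cannot hold 7 characters or do not accept special characters) are assumptions of the example.

```python
import re

STD_MIN_LEN = 7    # standard network accounts
PRIV_MIN_LEN = 10  # privileged administrative accounts


def has_repeating_sequence(pw: str) -> bool:
    """'Easily guessed such as repeating sequences': a character run of
    three or more, or any chunk of 2+ characters repeated back-to-back
    (e.g. "abcabc"). The thresholds are an assumption; the standard
    gives none."""
    return bool(re.search(r"(.)\1{2,}", pw) or re.search(r"(..+?)\1", pw))


def check_standard_password(pw: str, system_max_len=None, allow_symbols=True) -> list:
    """Standard account rule: 7+ characters with letters, numbers and symbols
    where allowed. If a system cannot hold 7 characters, its maximum is the
    required length instead. Returns the unmet requirements (empty = OK)."""
    required = STD_MIN_LEN if system_max_len is None else min(STD_MIN_LEN, system_max_len)
    problems = []
    if len(pw) < required:
        problems.append(f"shorter than {required} characters")
    if not re.search(r"[A-Za-z]", pw):
        problems.append("no letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no number")
    if allow_symbols and not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbol")
    if has_repeating_sequence(pw):
        problems.append("contains a repeating sequence")
    return problems


def check_privileged_password(pw: str) -> list:
    """Privileged account rule: 10+ characters, at least one upper case
    letter, one lower case letter, one number and one symbol."""
    problems = []
    if len(pw) < PRIV_MIN_LEN:
        problems.append(f"shorter than {PRIV_MIN_LEN} characters")
    for pattern, msg in ((r"[A-Z]", "no upper case letter"),
                         (r"[a-z]", "no lower case letter"),
                         (r"[0-9]", "no number"),
                         (r"[^A-Za-z0-9]", "no symbol")):
        if not re.search(pattern, pw):
            problems.append(msg)
    if has_repeating_sequence(pw):
        problems.append("contains a repeating sequence")
    return problems
```

The four example passphrases listed above all pass `check_privileged_password`, while a password such as `Abc123Abc123!!` meets every composition rule yet is rejected for its repeated chunk.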

Password Requirements for Other Critical Information Systems

SMS (A2K3)

  • Password Expiration: 60 Days (no advance notice)
  • Password Length: 7 - 8 Alphanumeric characters including special characters; 1st character must be alphabetic, not case sensitive.
  • Password Uniqueness: Previous 5 passwords may not be reused.
  • Password Revocation: Access denied after three consecutive unsuccessful logon attempts.
  • Access deleted after 180 days of inactivity.
  • Access reinstatement will require new access request.

TSO, CICS, VIEW (RACF)

  • Password Expiration: 60 Days (7 day advance notice)
  • Password Length: 7 - 8 Alphanumeric characters including special characters; 1st character must be alphabetic, not case sensitive.
  • Password Uniqueness: Previous 5 passwords may not be reused.
  • Password Revocation: Access denied after five consecutive unsuccessful logon attempts.
  • Access revoked after 90 days of inactivity.
  • Access deleted after 120 days of inactivity.
  • Access reinstatement will require new access request.

PEOPLESOFT

  • Standard PeopleSoft access utilizes the user’s Health System Network/Outlook account.

IDX

  • Password Expiration: 180 Days
  • Password Length: 6 - 32 Alphanumeric characters; no special characters; not case sensitive.
  • Password Uniqueness: Previous passwords may not be reused.
  • Password Revocation: Access denied after 3 consecutive unsuccessful logon attempts. Access reinstatement will require new access request.

Problem Resolution

Employees should call the HIT Help Desk at (434) 924-5334 for password related issues.

Document Supporting Resources