Password disaster in the making

analysis
Oct 9, 2007

What’s worse: passwords taped to the monitor or a boss who assigns them all?

My contract ended yesterday, and today I am happier and feel much more comfortable in my chair. This gig was for the local hospice organization, which falls under HIPAA because of the patient information it retains. It also maintains a database of donors and family members of the deceased. I started working for the organization last year providing solutions to help the growing office, which has 16 desktops and a small (five-year-old Win2000) server.

I started off updating software and bringing all of the computers up to Win2000 SP4, adding a second anti-virus program (Symantec was not licensed for all of their computers) and anti-malware software. I noticed that some of the troubles stemmed from not having enough CALs (Client Access Licenses) and some very badly managed Active Directory permissions. It seemed like each time I fixed an Active Directory issue, something else would “break.”

In time, I was able to fix the permissions, clean and protect the computers, and get a new DSL modem. The only thing that I was not able to do was get the Director to allow Active Directory to manage the users’ passwords. She personally selected passwords that she knew her staff could remember and that she could remember also; for example, Joe David’s username and password were davidj and david, respectively. She did this for each employee — not a single one of them was allowed to choose a password for themselves.
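The scheme described above fails in two ways a password policy is meant to catch: the password is derived from the account's own name, and one person chooses (and therefore knows) every password in the office. The following is an added example, not code from the column or the organization: a small Python policy check that audits a list of proposed account passwords and flags ones that are too short, derived from the username or display name, or shared across accounts. The staff list is constructed for illustration; the names are hypothetical except for the davidj/david pair quoted in the text.

```python
"""Added example: audit proposed passwords against a minimal policy.

Constructed staff list; only the davidj/david pair comes from the column,
the other accounts are hypothetical.
"""
import re
from collections import Counter

# Constructed sample: (username, display name, password chosen for the user)
STAFF = [
    ("davidj", "Joe David", "david"),               # the pair quoted in the column
    ("smitha", "Ann Smith", "smith"),               # same scheme, hypothetical
    ("leek",   "Kim Lee",   "hospice1"),            # reused across accounts, hypothetical
    ("wongp",  "Pat Wong",  "hospice1"),            # reused across accounts, hypothetical
    ("ortizm", "Mia Ortiz", "T7#rainFall!velvet"),  # hypothetical; passes the policy
]

MIN_LENGTH = 12  # policy minimum assumed for this example


def name_tokens(username, display_name):
    """Lower-cased identity fragments (username and name parts) that a password must not contain."""
    tokens = {username.lower()}
    for part in re.split(r"\W+", display_name.lower()):
        if len(part) >= 3:
            tokens.add(part)
    return tokens


def check_password(username, display_name, password, shared_counts=None):
    """Return the list of policy violations for one account (empty list means acceptable)."""
    problems = []
    pw = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Flag the password if it contains, or is contained in, any identity fragment
    # (catches "david" for user "davidj" / "Joe David").
    for tok in name_tokens(username, display_name):
        if tok in pw or pw in tok:
            problems.append(f"derived from account identity ({tok!r})")
            break
    # Flag a password that another account in the same list also uses.
    if shared_counts and shared_counts[password] > 1:
        problems.append("shared with another account")
    return problems


def audit(staff):
    """Check every account; returns {username: [violations]} for failing accounts only."""
    shared = Counter(pw for _, _, pw in staff)
    report = {}
    for username, display_name, password in staff:
        problems = check_password(username, display_name, password, shared)
        if problems:
            report[username] = problems
    return report


if __name__ == "__main__":
    for user, problems in audit(STAFF).items():
        print(f"{user}: {'; '.join(problems)}")
```

Run stand-alone, the script reports every account except ortizm. The point of the check is that the first four accounts would be rejected before they were ever provisioned, which is what letting the directory enforce a password policy buys over a list kept in one person's head.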

It drove me nuts, but she insisted that she needed to log in to their accounts to check their e-mail and My Documents folder to make sure that they were not saving stuff to their PCs. She was worried about HIPAA compliance, but she wouldn’t change her password policy.

Today, I am free. The new, larger, and more capable contractor now gets to butt heads and fight with her over best practices. I hope for her sake, and the sake of clients and their families and the donors, that the contractor wins those battles.

infoworld_anonymous

Since 2005, IT pros have shared anonymous tech stories of blunders, blowhard bosses, users, tech challenges, and other memorable experiences. Send your story to offtherecord@infoworld.com, and if we publish it in the Off the Record blog we'll send you a $50 American Express gift card -- and, of course, keep you anonymous. (Note that by submitting a story to InfoWorld, you give InfoWorld Media Group, its affiliates, and licensees the right to republish this material in any medium in any language. You retain the copyright to your work and may also publish it without restriction.)
