HIPAA is not privacy

Many people in the US associate HIPAA with the rules required to protect medical data. It actually is a lot more than that, but the HIPAA laws do require some minimal standards for medical providers.

I recently came across an example of where HIPAA is ineffective. The medical providers are required to protect your data, but they are not required to allow you to protect your data!

I have vision insurance through a company called VSP (www.vsp.com). To set up an account I needed to create a user name and password. So, I created a great password and was promptly told I could not use it because it contained “special characters”. That isn’t a smart approach to security, but I know I can overcome these restrictions by using a long password. I decided to use the password “VSP Security really sucks”. The password was rejected, not because their security does not suck, but because I can’t have spaces in the password. “vspsecurityisstupid” was a perfectly acceptable password, but I had to change it because I just posted it on a blog.

Sometimes you really have to take security into your own hands. If you can’t use special characters, then it becomes very important to use a very long password.

Next time I’ll write about a popular social networking site with stupid password requirements.

There is a reason that some sites don’t allow special characters: it requires more security work. Special characters can be a security vulnerability for people who do not know how to use databases securely. More on that another time.
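As an added example (not code from the post, from ESET or from VSP), the Python below shows why a site has no need to ban special characters or spaces, and why length is the requirement worth enforcing: the password is bound as a query parameter and stored only as a salted hash, so it never becomes part of SQL text, while the policy check rejects short passwords rather than punctuation. The table layout, user names and sample passwords are constructed for the illustration.

```python
import hashlib, hmac, math, os, sqlite3, string

MIN_LENGTH = 12  # length is the requirement; no character class is banned

def check_policy(password):
    """Reject only on length; spaces and punctuation are welcome."""
    if len(password) < MIN_LENGTH:
        return False, "password must be at least %d characters" % MIN_LENGTH
    return True, "ok"

def estimated_bits(password):
    """Rough strength estimate: length * log2(size of character set used)."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " "]
    size = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(size) if size else 0.0

def hash_password(password, salt=None):
    """Salted PBKDF2; the raw password is never stored or put into SQL text."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest

def create_user(conn, username, password):
    ok, reason = check_policy(password)
    if not ok:
        raise ValueError(reason)
    salt, digest = hash_password(password)
    # Parameterized query: values never reach the SQL parser, so quotes,
    # semicolons or spaces in a password cannot change the statement.
    conn.execute("INSERT INTO users (username, salt, hash) VALUES (?, ?, ?)",
                 (username, salt, digest))

def verify_user(conn, username, password):
    row = conn.execute("SELECT salt, hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    _, digest = hash_password(password, row[0])
    return hmac.compare_digest(digest, row[1])  # constant-time comparison

def demo():
    # Constructed sample accounts with passwords a naive site would reject.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, hash BLOB)")
    create_user(conn, "randy", "VSP Security really sucks")
    create_user(conn, "alice", "O'Brien said \"no\"; really")
    return (verify_user(conn, "randy", "VSP Security really sucks")
            and verify_user(conn, "alice", "O'Brien said \"no\"; really")
            and not verify_user(conn, "randy", "wrong password here"))
```

The strength estimate is deliberately crude; it only illustrates that the 19-character lowercase password from the post scores far higher than a short password stuffed with symbols.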

Randy Abrams

Director of Technical Education

Author , ESET

  • Randy;

    VSP agrees that the ability to create a strong password is fundamental to providing a secure environment, and appreciates your comment regarding our site (www.vsp.com). We recognized this deficiency recently ourselves, and are implementing changes later this month to address this issue.

    Kyle Kelt
    Director, IT
    VSP

Copyright © 2016 ESET, All Rights Reserved.