Authorizing password changes in a health science center

[David Grisham <DGrisham () SALUD UNM EDU>]

The hospital has for a long time required a facsimile of the identification badge each time a password change is 
requested.  It is a new century end programs like Photoshop presented a new risk to that process.  We do not want to 
ask for personal information on any email or phone call request.  (Our staff could be around others who might take 
advantage of that information, if overheard)
We have added password challenge questions for half of our systems.  The patient systems cannot be placed into a web 
page challenge at this time.  What do your account groups do to verify the identity of some one needing a password 
change to systems with confidential information?

 
 
Cheers. -grish
David D. Grisham, Ph.D., CISM, CHS, CHSP
Manager, IT Security, UNM Hospitals, Information Technology
1650 University Blvd, S.500, Albuquerque, NM 87102
Ph: (505) 272-5657 FAX 272-3305
Work email: dgrisham () salud unm edu 
Adjunct Faculty, Computer Science, UNM
Academic & personal email: dave () unm edu