Reset Your Password
athenaOne for Hospitals & Health Systems
This page allows you to reset your athenaOne password online.
Resetting your password and changing your password are different: If you forget your password, you can reset it by answering security questions on the Reset Your Password page. You set up your security questions on the Security Questions tab of the Update User Profile page. When you know your password and you want to change it before it expires (all athenaOne passwords expire after 90 days), you can use the Password tab on the Update User Profile page to change it.
On the athenaOne login page, click the Forgot password? link.
After you enter an email address and security questions on the Security Questions tab of the Update User Profile page, you can reset your password yourself. You can also recover your username if you forget it.
- On the athenaOne login page, click Forgot password?.
The Reset Your Password page appears.
- Username — Enter your username and click Next Step.
athenaOne sends a security token to the email address associated with your username on the Update User Profile page. You will use this security token to reset your password.
The security questions that you set up on the Update User Profile page appear, one by one.
- Answer each security question in the text box provided, clicking Next Step each time.
Note: If you answer any security question incorrectly more than four times, you must wait 15 minutes before you can try to reset your password again.
- Do not close the athenaOne login window. Locate the athenaOne email that contains the security token. Copy the token from the password reset email message.
- Security Token — Paste the security token into this field and click Next Step.
- Create and confirm a new password. Enter the new password in the New Password and Confirm Password fields.
The login page appears.
- Click Reset.
A confirmation appears notifying you that your password was successfully reset.
- Log in to athenaOne with your username and the new password that you created.
After you enter an email address and security questions on the Security Questions tab of the Update User Profile page, you can reset your password yourself. You can also recover your username if you forget it.
- On the athenaOne login page, click Forgot password?.
The Reset Your Password page appears.
- Click forgot username?.
The Email field appears.
- Enter the email address associated with your athenaOne account on the Update User Profile page, and click Next Step.
A confirmation message appears.
- Check the email address associated with your athenaOne account and open the new email that contains your athenaOne username.
- If you don't remember your password, enter your athenaOne username on the Reset Your Password page to start the password reset workflow.
- If you know your password, click Return to login to display the login page.
Note: If you have multiple athenaOne usernames that all use the same email address, the email that you receive contains all your athenaOne usernames. You can select the username for which to reset the password.
You must have user admin access (practice superuser) to unblock a user account. If the user has access to multiple practice IDs, only a superuser with access to the same practice IDs can reset the user's password or unblock the user account.
- Display the Users page: On the Main Menu, click Settings > User. In the left menu, under Practice Links — Users, click Users.
- Enter search criteria to find the user.
- Click Search.
- Click update next to the username in the list of search results.
- Click the Security tab.
- Block password reset — Select Unblock Password Reset.
- Click Save.
You must have user admin access (practice superuser) to unblock a user account. If the user has access to multiple practice IDs, only a superuser with access to the same practice IDs can reset the user's password or unblock the user account.
- Display the Users page: On the Main Menu, click Settings > User. In the left menu, under Practice Links — Users, click Users.
- Enter search criteria to find the user.
- Click Search.
- Click update next to the username in the list of search results.
- Click the Security tab.
- Block account — Select Unblock Account.
- Click Save.
Your password must meet the following criteria:
- Change at least every 90 days.
- Consists of 8 to 72 characters.
- Contains lowercase letters and numbers.
- Cannot be a weak or commonly used password.
- Cannot match any of the last 30 passwords for that account.
- Cannot contain parts of username.
- Cannot contain first name, or last name.
- Accounts lock out after 5 failed login attempts.
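The criteria above can be expressed as a server-side check. The following Python sketch is an added example, not athenaOne code; it covers the length, composition, common-password, username, name, and 30-password history rules, and leaves the 90-day expiry and the lockout to the login system. The 4-character definition of a username "part", the PBKDF2 history hashing, and the tiny weak-password list are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re

MIN_LEN, MAX_LEN, HISTORY_DEPTH = 8, 72, 30   # values from the criteria above
FRAGMENT_LEN = 4    # assumption: a "part" of the username is any 4-character run
PBKDF2_ROUNDS = 100_000                        # illustrative work factor
# Constructed stand-in for a real weak-password list.
COMMON = {"password1", "qwerty123", "letmein123", "welcome2024"}


def hash_password(password, salt):
    """Salted, slow hash so password history is never stored in clear text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_history(old_passwords):
    """Build (salt, digest) history entries, oldest first."""
    entries = []
    for old in old_passwords:
        salt = os.urandom(16)
        entries.append((salt, hash_password(old, salt)))
    return entries


def username_fragments(username):
    """All FRAGMENT_LEN-character runs of the username, lowercased."""
    name = username.lower()
    if len(name) <= FRAGMENT_LEN:
        return {name} if name else set()
    return {name[i:i + FRAGMENT_LEN] for i in range(len(name) - FRAGMENT_LEN + 1)}


def check_password(candidate, username, first_name, last_name, history):
    """Return the names of the violated rules; an empty list means accepted."""
    problems, lowered = [], candidate.lower()
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append("length")
    if not (re.search(r"[a-z]", candidate) and re.search(r"\d", candidate)):
        problems.append("composition")
    if lowered in COMMON:
        problems.append("common")
    if any(part in lowered for part in username_fragments(username)):
        problems.append("username")
    if any(n and n.lower() in lowered for n in (first_name, last_name)):
        problems.append("name")
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(candidate, salt), digest):
            problems.append("history")
            break
    return problems
```

Returning every violated rule at once, rather than stopping at the first, lets the reset form show the user all the problems with a rejected password in one pass.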
To create a unique password that you can remember easily:
- Pick a phrase such as "I love cookies and ice cream."
- Use the initial letter of each word in the phrase to create a nonsense string of letters that is not found in a dictionary.
- Capitalize one of the letters, or add punctuation where it would occur in the phrase.
- Add an easy-to-remember number or numbers.
athenahealth, Inc., takes the privacy and security of your information very seriously. This section provides frequently asked questions regarding our password controls.
We understand that password requirements are a frustrating but necessary step to protecting the information we use on a daily basis. athenahealth password controls include requirements regarding password complexity, storage, and expiration in an effort to balance many factors, including:
- Regulatory compliance obligations that athenahealth and our services are subject to, such as HIPAA and PCI DSS.
For example, the HIPAA Security Rule (45 CFR §164.308(a)(5)(i)(D)) requires password management through "procedures for creating, changing, and safeguarding passwords." If athenahealth did not enforce this requirement, a physician's use of athenaOne would not meet the basic HIPAA Security Rule Requirements.
Note: You are obligated to comply with HIPAA by virtue of your organization's status as a covered entity. Additionally, your contract with athenahealth requires compliance with applicable law.
- Healthcare IT information security standards and accreditations such as HITRUST.
- Commonly accepted information security standards and best practices.
- Information security threat modeling and analysis.
- Cryptographic analysis.
- Human factors and usability analysis.
If a security breach occurred using a non-changed password, you would be responsible for having failed to enforce appropriate password controls to prevent the disclosure of PHI. As your co-sourcing partner, we also view this risk as a significant threat to our business obligations, given the amount of sensitive information that athenahealth stores on all our clients' behalf. Our password controls are strictly enforced and cannot be changed for any client.
In the event of a severe compromise of athenaOne infrastructure resulting in unauthorized access to athenaOne authentication credentials, the combination of non-trivial passwords (enforced by password complexity requirements) and cryptographic storage methods increases the amount of time required for an attacker to compromise any of our clients' original passwords. Password aging requirements provide an additional layer of security by minimizing the window in which stolen and successfully compromised passwords could be used.
Although password complexity and aging impose a burden of entering complex and frequently changing passwords, strategies are available to help create and manage passwords to ensure that they are both strong and accessible. We cannot recommend or endorse any of these solutions, but we offer them for your review and consideration:
- Password managers such as KeePass, 1Password, and LastPass allow users to store and retrieve passwords quickly from an encrypted database. Some users generate completely random and unique site-specific passwords, relying on browser auto-fill and clipboard password management.
- Password generation schemes such as Diceware help users create easier-to-remember passwords that are hard for a computer to guess.
We prompt users 15 days in advance to update their passwords for enhanced security and to prevent unauthorized access. This proactive measure ensures timely password updates without workflow disruption.