HIPAA requires covered entities to implement robust password requirements, including minimum length, complexity, and periodic changes, to ensure the security and protection of sensitive health information, mitigate the risk of unauthorized access, and comply with HIPAA’s standards for the safeguarding of electronic protected health information (ePHI).
What are the HIPAA Password Requirements?
HIPAA requires an authentication method to be implemented to prevent unauthorized individuals from gaining access to electronic protected health information (ePHI) and passwords are the easiest authentication method to use. The cost and difficulties of using alternative methods to passwords means most healthcare organizations will remain reliant on passwords for authentication for the foreseeable future.
The HIPAA password requirements are detailed in the administrative safeguards of the HIPAA Security Rule, although they only consist of a few words.
The HIPAA Security Rule – 45 CFR § 164.308 a(5)(d) – refers to “Password management.” This is an addressable rather than a required safeguard that calls for “Procedures for creating, changing, and safeguarding passwords.”
It is important to explain the distinction between ‘addressable’ and ‘required’ in the HIPAA legislation. Required naturally means HIPAA-covered entities must comply with the standard. Addressable means the standard must be addressed but cannot be ignored. That means that passwords must be used to secure accounts unless an alternative measure is implemented that provides an equivalent level of protection. The use of biometric authentication such as fingerprints would therefore serve as a HIPAA-compliant alternative to passwords.
The decision whether to use passwords or an alternative method for securing accounts should be guided by a risk analysis. Whatever decision is taken, it should be documented along with the rationale behind the decision.
Implementing a HIPAA-Compliant Password Policy
The HIPAA password requirements require covered entities and their business associates to develop and implement a password policy. To comply with the password requirements of the HIPAA Security Rule, a HIPAA password policy must cover the creation of passwords, password changes, and safeguarding passwords.
Password Creation and Management
The HIPAA password requirements do not include specifics about password length and complexity. That is because best practices change over time and specific technical requirements would likely require regular legislative updates. Instead, HIPAA best practices for passwords should be followed.
Recognised security practices should be followed, such as those provided by the National Institute of Standards and Technology (NIST) in its special publications. NIST password guidance is included in its Digital Identity Guidelines – Authentication and Lifecycle Management Special Publication (800-63B). A HIPAA password policy should be based on the latest recommendations from NIST.
General advice is to use a minimum of 8 characters to make passwords less susceptible to brute force tactics, and to use a combination of characters, including special characters. Dictionary words should be avoided as should commonly used weak passwords – Qwerty123! – for example.
This makes passwords much harder to guess, but also much harder to remember. As a result, users tend to create passwords in a predictable way. That means that even if the use of complex passwords is enforced, the passwords may not be particularly strong.
The latest advice is therefore not to enforce the use of special characters but to allow them to be used. Password length should be increased, and users encouraged to use passphrases rather than passwords – Strings of preferably unrelated words. NIST recommends increasing the maximum password/passphrase length to 64 characters.
NIST no longer recommends enforcing password changes. “Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future,” explains NIST. “When those changes do occur, they often select a secret that is similar to their old, memorized secret by applying a set of common transformations such as increasing a number in the password.”
Once a HIPAA password policy has been developed, it should be enforced and employees should be trained on password security and password cybersecurity best practices, such as always creating unique passwords, never reusing or recycling passwords, and be instructed on how to create strong passwords.
HIPAA Password Safeguards
The HIPAA password requirements for password safeguards are not specified, so these too must follow cybersecurity best practices. Passwords should never be stored in plaintext and should be encrypted and preferably also salted. This will make it much harder for the encryption to be cracked if password lists are obtained by unauthorized individuals.
It is now widely accepted that multi-factor authentication should be implemented due to the risk of passwords being compromised. It does not matter how complex a password is, if it is disclosed in a phishing attack it will offer no protection. Multifactor authentication should prevent compromised passwords from being used to gain access to accounts and ePHI.
Consider Using a HIPAA-Compliant Password Manager
Since healthcare employees are likely to have to have to create multiple passwords or passphrases, password managers should be considered. A password manager is not only used to store multiple passwords, but also other sensitive information such as credit card numbers, identity information, and sensitive notes.
Password managers store this sensitive data in a secure vault that is protected with a master password. A password manager allows employees to securely store all of their complex passwords; however, a policy should be developed covering master password creation. Security is only as good as the weakest link, so it is essential for the master password for users’ password vaults to be strong and difficult to guess.
When selecting a password manager for healthcare use, security is a major consideration. While password managers do not store ePHI, they store credentials that can be used to access ePHI. A password manager should therefore have end-to-end encryption and security controls that meet the minimum standards of the HIPAA Security Rule.