How to Best Comply with HIPAA Password Requirements

The HIPAA password requirements state that procedures must be put in place for setting up, amending and securing passwords unless an alternative, equally effective security measure is implemented. We believe that the best way to comply with the HIPAA password requirements is to use two-factor authentication.

The HIPAA password requirements can be seen in the Administrative Safeguards of the HIPAA Security Rule. Under the section referring to Security Awareness and Training, §164.308(a)(5) stipulates Covered Entities must put in place “procedures for creating, changing and safeguarding passwords”.

Specialists Disagree on Best HIPAA Compliance Password Policy

Although all security specialists agree on the need for a strong password (the longest possible, including numbers, special characters, and a mixture of upper and lower case characters), many disagree on the best HIPAA compliance password policy, the frequency at which passwords should be changed (if at all) and the best way of securing them.

Whereas some specialists argue that the best HIPAA compliance password policy involves changing passwords every 60 or 90 days, other experts say the effort is not necessary, since a competent hacker should be able to crack any user-generated password within ten minutes by employing a combination of technical, sociological, or subversive methods (i.e. social engineering).

There is more consensus between experts when it comes to securing passwords. As a best practice for a HIPAA compliance password policy, a large majority approve the use of password management tools. Although these tools can also be infiltrated, the software stores passwords in encrypted form, making them unusable by cyber criminals who obtain the stored data.

HIPAA Password Requirements are ‘Addressable Requirements’

One important point to remember about the HIPAA password requirements is that they are “addressable” requirements. This does not mean they can be deferred to a later date. It means Covered Entities can “implement one or more alternative security measures to accomplish the same purpose.”

In relation to the Administrative Safeguards, the purpose of the HIPAA password requirements is to “limit unnecessary or inappropriate access to and disclosure of Protected Health Information”. Therefore, if a different security measure can be put in place that accomplishes the same purpose as creating, changing and securing passwords, the Covered Entity is in compliance with HIPAA.

Two-factor authentication addresses this requirement well. Whether by SMS notification or push notification, a person using a username and password to log into a database containing PHI also has to enter a PIN code to confirm their identity. As a unique PIN code is issued for each recorded login, a compromised password alone will not give a hacker access to the secure database.

Two Factor Authentication is Already Implemented by Many Medical Facilities

Two-factor authentication is already used by many medical facilities, but not to secure the confidentiality, integrity and availability of PHI. Instead, it is used by medical centers accepting credit card payments to comply with the Payment Card Industry Data Security Standard (PCI DSS), and by others to comply with the DEA’s Electronic Prescription for Controlled Substances Rules.

Healthcare IT experts will be quick to stress that two-factor authentication can delay workflows, but recent advances in the software allow for LDAP integration and Single Sign-On between healthcare technologies. As two-factor authentication software only sends PIN codes (and not PHI), the software does not need to be HIPAA compliant, and it is a far easier solution for compliance with the HIPAA password requirements than constant password changes and password management tools. Effectively, Covered Entities never need to change a password again.

The only thing Covered Entities have to remember before adopting two-factor authentication to protect PHI is that, because the HIPAA password requirements are addressable safeguards, the reasons for putting the alternative solution in place have to be documented. This will meet the HIPAA requirement for conducting a risk analysis and also satisfy auditors if the Covered Entity is selected for review as part of the HHS’ HIPAA Audit Program.