Before discussing how to best comply with the HIPAA password requirements it may be useful to first explain what the password requirements are because they are distributed among several areas of the HIPAA Security Rule.
The best place to start is Security Standard §164.312(d) of the Technical Safeguards, which stipulates Covered Entities must “implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed”. While this is often assumed to mean Covered Entities and Business Associates must use a combination of usernames and passwords to authenticate a user's identity, that's not always the case.
In 2005, the Department of Health and Human Services (HHS) published a Guide to the Technical Safeguards of the Security Rule in which it suggests three ways Covered Entities and Business Associates can comply with this Security Standard:
- By implementing an authentication method that requires something only known to the individual (e.g., a password or PIN),
- By implementing an authentication method that requires something the individual possesses (e.g., a smart card or key), or
- By implementing an authentication method that requires something unique to the individual (e.g., a fingerprint or facial recognition).
The guidance implies passwords are not necessarily a requirement of HIPAA. However, usernames are. Under the Technical Safeguard relating to access controls (§164.312(a)) Covered Entities are required to assign a unique name and/or number for identifying and tracking user activity. Thereafter, in the Administrative Safeguards (§164.308(5)), HIPAA requires Covered Entities to implement procedures for creating, changing, and safeguarding passwords.
However, the implementation specification in the Administrative Safeguards is an “addressable” one – meaning that a Covered Entity must either (a) implement the specification, (b) implement an alternate measure that achieves the same purpose, or (c) not implement the specification or an alternative if it can be proven the specification is unreasonable or inappropriate. Consequently, passwords are not a requirement of HIPAA if an alternate method of authentication is used.
Most Covered Entities and Business Associates Use Passwords
Despite the choice of authentication methods available to Covered Entities and Business Associates, most use passwords. This is due to authentication methods such as smart cards and facial recognition software being comparatively expensive and difficult to manage. Furthermore, passwords are usually the default authentication method on computer systems, EHRs, and other systems maintaining ePHI, and it would take time to convert systems to a different method.
Therefore, Covered Entities and Business Associates using passwords have to comply with the HIPAA password requirements. However, beyond the Technical and Administrative Safeguards mentioned above, the text of HIPAA sheds no further light on what the requirements are or how best to comply with them. Consequently, it falls on individual Covered Entities and Business Associates to define their own HIPAA password requirements after conducting and documenting a risk assessment.
The risk assessment should reveal that weak passwords are easy for cybercriminals to crack with brute force attacks, that forced password changes are no longer recommended by NIST, and that passwords are best safeguarded in encrypted format. These three factors should be the basis of HIPAA compliance password policies – along with rules prohibiting the sharing of passwords, reusing passwords on other accounts, and writing down passwords where they can be found.
What Should HIPAA Compliance Password Policies Consist of?
A best practice for HIPAA compliance password policies is to follow the Digital Identity Guidelines published by the National Institute of Standards and Technology (NIST). The latest guidelines can be found in NIST Special Publication 800-63B and include:
- Enforce a minimum password length of 8 characters.
- Block the use of commonly used weak passwords and dictionary words.
- Require the use of complex passwords mixing upper- and lower-case letters, numbers, and special characters.
- Allow the use of long passphrases to eliminate password complexity requirements without compromising security.
- Avoid the use of password hints as the answers to these can often be found on social media, thus making passwords less secure.
- Enable multi-factor authentication for all accounts to eliminate the need to regularly change passwords.
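The policy rules listed above can be enforced at the point where a user chooses a password. The following is an added example, not code from the article or from NIST: it checks a candidate password for the minimum length, a blocklist of common weak passwords and dictionary words, and the mixed-character-class rule, and it waives the complexity rule for long passphrases, as the list allows. The blocklist entries are constructed sample values, and the 16-character passphrase threshold is an assumption; a real deployment would load a large breached-password list instead of the handful shown here.

```python
"""Password-policy check modelled on the rules listed above.

Added example, not from the original article. The blocklist contents and the
PASSPHRASE_LENGTH threshold are assumptions made for illustration.
"""
import re
import unicodedata

MIN_LENGTH = 8          # minimum length from the policy list
PASSPHRASE_LENGTH = 16  # assumption: passphrases this long skip the complexity rule

# Constructed sample blocklist of commonly used weak passwords and dictionary words.
BLOCKLIST = {
    "password", "password1", "12345678", "qwerty123", "letmein1",
    "hospital", "welcome1", "iloveyou",
}

# Character classes the complexity rule requires for shorter passwords.
_CLASSES = (
    ("upper", re.compile(r"[A-Z]")),
    ("lower", re.compile(r"[a-z]")),
    ("digit", re.compile(r"[0-9]")),
    ("special", re.compile(r"[^A-Za-z0-9]")),
)


def _normalize(pw: str) -> str:
    # Unicode-normalise before comparison so visually identical strings
    # are treated the same way by every check below.
    return unicodedata.normalize("NFKC", pw)


def _blocklisted(pw: str) -> bool:
    lowered = pw.lower()
    if lowered in BLOCKLIST:
        return True
    # Also reject decorated variants such as "Password1!" where stripping the
    # digits and punctuation leaves a blocklisted word.
    stripped = re.sub(r"[^a-z]", "", lowered)
    return stripped in BLOCKLIST


def check_password(candidate: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    pw = _normalize(candidate)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if _blocklisted(pw):
        problems.append("matches a commonly used weak password or dictionary word")
    # A long passphrase is accepted without the mixed-character-class rule;
    # anything shorter must contain all four classes.
    if len(pw) < PASSPHRASE_LENGTH:
        missing = [name for name, rx in _CLASSES if not rx.search(pw)]
        if missing:
            problems.append("missing character class(es): " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    for sample in ("hospital001", "Password1!", "Tr0ub4dor&3",
                   "correct horse battery staple"):
        print(repr(sample), "->", check_password(sample) or "OK")
```

Note that the blocklist check runs on the decorated form as well as the bare word, so "Password1!" is rejected even though it satisfies every character-class rule; checking only the raw string would let the most common way of dressing up a dictionary word slip through.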
To enforce HIPAA compliance password policies – and best comply with the HIPAA password requirements – Covered Entities and Business Associates should implement a password manager that supports HIPAA compliance through security audits, end-to-end encryption, and custom management roles.
HIPAA-compliant password managers can be configured to empower users to create passwords that comply with the password policy, alert users to weak, reused, or compromised passwords, and enforce multi-factor authentication – either for all accounts or for those maintaining ePHI or other sensitive information.
HIPAA Password Requirements – FAQs
Is it possible not to use passwords and still comply with HIPAA?
Covered Entities must comply with the requirement to “implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed”. Username and password combinations are the easiest and least expensive way to do this, but if the Covered Entity implements an alternate authentication method which is just as effective as username and password combinations and which can identify and track user activity, then it is possible not to use passwords and still comply with HIPAA.
NIST recommends complex passwords, no dictionary words, and passphrases to eliminate complexity. As passphrases do not include special characters, but do include dictionary words, which is right?
Cybersecurity experts believe long passphrases are harder to crack using brute force attacks than shorter complex passwords. However, if users are susceptible to phishing attacks, the harder a complex password is to remember, the less likely users are to inadvertently reveal it. Covered Entities should conduct a risk assessment to establish the best format to include in a HIPAA compliance password policy; and, if the solution is complex passwords, implement a password manager with credential autofill capabilities so users do not have to remember passwords.
Why does NIST no longer recommend forced password changes?
NIST revised its recommendations about forced password changes after finding users were changing their passwords by just one character to ensure they could still remember them – for example, “hospital001” to “hospital002”. This was considered to be an unsafe practice because, if the original password had been compromised, there was a strong likelihood the new one would be as well.
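Where a Covered Entity does still rotate passwords, the single-character bump described above can be caught at change time by comparing the proposed password with the one it replaces. The following is an added example, not code from the article or from NIST: it treats a change as trivial when the two passwords share the same stem after trailing digits and punctuation are removed, or when their overall similarity is high. The stem pattern and the 0.75 similarity threshold are assumptions chosen for illustration.

```python
"""Flag trivial password rotations such as "hospital001" -> "hospital002".

Added example, not from the original article. The trailing-suffix pattern and
the similarity threshold are assumptions made for illustration.
"""
import difflib
import re

# Assumption: a trailing run of digits and common punctuation is the part users
# typically "bump" when forced to change a password.
_SUFFIX = re.compile(r"[0-9!@#$%^&*._-]+$")
SIMILARITY_THRESHOLD = 0.75  # assumption: above this ratio the change is cosmetic


def _stem(pw: str) -> str:
    """Lower-case the password and strip the trailing digit/punctuation run."""
    return _SUFFIX.sub("", pw.lower())


def similarity(old: str, new: str) -> float:
    """Case-insensitive difflib ratio: 1.0 identical, 0.0 nothing in common."""
    return difflib.SequenceMatcher(None, old.lower(), new.lower()).ratio()


def is_trivial_change(old: str, new: str) -> bool:
    """True when `new` is too close to `old` to count as a real change."""
    if old == new:
        return True
    old_stem = _stem(old)
    # Same stem with only the trailing counter or punctuation changed.
    if old_stem and old_stem == _stem(new):
        return True
    # Otherwise fall back to an overall similarity score.
    return similarity(old, new) > SIMILARITY_THRESHOLD


if __name__ == "__main__":
    for old, new in (("hospital001", "hospital002"),
                     ("hospital001", "Hospital001!"),
                     ("welcome1", "welcomeB2"),
                     ("hospital001", "correct horse battery staple")):
        print(f"{old!r} -> {new!r}: trivial={is_trivial_change(old, new)}")
```

This comparison needs the previous password in clear text, so it is only possible at the moment of change, when the user has just supplied both values; it cannot be run later against stored credentials.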
Does HIPAA require multi-factor authentication?
Multi-factor authentication (MFA) is an option for complying with the Technical Safeguards of the Security Rule; but, as HIPAA is technology-neutral, it is not a requirement. Covered Entities can choose to implement MFA as a standalone authentication method – provided it complies with other Security Standards – or implement MFA to strengthen defenses against password hacks and phishing.
How is it possible to tell if a password is weak and easy to crack?
There are multiple tools available on the Internet with which Covered Entities can check the strength of passwords and passphrases. Some, such as the Bitwarden password strength testing tool, offer suggestions on how to make a weak password stronger. Alternatively, the site offers a password generator tool Covered Entities can configure to generate passwords that comply with their HIPAA password policies.