According to the HIPAA password requirements, there must be procedures in place for creating, changing and safeguarding passwords, unless an alternative security measure that is equally effective has been put in place. The HIPAA password requirements appear in the Administrative Safeguards of the HIPAA Security Rule, under the Security Awareness and Training standard.
The best way to comply with the HIPAA password requirements is by means of two-factor authentication.
It is essential to set strong passwords to prevent them from being guessed and to reduce the chance that brute force attacks succeed. Strong passwords include numbers, a combination of upper and lower case letters, and special characters. The longer the password, the harder it is to guess and therefore the more secure it is. However, there is considerable debate surrounding password policies to meet HIPAA requirements.
One aspect of passwords that is something of a hot topic is whether it is better to make passwords complex by using random combinations of digits, letters, and symbols. While this certainly makes passwords harder to guess, it also makes them much harder for users to remember. That means users are more likely to write their passwords down so that they can remember them, which is far from secure. HIPAA covered entities should follow the advice of NIST when it comes to creating password policies. Currently, NIST considers it better to use long passphrases rather than 8-character random strings of digits, letters, and symbols. Not only is a passphrase of 16 characters (or more) harder to guess, it is also much easier for users to remember.
Some experts recommend making users change their passwords every 60 or 90 days, but this may be counterproductive as it similarly creates problems for users. What is vitally important is to make sure that commonly used weak passwords are rejected and to prevent the use of dictionary words, which are susceptible to brute force attacks.
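The screening described above, as an added example that is not part of the original article: a NIST-style check that rejects common and dictionary-derived passwords without imposing composition rules, using constructed sample blocklists in place of a real breached-password corpus and dictionary file.

```python
import re
import unicodedata

MIN_LENGTH = 8           # NIST SP 800-63B minimum for user-chosen memorized secrets
PASSPHRASE_LENGTH = 16   # the article's "16 characters (or more)" passphrase target

# Constructed sample lists. A real deployment loads a breached-password
# corpus and a full dictionary file here instead of these few entries.
COMMON_PASSWORDS = {"password", "12345678", "qwerty123", "letmein", "welcome1"}
DICTIONARY = {"hospital", "patient", "password", "welcome", "summer", "doctor"}

# Undo the substitutions users make to slip past naive blocklists (P@ssw0rd).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(pw: str) -> str:
    """Unicode-fold and lowercase so 'Password' and 'PASSWORD' compare equal."""
    return unicodedata.normalize("NFKC", pw).casefold()


def core_word(norm: str) -> str:
    """Strip digits/punctuation bolted onto the ends ('hospital1!') and reverse
    leet-speak, leaving the word the blocklist should actually be matched on."""
    stripped = re.sub(r"^[^a-z@$]+|[^a-z@$]+$", "", norm)
    return stripped.translate(LEET)


def check_password(pw: str) -> list[str]:
    """Return the reasons a candidate fails; an empty list means it is accepted.
    Deliberately no upper/lower/digit composition rules, per NIST guidance."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    norm = normalize(pw)
    core = core_word(norm)
    if len(set(norm)) <= 1:
        reasons.append("repeated character")
    if norm in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        reasons.append("commonly used password")
    if core in DICTIONARY:
        reasons.append("single dictionary word")
    return reasons


def meets_passphrase_guidance(pw: str) -> bool:
    """True when the candidate passes screening and reaches passphrase length."""
    return not check_password(pw) and len(pw) >= PASSPHRASE_LENGTH
```

Note that "P@ssw0rd1" satisfies every classic complexity rule yet is rejected here, while a plain multi-word passphrase passes, which is the trade-off the article describes.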
A HIPAA password policy is an addressable standard, not a required standard. That does not mean this aspect of HIPAA is optional. Addressable means flexibility is provided as to how the requirement can be met. There are alternatives available to accomplish the purpose of a password, which is to make an account or system more secure by preventing unauthorized access. If a covered entity can implement an alternative measure that achieves that purpose and offers the same or a greater level of protection, it is perfectly acceptable to use that method (or methods) in place of passwords, for instance fingerprint controls, retina scans and so forth. Covered entities need to remember to document any alternative solutions they implement and the reasoning behind their use in place of an addressable element of HIPAA.
There are also methods of securing accounts that should be considered in addition to passwords, of which two-factor authentication is one of the most important. A person using a username and password to log into a database must also enter a PIN code sent via SMS or push notification to confirm their identity. This makes it harder for an unauthorized individual to gain access to an account if a password is guessed or otherwise obtained. It should be noted that two-factor authentication is not infallible, although it does significantly improve security and is an important additional safeguard to prevent phishing attacks from resulting in unauthorized account access.
Many medical facilities already use two-factor authentication for accepting credit card payments. This is to comply with the DEA’s Electronic Prescription for Controlled Substances Rules or the Payment Card Industry Data Security Standard. Although some healthcare professionals say that two-factor authentication slows down workflow, it is still a far easier solution for complying with the HIPAA Security Rule and is more effective than requiring individuals to frequently change passwords.