HIPAA Password Requirements

HIPAA sets out guidelines for creating, changing, and protecting passwords; however, if an organisation devises and equally protective security measure as an alternative to passwords, they may use that method instead, providing the rationale behind that decision is documented and is backed up by a risk analysis.

The guidelines were established as part of the administrative safeguards of the HIPAA Security Rule. They stipulate, under the section on Security Awareness and Training, that covered entities (CEs) must have comprehensive policies and procedures for creating, storing and changing passwords.

Complying with HIPAA Policies

There is much disagreement between those in the security sector regarding HIPAA best practices for passwords. While it has been established that passwords should be a minimum of 8 characters, include upper and lower case letters, numbers, and special characters, this practice has been challenged in recent years, as has the practice of enforcing changes to passwords regularly.

While it is true that an 8-10 string of randomly generated letters, numbers and symbols is hard to guess, those passwords are also hard to remember. The policies  increases the likelihood that users will write down their passwords. The National Institute of Standards and Technology (NIST) now recommends the use of passphrases – Much longer passwords consisting of a phrase that is both complex and easy to remember.

Some argue that passwords should be changed every sixty to ninety days to minimize the potential for brute force attacks succeeding. The longer a password is in use, the more time a hacker has to guess the password. However, recent research suggests that, in reality, forcing users to change their passwords actually decreases security as it also encourages users to write down passwords or circumvent password policies – Changing a previous password by adding an exclamation mark or number to the end.

All covered entities should refer to the latest NIST guidelines for passwords and should set their password policies accordingly.

There is less discrepancy regarding the safeguarding of passwords. Passwords should not be stored in cleartext. They should be salted and encrypted. This means that should hackers gain access to the systems containing stored passwords, they will not be able to be read.

Passwords: “Addressable Requirements”

HIPAA legislation has been heavily criticized by CEs and business associates for its confusing and often unclear terminology. For example, under the HIPAA Security Rule, passwords are designated as “addressable” requirements. This does not mean they are optional and thus can be ignored. Passwords are created to protect data, and HIPAA legislation says that they must “limit unnecessary or inappropriate access to and disclosure of Protected Health Information” (PHI). Anything that achieves the same goal is thus acceptable.

If a CE finds an alternative solution to using passwords that provides an equivalent or greater level of protection, it can be used in place of passwords – Fingerprint scanners for instance.

Multi-Factor Authentication

Even strong passwords can be guessed, and by using brute force tactics – repeated automated guesses – hackers can crack passwords if they have enough time. Many users also share passwords across multiple platforms and reuse old passwords. In such cases, a breach of a social media platform could give a hacker the password to a healthcare system.

To improve the security of passwords, an additional security control should be implemented: Multi-factor authentication. Multi-factor authentication combines a password with another factor that is either known to an individual or possessed by them. This could involve the use of tokens on specific devices that are regularly used to login to a system. When a previously unused device attempts to login, or an attempt to login is made from a new location, a second method of authentication must be provided before access to the account is granted. For example, a PIN could be sent to a mobile device that must be entered before access is granted.

Multi-factor authentication is often used to protect financial accounts, in line with the Payment Card Industry Data Security Standard (PCI DSS) and the DEA’s Electronic Prescription for Controlled Substances Rules. However, multi-factor authentication has not been adopted by many healthcare organizations for accessing systems that contain ePHI, such as email accounts.

One of the main reasons that many healthcare providers are reluctant to use multi-factor authentication is because it can impede workflows. However, recent advances in password managers such as Bitwarden remove many of these impediments to workflows.

There’s a fair argument to be made that multi-factor authentication is better that forcing users to frequently change passwords. It is more user-friendly, as the user will only ever have to remember one password.  It is also an important security measure to help reduce the risk of phishing. Phishing attacks are commonplace. All it takes is for an employee to respond to a phishing email for their email credentials to be obtained by hackers. With multi-factor authentication in place, if a hacker obtains a user’s password via a phishing attack or other means, without the second authentication factor, access to that account cannot be gained. Multi-factor authentication is not infallible, but it does greatly increase security.