HIPAA Password Requirements

HIPAA sets out guidelines for creating, changing, and protecting passwords. However, if an organisation devises an equally protective security measure as an alternative to passwords, it may be able to use that instead. In fact, a recent development – two-factor authentication – may actually be the best way to protect private health information.

The guidelines were established as part of the Administrative Safeguards of the HIPAA Security Rule. It stipulates, under the section on Security Awareness and Training, that covered entities (CEs) must have comprehensive procedures for creating, storing and changing passwords.

Complying with HIPAA Policy

There is much disagreement among those in the security sector regarding HIPAA best practice. All agree that passwords should be long, include special characters and contain a variety of numbers and letters; the disagreement lies in how frequently passwords should be changed.

Some argue that passwords should be changed every sixty to ninety days to minimize the chance that a password will be hacked. Others argue that if a user-generated password is going to be hacked at all, it will typically be accomplished within ten minutes, using both technical and social knowledge, so a rotation schedule adds little. Additionally, if passwords are changed frequently, they are more likely to be written down and lost to a malicious third party.

There is less disagreement regarding the safeguarding of passwords. Most covered entities (CEs) use password management tools for this. Because these tools are not immune to hackers, the stored passwords are kept in encrypted form, so that in the event of a hack they cannot be read by the attackers.

Passwords: “Addressable Requirements”

HIPAA legislation has been heavily criticized by CEs and their business associates for its confusing and often unclear terminology. For example, under the HIPAA Security Rule, passwords are designated as “addressable” requirements. This does not mean they are optional and can be ignored. Rather, it means that if a CE finds an alternative to passwords that provides equal protection, that alternative can be used instead.

Passwords were created to protect data, and HIPAA legislation says that they must “limit unnecessary or inappropriate access to and disclosure of Protected Health Information” (PHI). Anything that achieves the same goal is thus acceptable.

Two-Factor Authentication

Two-factor authentication provides a perfect alternative to passwords. When a person tries to log on to a server, they receive a message containing a unique PIN code. This PIN is generated afresh for each login attempt and confirms the identity of the person trying to access a database containing PHI.
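The per-login PIN flow described above, as an added illustration that is not part of the original article and not any particular vendor's product: the server issues a fresh random PIN for each login attempt, keeps only a salted hash of it, and accepts it once within a short window and a small number of tries. The session identifier, TTL and attempt limit are assumed values for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

PIN_DIGITS = 6           # length of the one-time PIN (assumed)
PIN_TTL_SECONDS = 120    # how long a PIN stays valid (assumed)
MAX_ATTEMPTS = 3         # wrong guesses allowed before the PIN is discarded (assumed)

# Server-side state for pending second-factor checks, keyed by login session id.
# Only a salted hash of the PIN is stored, never the PIN itself.
_pending: dict = {}


def _pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + pin.encode()).digest()


def issue_pin(session_id: str, now: Optional[float] = None) -> str:
    """Generate a fresh PIN for this login attempt and record its hash.
    The returned PIN is what the server would send to the user out of band."""
    now = time.time() if now is None else now
    pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"  # CSPRNG, zero-padded
    salt = secrets.token_bytes(16)
    _pending[session_id] = {
        "salt": salt,
        "hash": _pin_hash(pin, salt),
        "expires": now + PIN_TTL_SECONDS,
        "attempts": 0,
    }
    return pin


def verify_pin(session_id: str, candidate: str, now: Optional[float] = None) -> bool:
    """Check a submitted PIN. Fails on unknown session, expiry, too many tries or
    mismatch; succeeds at most once, because the record is consumed on success."""
    now = time.time() if now is None else now
    rec = _pending.get(session_id)
    if rec is None:
        return False
    if now > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
        _pending.pop(session_id, None)
        return False
    rec["attempts"] += 1
    ok = hmac.compare_digest(_pin_hash(candidate, rec["salt"]), rec["hash"])
    if ok or rec["attempts"] >= MAX_ATTEMPTS:
        _pending.pop(session_id, None)  # single use: consume on success or lockout
    return ok
```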

In fact, two-factor authentication is already widely used, including in the healthcare sector. However, it is not usually used to protect PHI – instead, it is used to protect credit card details. This is in line with the Payment Card Industry Data Security Standard (PCI DSS) and the Electronic Prescription for Controlled Substances Rules, as laid out by the DEA.

One of the main reasons that many healthcare providers are reluctant to use two-factor authentication more broadly is that it may impede workflows. However, recent advances in the technology, such as LDAP integration and Single Sign-On, remove these impediments.

There’s a fair argument to be made that two-factor authentication is more feasible than constantly changing passwords. It is more user-friendly, as the user will only ever have to remember one password. This reduces the chance that the password will be written down and lost. However, though two-factor authentication provides a HIPAA-compliant alternative to passwords, CEs and their business associates who choose to use it must justify and document their decision. Should there be a breach of PHI and an audit become necessary, that documentation will help determine liability.