What are the HIPAA Password Requirements?

Before answering the question what are the HIPAA password requirements, it is important to note that passwords are not a requirement of HIPAA if Covered Entities use an alternative authentication method to “verify that a person or entity seeking access to ePHI is the one claimed” (Security Rule Standard §164.312(d)).

According to the Department of Human Services´ Guide to the Technical Security Standards there are three ways in which Covered Entities can comply with this Security Rule Standard:

  • Implement an authentication method that requires something only known to the individual (i.e., a password or PIN).
  • Implement an authentication method that requires something the individual possesses (i.e., a smart card or key).
  • Implement an authentication method that requires something unique to the individual (i.e., a fingerprint or facial image).

Consequently, passwords are only a requirement of HIPAA if they are used as part of a unique name or number combination for identifying users and tracking user activity (Security Rule Standard §164.312(a)); in which case, Covered Entities are required to develop and implement procedures for creating, changing, and safeguarding passwords (Security Rule Standard §164.308(a)).

In most cases, Covered Entities do use username and password combinations to protect individuals´ medical records and other personal health and payment information against theft, loss, and unauthorized disclosure, so it is necessary to be aware of the HIPAA password requirements and the best way of enforcing HIPAA password policies to ensure compliance with the HIPAA Security Rule.

HIPAA Password Requirements

There is no further guidance about HIPAA password requirements. The reason why HIPAA is not more specific about passwords is to ensure legislation does not need to be updated every time there is a change in password and security best practices. For example, at the time when HIPAA was initially enacted, passwords consisting of a minimum of 6 letters was a best practice. Today, 6-digit alphanumeric passwords can be cracked using brute force algorithms within minutes.

Further, while passwords are currently ubiquitous and are the primary way accounts are secured, that could well change in the future due to advances in two-factor authentication and biometrics. HIPAA allows for future changes and is deliberately flexible so HIPAA-covered entities and their business associates can develop their own password policies – provided they comply with the Security Rule Standards referenced above.

Consequently, policies should be developed that stipulate how passwords are created, changed, and safeguarded. Policies should also address resetting passwords when it is reasonably believed a password has been compromised, shared with an individual other than the account holder, or in response to a cyberattack. Finally, policies for safeguarding passwords should stipulate saved passwords are encrypted and never stored in plain text.

How to Make Passwords HIPAA Compliant

While security experts agree that strong, difficult-to-guess passwords are required, there is considerable disagreement about the best approach for setting passwords and HIPAA password management. It is a recognized best practice to ensure that a minimum of 8 characters is used for passwords, that the password should not be a dictionary word, should combine upper- and lower-case letters, at least one number, and a special character.

Unfortunately, a password that meets the above requirements will undoubtedly be secure, but it will also likely be difficult to remember, especially when multiple passwords are required. That is likely to lead to employees writing passwords down or circumventing the password policy by creating memorable but easy-to-guess passwords – qwerty12345! For example. There is also some debate as to how often passwords need to be changed and whether password expiration is necessary.

The best approach to take is to base a HIPAA password policy on the latest advice from the National Institute of Standards and Technology (NIST). NIST publishes security guidance on password use and management and the guidance is regularly updated. The latest NIST password guidance can be found in NIST Special Publication 800-63B. By creating a password policy based on current NIST guidance, healthcare organizations will be able to meet the HIPAA password requirements and keep accounts and data secure.

Best Practices for Password Creation and Management

The HIPAA password requirements essentially require recognized password best practices to be followed, and these are indicated below:

  • Set a minimum password length of 12 characters – NIST recommends a maximum length of 64 characters.
  • Enforce the use of complex passwords requiring a mix of upper- and lower-case letters, numbers, and special characters.
  • NIST recommends creating memorable passwords. Enable the use of long passphrases to eliminate password complexity requirements without compromising security.
  • Block the use of commonly used weak passwords and dictionary words.
  • Avoid the use of password hints as they can make passwords much less secure.
  • Enable multi-factor authentication for all accounts to eliminate the need to regularly change passwords.
  • Educate users about good password hygiene, such as changing default passwords, not sharing passwords, and not reusing them on other platforms.
  • Consider using a password manager to help employees create and securely store complex passwords.

Use a HIPAA-Compliant Password Manager

One of the easiest ways to ensure complex, strong passwords are created that meet NIST standards and HIPAA password requirements is to use a password manager like Bitwarden that supports HIPAA compliance. A HIPAA-compliant password manager allows individuals to generate unique, strong, complex passwords for all accounts that meet an organization’s minimum password requirements and keep them secure, yet available.

The provider of a “zero-knowledge” password manager solution is not given access to PHI and is therefore not considered a business associate, but it is important that the company is reputable and has excellent security. The solution should be easy to use, feature end-to-end encryption, and should be able to scale to meet the needs of your organization.

Ideally, a password manager provider should adhere to the standards of the HIPAA Security Rule, especially since the passwords they store could allow access to internal systems containing ePHI. Ideally, a password manager should be chosen that has been audited for compliance with the HIPAA Security Rule.

HIPAA Password Requirements FAQs

What are the brute force tactics that make 6-digit passwords easy to hack?

Brute force attacks are when cybercriminals take advantage of password hacking software to attempt every possible password for a specific username. Although there are more than 56 billion possible combinations for a 6-digit alphanumeric password (consisting of a-z, A-Z, and 0-9), most brute force password cracking software can get through all the combinations within a day.

How much harder is to crack a password that includes special characters?

Any password that includes random special characters increases its complexity exponentially. There are 143,859 Unicode characters that can be used as a special character in a password compared to 62 alphanumeric characters. However, cybercriminals are aware that some people replace specific alphanumeric characters with specific special characters to help them remember their passwords (i.e., replacing “s” with “$”), and this is a practice best avoided.

What does it mean that passwords are “never stored in plain text”?

Employees often have multiple login credentials for multiple accounts and remembering each password can be difficult – especially when covered entities enforce the best practice of using long and complex passwords. Therefore, the temptation is to make a list of passwords and save them in a spreadsheet in plain text. The problem with this is that anybody with physical or remote access to the workstation can access the spreadsheet and all the passwords saved in it.

How does using password hints make passwords less secure?

Password hints are usually questions you complete the answers to so you can recover a password when you have forgotten it – for example, your birthday, where you were born, or your dog´s name. Employees with an active social media presence often have this information in their profiles or timeline, making it easier for a cybercriminal to access their accounts by finding out the answers to the password hint questions.

What makes a password manager HIPAA-compliant?

HIPAA is deliberately technology neutral, and there are no HHS-approved certifications for technology solutions, so it is incorrect to claim any technology is HIPAA-compliant – it is how the technology is used that determines compliance. Nonetheless, some password managers support HIPAA compliance better than others with (for example) access controls, audit logs, and automatic logoff capabilities.

How is it possible to tell if a password is a commonly-used or weak password?

There are multiple tools available on the Internet that can sweep password repositories to identify weak passwords or those that are known to have been compromised in a previous data breach. Alternatively, the Bitwarden password manager has a Health Check capability that performs a similar sweep and alerts users to weak, re-used, or compromised passwords.

What are the HIPAA password change requirements?

Although the text of HIPAA Includes a clause stating Covered Entities should implement procedures for creating, changing, and safeguarding passwords, this addressable requirement was written prior to NIST changing its recommendations for password best practices. The current guidance is that passwords should only be changed when there is evidence of compromise.

Are there HIPAA account lockout requirements?

Under the technical safeguards of the HIPAA Security Rule, there is an addressable implementation specification that Covered Entities should “implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.” The purpose of this specification is to prevent the unauthorized disclosure of ePHI when a workstation or device is left unattended, but it is a security best practice to apply it to all workstation and devices.

Does HIPAA require MFA?

Multi-factor authentication (MFA) is not a requirement of HIPAA per se. However, if a Covered Entity conducts a risk assessment that identifies weaknesses in their information access management, MFA could be used as a reasonable and appropriate security measure to address the weaknesses.

Some people in our organization share passwords. Is this a violation of the HIPAA password requirements?

It depends on the reason why passwords are being shared. There are no circumstances in which passwords to systems containing ePHI should be shared because Covered Entities have to implement measures to identify users and track user activity. However, if a healthcare facility´s marketing team use the same social media accounts, there is a justifiable reason for passwords being shared.

Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years experience as a HIPAA coach. Daniel provides his HIPAA expertise on several publications including Healthcare IT Journal and The HIPAA Guide. Daniel has studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X https://twitter.com/DanielLHIPAA