Considering how important passwords are for preventing unauthorized access, you may be surprised to hear that passwords are only an addressable requirement of the administrative safeguards of the HIPAA Security Rule, rather than a required element. That does not mean the HIPAA password requirements are optional. Passwords must be considered as an administrative safeguard for securing accounts and preventing unauthorized access to electronic protected health information (ePHI) and if they are not used, HIPAA requires an alternative method of securing accounts that provides an equivalent level of protection.
45 CFR § 164.308(a)(5)(ii)(D) of the HIPAA Security Rule, the "password management" implementation specification, is the provision that relates to password use and management. It requires procedures to be developed and implemented for creating, changing, and safeguarding passwords, but that is as specific as HIPAA gets.
There is a good reason why the HIPAA Rules are not more specific about passwords: it ensures that the HIPAA legislation does not need to be updated every time password and security best practices change. When HIPAA was initially signed into law, a minimum password length of 6 characters was considered best practice. Today, a 6-character alphanumeric password can be cracked very quickly.
Further, while passwords are currently ubiquitous and are the primary way that accounts are secured, that could well change in the future. HIPAA allows for such changes by requiring that accounts be secured either with passwords or with an alternative method that provides an equivalent or greater level of protection, such as fingerprint scanners and other biometric security measures.
HIPAA Password Requirements for 2021
The Rules of the Health Insurance Portability and Accountability Act incorporate flexibility, so HIPAA-covered entities and their business associates must develop their own password policies and make sure they meet the HIPAA password requirements.
That means creating a HIPAA password policy for the entire organization and ensuring that policy is enforced. In practice the policy has to specify a structure for passwords: the minimum number of characters and, if composition rules are used, the types of characters a password must include.
HIPAA password management requires a policy that specifies the frequency of changing passwords. HIPAA does not specify that frequency; it is left to the discretion of each entity. Policies and procedures should also be created for resetting passwords, such as when it is reasonably believed that a password has been compromised, has been shared with an individual other than the account holder, or in response to a cyberattack. Policies should also be developed for safeguarding passwords, such as ensuring that stored passwords are held only as salted hashes produced by a purpose-built password hashing function, and are never stored in plain text or in a reversible form.
How to Make Passwords HIPAA Compliant
While security experts agree that strong, difficult-to-guess passwords are required, there is considerable disagreement about the best approach for setting passwords and HIPAA password management. It is a recognized best practice to ensure that a minimum of 8 characters is used for passwords, that the password should not be a dictionary word, should combine upper- and lower-case letters, at least one number, and a special character.
Unfortunately, a password that meets the above requirements is likely to be difficult to remember, especially when multiple passwords are required. That is likely to lead to employees writing passwords down or circumventing the password policy by creating memorable but easy-to-guess passwords such as qwerty12345!, which satisfies every composition rule and is still trivial to crack. There is also some debate as to how often passwords need to be changed and whether password expiration is necessary at all.
The best approach to take is to base your HIPAA password policy on the latest advice from the National Institute of Standards and Technology (NIST). NIST publishes security guidance on password use and management and the guidance is regularly updated. The latest NIST password guidance can be found in NIST Special Publication 800-63B.
By creating a password policy based on current NIST guidance, healthcare organizations will be able to meet the HIPAA password requirements and keep their accounts and data secure.
Best Practices for Password Creation and Management
The HIPAA password requirements essentially require recognized password best practices to be followed, and these are indicated below:
- Set a minimum password length of 8 characters and allow long passwords: NIST requires that systems accept passwords of at least 64 characters, without truncating them.
- Prefer length over complexity. NIST SP 800-63B advises against mandatory composition rules (a forced mix of upper- and lower-case letters, numbers, and special characters) because they push users toward predictable patterns; allow long, memorable passphrases instead, which removes the need for complexity requirements without compromising security.
- Block the use of commonly used weak passwords and dictionary words.
- Avoid the use of password hints as they can make passwords much less secure.
- Enable multi-factor authentication for all accounts. NIST advises against forcing periodic password changes; with MFA in place, passwords need only be changed when there is evidence of compromise.
- Educate users about good password hygiene, such as changing default passwords, not sharing passwords, and not reusing them on other platforms.
- Consider using a password manager to help employees create and securely store complex passwords.
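The policy points above (minimum length, a 64-character allowance, a blocklist of common passwords, no composition rules) and the earlier requirement that stored passwords never be kept in plain text are straightforward to implement. The following is an added example written for this page, not code from any password manager or from NIST: a NIST SP 800-63B-style acceptance check plus salted PBKDF2 storage using only the Python standard library. The blocklist is a constructed stand-in for a real breached-password list, and the username/context-word check, the repeated/sequential tests, and the hash string format are the example's own design choices.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Constructed stand-in for a real common/breached password list (assumption:
# the operator loads the real list, e.g. a Have I Been Pwned download).
COMMON_PASSWORDS = {
    "password", "password1", "qwerty12345!", "letmein", "welcome1",
    "123456", "12345678", "iloveyou", "admin123", "hospital1",
}

MIN_LENGTH = 8          # NIST SP 800-63B minimum for user-chosen passwords
MAX_LENGTH = 64         # verifiers must accept at least 64 characters
PBKDF2_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (example choice)


def normalize(password: str) -> str:
    """NFKC-normalize before checking or hashing, as 800-63B recommends, so the
    same secret typed on different keyboards or platforms compares equal."""
    return unicodedata.normalize("NFKC", password)


def _is_sequential(s: str) -> bool:
    """True for runs like 'abcdefgh' or '87654321' (every step +1 or every step -1)."""
    if len(s) < 2:
        return False
    diffs = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return diffs in ({1}, {-1})


def check_password(password: str, username: str = "", context_words=()) -> list:
    """Return the list of policy violations; an empty list means accepted.

    Deliberately no composition rules: the checks are length, blocklist,
    context-specific words (username, organisation name), and trivially
    repetitive or sequential strings, per NIST SP 800-63B section 5.1.1.2.
    """
    pw = normalize(password)
    lowered = pw.lower()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears on the common/breached password list")
    for word in (username, *context_words):
        if word and len(word) >= 4 and word.lower() in lowered:
            problems.append(f"contains context-specific word {word!r}")
    if re.fullmatch(r"(.)\1*", pw):
        problems.append("single repeated character")
    if _is_sequential(lowered):
        problems.append("sequential characters")
    return problems


def hash_password(password: str) -> str:
    """Store only a salted PBKDF2-HMAC-SHA256 digest, never the password itself.
    Format (example's own): pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(password).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(password).encode("utf-8"),
        bytes.fromhex(salt_hex), int(iterations),
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for candidate in ("qwerty12345!", "correct horse battery staple", "abcdefgh"):
        print(candidate, "->", check_password(candidate) or "accepted")
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```

Note that `qwerty12345!` passes every classic composition rule yet is rejected here purely by the blocklist, which is the point of preferring blocklists and length over character-class rules. The iteration count is a work-factor knob; raise it as hardware gets faster, and store it alongside the hash (as the format above does) so old records can be upgraded on next login.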
Use a HIPAA-Compliant Password Manager
One of the easiest ways to ensure that strong, unique passwords are created that meet NIST and HIPAA password requirements is to use a password manager such as Bitwarden. A password manager allows individuals to store the passwords for all of their accounts in a secure, encrypted repository. Password managers also generate unique, strong passwords for every account that meet an organization's minimum password requirements and comply with current NIST guidance. Employees then need to create and remember only one master password, which they use to access their password vault. A password manager will help you meet the HIPAA password management requirements.
The provider of a password manager solution is not given access to PHI and is therefore not considered a business associate, but it is important that the company is reputable and has excellent security. The solution should be easy to use, feature end-to-end encryption, and should be able to scale to meet the needs of your organization.
Ideally, a password manager provider should adhere to the standards of the HIPAA Security Rule, especially since the passwords it stores could allow access to internal systems containing PHI. Where possible, choose a password manager that has been independently audited for compliance with the HIPAA Security Rule.