As the guiding principle for security and privacy in the healthcare industry, HIPAA rules still reign. In the face of an increasingly digital landscape and growing IT security threats for healthcare, HIPAA compliance is more important than ever.
But, as most healthcare organizations know, HIPAA standards are often vague and difficult to interpret consistently. Yet, non-compliance can be both a security vulnerability and an expensive liability. Fines, mitigation, and settlement fees for HIPAA violations and any resulting data breaches can really add up.
This is one of the reasons that covered entities and business associates rely on the HITRUST CSF®: to provide a clear framework for HIPAA compliance.
Poor Password Hygiene Is a Major Vulnerability for Healthcare
Ensuring that the passwords used within the healthcare organization are HIPAA complaint, is an important measure not just for avoiding fines. It’s also a critical step in safeguarding patient privacy and electronically protected health information (PHI or ePHI).
“Particularly in the healthcare sector, deficient user authentication and excessive user permissions are frequently named as the leading risks to the enterprise,” according to Health IT Security. Common shortcomings related to passwords include:
- Lack of strength,
- Controls that are single-sign-on,
- Transmitting passwords via email,
- Employees writing passwords down, and
- Absence of an automatic account blocking measure for multiple failed login attempts.
Passwords may not seem like a big deal, but weak password policies and procedures make it easier for hackers to successfully access your data. This is especially true for brute-force attacks and ransomware attacks.
HIPAA Password Requirements
Password management policies are cited in the Administrative Safeguards section of the HIPAA Security Rule. Under the paragraph about security awareness and training, it states:
“Password management – Procedures for creating, changing, and safeguarding passwords.”– 45 CFR § 164.308 – Administrative safeguards, HIPAA
But it does not outline what type of procedures should be implemented or provide standards that password management should meet. It’s also true that effective password security actually touches every part of the standards outlined by HIPAA. For example, it relates to safeguards for physical access to sensitive data and technical safeguards like authentication procedures.
Does HIPAA Require Password Changes?
Unfortunately, the actual requirements as to password policies and procedures are unclear. It states that procedures regarding password changes should exist. So, we can assume, at least, that a password reset would be needed in case of the password database being compromised or any other verified or suspected cyberattack.
What Is the HIPAA Policy for Password Strength?
HIPAA regulations do not identify specific requirements for password strength. Standard best practice requires at least 8-10 characters, including symbols, numbers, uppercase and lowercase letters.
3 Steps from HITRUST® for HIPAA-Compliant Password Policies & Procedures
This lack of specificity makes it difficult for organizations to know what to do to ensure password procedures are HIPAA compliant. And this is where the HITRUST CSF framework proves its practical value. It provides real-world indications for an effective password policy, strengthening network security and taking the guesswork out of compliance.
- Require Strong Passwords
Strong password requirements help to protect the organization from brute-force and dictionary attacks. Hacking and password cracking tools are less effective when passphrases are uncommon and don’t include personal details, like birthdates. Password policies and managers should enforce these guidelines. They should also prevent users from:
- Using passwords that are less than 10 characters,
- Repeating a series of identical characters,
- Updating passwords with incremental numbers (at least four characters should be changed for each password reset),
- Recycling old passwords (the previous four combinations should be blocked), and
- Utilizing passwords that may have been exposed in a data breach.
- Schedule Regular Password Resets
According to the HITRUST CSF, passwords should be programmed to expire after 90 days and privileged passwords should expire after 60 days. Though there is some disagreement in the cybersecurity industry about the effectiveness of forced password resets, when done properly, this measure decreases vulnerability linked to compromised credentials.
- Store Password Files Securely
Healthcare organizations should have clear password hygiene policies and ensure that staff are aware of these policies. This includes:
- Not writing down or saving passwords in unauthorized places, and
- Storing passwords separately from application system data.
As an actionable protection measure, encryption should be implemented whenever passwords are stored or transmitted.
HIPAA-Compliant Password Tools
Password management tools can help your healthcare organization to meet HIPAA regulations and make systems easier to use for doctors and staff. They can be programmed to enforce strong password security policies, like those outlined by HITRUST. Quality password managers screen for common password combinations and breached credentials. These tools are extremely valuable for continuous monitoring of password security and are automated to save your IT team time.
Compliance Without Anxiety – I.S. Partners
Contact our team of auditing, cybersecurity, and compliance assessors today to find out how we can assist your healthcare organization.