HIPAA-Compliant Password Manager

With regards to what the HIPAA regulations says about passwords or HIPAA-compliant password managers, there isn´t much to go on. The only mention of the word “password” in the Act appears in the Administrative Safeguards of the HIPAA Security Rule in the section covering Security Awareness and Training (45 CFR § 164.308). This section states Covered Entities must implement “procedures for creating, changing, and safeguarding passwords”.

While other areas of the same section could be interpreted as relating to passwords, possibly a more relevant section of the Act falls within the Technical Safeguards of the HIPAA Security Rule (45 CFR § 164.312), where Covered Entities are required to implement technical procedures for systems that maintain ePHI “to grant access to only those people who have been granted access rights”.

Under this section of the Technical Safeguards, Covered Entities are required to “assign a unique name and/or number for identifying tracking user identity”. Covered Entities are also required to “implement procedures to verify that a person or entity seeking access to ePHI is the one claimed”. Although this clause doesn´t necessarily insist on the use of “passwords”, using passwords does seem to be the most logical way to comply with these particular requirements.

The Issue with Managing Passwords in a HIPAA-Compliant Manner

According to the latest healthcare data breach statistics, the majority of reported data breaches are attributable to hacking; while, according to Verizon´s 2020 Data Breach Investigations Report, more than 80% of data breaches attributable to hacking can be traced back to successful brute force attacks against weak passwords and the theft of log-in credentials via phishing emails.

To mitigate the threat from hacking and potential penalties for HIPAA data breaches, Covered Entities should create, change, and safeguard passwords in a HIPAA-compliant manner – meaning policies should be put in place to prevent the use of weak passwords, the reuse of passwords across multiple accounts, and the disclosure of passwords to unauthorized parties.

However, in an enterprise-scale organization, the potential exists for users to create and change hundreds of passwords every day, and there could be tens of thousands of passwords in need of safeguarding. It is not humanly possible to manage passwords in a HIPAA-compliant manner at this scale, let alone monitor that a person or entity seeking access to ePHI is the one claimed.

Monitoring that a person or entity seeking access to ePHI is the one claimed is a big problem. In 2017, a survey of healthcare professionals found that 73% of respondents had used a colleague´s login credentials to access medical data. While the majority of respondents were students or interns who had not yet been given their own login credentials, the fact that a colleague had provided the credentials demonstrates a lack of managing passwords in a HIPAA-compliant manner

HIPAA Compliance and Password Managers

While most commercial password managers can be configured to enforce the use of strong passwords, reduce employee susceptibility to phishing, and implement procedures for creating, changing, and safeguarding passwords, not all have the security mechanisms required to comply with HIPAA – for example, end-to-end encryption, automatic log-off, and audit logs to identify who has accessed password-protected accounts. An example of a password manager that can help with HIPAA compliance is Bitwarden.

So, Is There Such a Thing as a HIPAA-Compliant Password Manager?

There is no such thing as a HIPAA-compliant technology because it is how the technology is used, rather than what it does, that determines compliance. Furthermore, HIPAA compliance is an ongoing process. Therefore, a technology could meet the criteria to support HIPAA compliance at any given moment in time; but, one update or one specification change later, there could be gaps in the technology´s security that result in the unauthorized disclosure, loss, or theft of ePHI.

Therefore, the closest there can possibly be to a HIPAA-compliant password manager is a technology with the security mechanisms like end-to-end encryption, automatic log-off, and audit logs) to support HIPAA compliance. How the technology is used still determines compliance, but at least a fully-featured password manager provides the opportunity to manage passwords in compliance with the Administrative and Technical Safeguards of the HIPAA Security Rule.

One further consideration for HIPAA-compliant password management is that whatever password manager is implemented, it has to have ease of use. If the configuration of the password manager is too complicated, if integrations with other IAM solutions are too intricate, or if end users do not understand how to access passwords, the password manager will likely not be used in compliance with HIPAA with the potential for accounts being hacked.

HIPAA-Compliant Password Manager Q&A

How does a password manager such as Bitwarden prevent weak and reused passwords?

Although the majority of passwords used in healthcare are created, assigned, and changed when necessary at a higher level than user level, system administrators can apply policies to the Bitwarden platform that stipulate minimum password requirements and automatically block the deployment of any passwords already in use.

Does the Bitwarden password manager work on different systems, devices, and browsers?

Passwords stored on the Bitwarden platform can be accessed via desktop apps, mobile apps, web browser plugins, and via the web directly regardless of the type of device or operating system being used. Data is synchronized across all access channels so users have access to up-to-date login credentials at all times.

How do administrators monitor and control password sharing through Bitwarden?

When passwords are shared through the Bitwarden password manager, administrators manage who has access to shared passwords via an architecture consisting of organizations, groups, and collections. Within this architecture, administrators have total visibility over password activity via detailed event logs and policy reports.

Can Bitwarden be used to store data other than passwords?

Bitwarden can be used to store cards details securely (i.e., for auto-filling online payments), personal and corporate profiles (i.e., for auto-filling names, addresses, etc.), and plaintext notes, files, and attachments. However, Bitwarden should not be used for storing or sharing ePHI, as this would be a breach of the HIPAA Technical Safeguards.