HIPAA Password Policy

Finding suitable information about what should be included in a HIPAA Password policy can be difficult due to HIPAA designating password management as an “addressable” implementation specification but failing to specify what a HIPAA-compliant password policy should consist of.

An “addressable” implementation specification of HIPAA means that, unless a Covered Entity or Businesses Associate implements an alternate security measure that accomplishes the same purpose or assesses the implementation specification is unnecessary (and documents why it is unnecessary), the implementation specification must be addressed.

In the context of a HIPAA password policy, the only text in the Act relating to the use of passwords is that Covered Entities and Business Associates must implement “procedures for creating, changing, and safeguarding passwords” (45 CFR § 164.312). This implies the Act requires the use of passwords, and it is how they are used and managed that has to be addressed.

So, is a HIPAA Password Policy Necessary?

Because the text of HIPAA does not specify minimum guidelines for password security, it is not possible to provide advice about HIPAA-compliant password policies. However, under the Administrative Safeguards of the HIPAA Security Rule, Covered Entities are required to conduct risk assessments to identify potential vulnerabilities and implement security measures to protect ePHI against reasonably anticipated threats.

One reasonably anticipated threat to the integrity of ePHI is weak passwords due to a weak HIPAA password policy. Weak passwords and a lack of password protection are responsible for more than 80% of hacked accounts according to Verizon´s 2020 Data Breaches Investigation Report, which attributes a high percentage of data breaches to brute force attacks and phishing – many large organizations experiencing in excess of 30 million brute force attempts each year.

Consequently, Covered Entities should adopt and enforce policies that promote password best practices to prevent the unauthorized disclosure of ePHI. What these policies and best practices consist of will likely vary from Covered Entity to Covered Entity depending on the nature of their operations, the vulnerabilities uncovered by a risk assessment, and the Covered Entity´s propensity to risk determined by a risk analysis.

Considerations when Developing a HIPAA Password Policy

When developing password best practices for HIPAA compliance, it is necessary to bear in mind that the HIPAA password requirements of “creating, changing, and safeguarding passwords” not only apply to user accounts (i.e., email accounts), but also to systems used to create, process, transmit, and store ePHI (i.e., EHRs and nurse call systems), and components used in integrated healthcare applications that are connected via the Internet or via the public cloud.

It is also important to be aware that HIPAA prohibits the sharing of passwords to access systems containing ePHI. This is because, while there may justifiable reasons for sharing passwords in IT, Finance, or Marketing, the Technical Safeguards of the HIPAA Security Rule require Covered Entities to implement procedures that verify a person accessing ePHI is who they claim to be, and that users are assigned a unique name or number (i.e., a password) for identifying and tracking user identity (45 CFR § 164.312).

With potentially thousands of passwords being used by a healthcare organization, monitoring compliance with a HIPAA password policy is humanly impossible. Therefore, it is recommended Covered Entities implement a password manager that can alert users to weak passwords, passwords assigned to more than one user or device, and recycled passwords that may have been exposed in a previous data breach.

Why You May Also Need a HIPAA Password Management Policy

It was mentioned previously that Covered Entities should adopt and enforce policies that promote password best practices to prevent the unauthorized disclosure of ePHI. These policies are most often understood to be targeted at end-users and stipulating minimum password requirements such as the minimum length of a password and how many numbers or special characters should be included in the password.

However, in larger organizations, it is often the case passwords are created and assigned at manager or administrator level by department heads – who also create the end-user password policies. This scenario has the possibility of end-user password policies not being applied consistently across the organization. To address this possibility, Covered Entities should develop a HIPAA password management policy – the contents of which are determined by the risk analysis.

For example, a HIPAA password management policy may mandate that default passwords must be changed when any new software or system is implemented. The policy might also stipulate how frequently passwords should be changed (if at all), or that passwords protecting ePHI and data of a confidential nature should be longer and more complex than passwords protecting (say) subscriptions to online medical journals.

How Password Managers Mitigate the Threat from Phishing

Password managers, by their nature, monitor user browsing activity so that if the user visits a website for which the password manager maintains a saved password, the password manager can autofill the log-in credentials. When a user visits a website by clicking a hyperlink in an email, and the website requires the user to enter their log-in credentials, the password manager´s browser extension indicates whether or not a password for the website is stored in its vault.

If the URL of a phishing website is not the same as the ULR stored in its vault, the password manager´s browser extension will show that no password exists. This alerts the user to the fact they have navigated onto a fake website so they can leave the website immediately and report the phishing email to security. However, for this process to be effective when employees are working remotely, it is necessary to implement a password manager that synchronizes saved passwords across all devices, operating systems, and browsers.

One further capability of password managers that help organizations in the healthcare industry comply with HIPAA is event logs. It is a requirement of HIPAA that all access to ePHI is monitored and logged, but password manager event logs can also alert Covered Entities when passwords are changed without authorization, when multi factor authentication has been disabled, and when login attempts have failed – often an indicator of a brute force attack.

HIPAA Password Policy Q&As

How does a password manager such as Bitwarden support the requirement that Covered Entities verify a person accessing ePHI is who they claim to be?

When a Covered Entity implements a password manager such as Bitwarden, each user is assigned a user ID (usually a name or email address) and master password to access their password vault. If a password is used from a user´s vault to access ePHI, event logs record the event to help Covered Entities comply with the requirement.

How does Bitwarden alert users to weak, reused, and recycled passwords?

Within all Bitwarden clients, the opportunity exists to conduct a password health check. The health check compares passwords stored in user vaults to password best practices and lists of passwords known to have been exposed in previous data breaches. Covered Entities can also use the health checks to monitor compliance with a HIPAA password policy.

Can Covered Entities enforce HIPAA password policies with Bitwarden?

Bitwarden gives Covered Entities the opportunity to apply policies that stipulate the minimum requirements for passwords. For example, a password may have to be a minimum of eight characters in length, contain at least two numbers and two special characters and pass a database check against passwords known to have been compromised in previous data breaches.

In circumstances in which password sharing is allowed, how does Bitwarden control who has access to which passwords?

If, for example, multiple members of an IT team require access to login credentials for a cloud account, an administrator creates a group of team members and shares the login credentials with the group. Whenever an authorized IT team member visits the cloud account, the login credentials are completed automatically without any user interaction.