The HIPAA password requirements stipulate procedures must be put in place for creating, changing and safeguarding passwords unless an alternative, equally-effective security measure is implemented. We suggest the best way to comply with the HIPAA password requirements is with two factor authentication.
The HIPAA password requirements can be found in the Administrative Safeguards of the HIPAA Security Rule. Under the section relating to Security Awareness and Training, §164.308(a)(5) stipulates Covered Entities must implement “procedures for creating, changing and safeguarding passwords”.
Experts Disagree on Best HIPAA Compliance Password Policy
Although security experts agree on the need for strong passwords, they disagree on what “strong” means in practice: the traditional advice (the longest possible, with numbers, special characters and a mixture of upper and lower case letters) has been superseded in NIST SP 800-63B, which favours length and screening against lists of known-breached passwords over composition rules. Experts also disagree on the best HIPAA compliance password policy, on the frequency at which passwords should be changed (if at all), and on the best way of safeguarding them.
Whereas some experts claim the best HIPAA compliance password policy involves changing passwords every sixty or ninety days, others say forced rotation is counterproductive: users respond with predictable variations of the old password, and the attacks that actually yield passwords (phishing, credential stuffing with passwords reused from other breaches, and offline cracking of weakly hashed password databases) are not stopped by a ninety-day cycle. NIST SP 800-63B takes the latter view and recommends changing a password only when there is evidence it has been compromised.
There is more agreement between experts when it comes to safeguarding passwords. In respect of a best practice for a HIPAA compliance password policy, a large majority recommend the use of password management tools. Although these tools can also be attacked, they store passwords in an encrypted vault, so a stolen vault file is useless without the master passphrase. The caveat is that the vault is only as strong as that passphrase and the device on which it is unlocked.
The HIPAA Password Requirements are Addressable Requirements
One important point to mention when discussing the HIPAA password requirements is that they are “addressable” requirements. This does not mean they can be put off to another date. It means a Covered Entity must implement the specification if it is reasonable and appropriate, or otherwise document why it is not and “implement one or more alternative security measures to accomplish the same purpose.”
In the context of the Administrative Safeguards, the purpose of the HIPAA password requirements is to “limit unnecessary or inappropriate access to and disclosure of Protected Health Information”. Therefore, if an alternative security measure can be implemented that accomplishes the same purpose as creating, changing and safeguarding passwords, the Covered Entity is in compliance with HIPAA.
Two-factor authentication addresses this purpose well, although it supplements rather than replaces procedures for creating and safeguarding passwords. Whether the second factor is delivered by SMS, by push notification or by an authenticator app, a person logging into a system containing PHI with a username and password must also supply a one-time code (or approve a prompt) that proves possession of a separate device. Because each code is valid for a single login attempt within a short time window, a compromised password alone does not give an attacker access. Note that NIST SP 800-63B treats SMS delivery as a “restricted” authenticator because of SIM-swap and interception risks; authenticator apps or phishing-resistant hardware keys (FIDO2/WebAuthn) are stronger choices.
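To make the mechanism concrete, the following is an added example (not code from the original article or from any product it mentions) of a two-factor login check in Python. It uses a time-based one-time password (TOTP, RFC 6238) generated by an authenticator app as the second factor, standing in for the SMS or push delivery described above. The stored password hash, salt, TOTP secret and timestamps are constructed for the example; a real deployment would provision the secret through a proper enrolment flow. The check shows the two properties the text relies on: the password alone is not enough, and a code that has already been used is rejected.

```python
import hashlib
import hmac
import struct

# Constructed demo user record. The password is stored only as a salted
# PBKDF2 hash; the TOTP secret is what the authenticator app was enrolled with.
USER_SALT = b"demo-salt-0123456789"
USER_PASSWORD_HASH = hashlib.pbkdf2_hmac(
    "sha256", b"correct horse battery staple", USER_SALT, 200_000
)
USER_TOTP_SECRET = b"constructed-20-byte-secret!!"  # hypothetical enrolment value

TOTP_STEP = 30   # seconds per code, as in RFC 6238
TOTP_DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time step."""
    return hotp(secret, at // step, digits)


class LoginService:
    """Requires both factors and accepts each one-time code only once."""

    def __init__(self) -> None:
        self.used_counters: set[int] = set()

    def login(self, password: str, code: str, now: int) -> bool:
        # Factor 1: something the user knows, compared in constant time.
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), USER_SALT, 200_000)
        if not hmac.compare_digest(candidate, USER_PASSWORD_HASH):
            return False

        # Factor 2: something the user has. Reject malformed codes outright.
        if len(code) != TOTP_DIGITS or not code.isdigit():
            return False

        # Tolerate one step of clock skew either side, but never a replayed step.
        counter = now // TOTP_STEP
        for c in (counter - 1, counter, counter + 1):
            if c in self.used_counters:
                continue
            if hmac.compare_digest(hotp(USER_TOTP_SECRET, c), code):
                self.used_counters.add(c)
                return True
        return False


if __name__ == "__main__":
    svc = LoginService()
    now = 1_700_000_000  # constructed timestamp
    code = totp(USER_TOTP_SECRET, now)
    print("password + fresh code:", svc.login("correct horse battery staple", code, now))
    print("password + replayed code:", svc.login("correct horse battery staple", code, now))
    print("wrong password + fresh code:", svc.login("guess", totp(USER_TOTP_SECRET, now + 60), now + 60))
```

The `hotp` function reproduces the RFC 4226 test vectors (secret `12345678901234567890`, counter 0 gives `755224`), so the second factor is the same one real authenticator apps compute. In production the replay set would live in shared storage with an expiry, and the password hash would use a memory-hard function such as Argon2id rather than PBKDF2.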
Two Factor Authentication is Already Used by Many Medical Facilities
Interestingly, two factor authentication is already used by many medical facilities, but not to safeguard the confidentiality, integrity and availability of PHI. Instead it is used by medical facilities accepting credit card payments to comply with the Payment Card Industry Data Security Standard (PCI DSS), and by others to comply with the DEA's Electronic Prescriptions for Controlled Substances (EPCS) rules, which require two-factor authentication for prescribers.
Healthcare IT professionals will be quick to stress that two factor authentication can slow workflows, but current products integrate with LDAP and Active Directory and with Single Sign-On across healthcare technologies, so a clinician proves the second factor once per session rather than at every application. No product is “HIPAA compliant” on its own (compliance is a property of the Covered Entity), but because two factor authentication software handles only authentication codes and not PHI, it adds little to the compliance surface, and it is a far easier route to satisfying the HIPAA password requirements than frequent mandatory changes of passwords. Scheduled rotation becomes unnecessary; passwords should still be changed when there is evidence of compromise.
The only thing Covered Entities have to remember before implementing two factor authentication to protect PHI is that, because the HIPAA password requirements are addressable safeguards, the risk analysis and the reasons for choosing the alternative measure have to be documented. That documentation is what auditors will ask for if the Covered Entity is selected for investigation as part of HHS' HIPAA Audit Program.