The HIPAA Password Requirements and the Best Way to Comply With Them


The HIPAA password requirements stipulate that procedures must be put in place for creating, changing and safeguarding passwords unless an alternative, equally effective security measure is implemented. We suggest the best way to comply with the HIPAA password requirements for safeguarding passwords is to implement two-factor authentication.

The HIPAA password requirements can be found in the Administrative Safeguards of the HIPAA Security Rule. Under the section relating to Security Awareness and Training, §164.308(a)(5) stipulates Covered Entities must implement “procedures for creating, changing and safeguarding passwords”.

Experts Disagree on Best HIPAA Compliance Password Policy

Although security experts agree on the need for strong passwords, there is some disagreement about the best format for passwords and the best HIPAA compliance password policy, including the frequency at which passwords should be changed (if at all) and the best way of safeguarding them.

Whereas some experts claim the best HIPAA compliant password policy involves changing passwords every sixty or ninety days, other experts say the effort is a waste of time. A competent hacker should be able to crack most user-generated passwords within ten minutes using a combination of technical, sociological, or subversive methods (i.e. social engineering).

There is more agreement between experts when it comes to safeguarding passwords. In respect of a best practice for a HIPAA compliance password policy, a large majority recommend the use of password management tools. Password managers allow long, complicated and difficult-to-crack passwords to be created, but get around the problem of employees having to remember those passwords. A unique password can be created for each account, and the password vault secured with a very strong master password or passphrase. Although these tools can themselves be attacked, the software stores passwords in encrypted form, so they are unusable to a hacker without the master password.

The HIPAA Password Requirements are Addressable Requirements

One important point to mention when discussing the HIPAA password requirements is that they are “addressable” requirements. This does not mean they can be put off to another date. It means Covered Entities can “implement one or more alternative security measures to accomplish the same purpose.”

In the context of the Administrative Safeguards, the purpose of the HIPAA password requirements is to “limit unnecessary or inappropriate access to and disclosure of Protected Health Information”. Therefore, if an alternative security measure can be implemented that accomplishes the same purpose as creating, changing and safeguarding passwords, the Covered Entity will be able to meet the HIPAA password requirements.

One suitable alternative to passwords is the use of biometric methods of identification, such as fingerprints or facial recognition software. However, until these technologies are more widely available, passwords are here to stay. In order to comply with the HIPAA password requirements, covered entities should follow the latest password advice from the National Institute of Standards and Technology (NIST).

Two-Factor Authentication is Important for Improving Password Security

Two-factor authentication – or multi-factor authentication – is a method used to make passwords more secure. As the name suggests, it involves using more than one method for authenticating a user. In addition to a username/password combination, a second factor is required to authenticate a user before access to a system is granted. The second factor could be a one-time code or PIN sent to a mobile device, or a hardware token – i.e. something a person knows (a password) combined with something a person has (a token or one-time passcode).

In the event of a password being compromised in a phishing attack, for example, that password alone would not be sufficient to grant access to an account. 2FA or MFA is therefore one of the best methods of protecting against phishing attacks.

Two-factor authentication is already used by many medical facilities, mostly in relation to credit card payments to comply with the Payment Card Industry Data Security Standard (PCI DSS), and by entities required to comply with the DEA's Electronic Prescription for Controlled Substances rules.

One of the problems with 2FA and MFA is that they can slow workflows. However, advances in 2FA and MFA solutions have allowed LDAP integration and Single Sign-On between different healthcare technologies and systems, which can eliminate the negative impact on workflows while greatly improving security. With this additional protection for passwords, there is less need for regular password changes.

Covered Entities should bear in mind that when decisions are made on how to comply with the HIPAA password requirements, those decisions should be documented along with the reasons why they were made. In the event of a HIPAA audit, or a compliance or data breach investigation, covered entities must be able to show the rationale behind security decisions to meet the requirements of the HIPAA Security Rule.

Meeting HIPAA Password Requirements and Improving Security

It was mentioned above that most user-generated passwords can be cracked within ten minutes. That may seem an outrageous claim to some IT professionals, but this tool on the random-ize password generating website will give you an idea of how long it could take a determined hacker to crack any password by brute force alone. Social engineering and phishing will likely shorten the time the hacker needs.

Randomized passwords containing numbers, symbols and a mixture of upper and lower case letters take longer to crack, but they are still crackable. They are also much harder for users to remember. In order to meet an organization’s password requirements for complexity, employees often write their passwords down or store them electronically on a different device, such as an unsecured smartphone. Accessing password-protected accounts from secondary devices increases the risk of a data breach. Secondary devices often lack appropriate security protections and can contain malware that logs keystrokes and captures passwords as they are entered. Covered Entities must either introduce policies to limit the devices that can be used to access password-protected accounts, or find an alternative to the HIPAA password requirements. Passwords are just one element of HIPAA security requirements – a more comprehensive HIPAA security guide is available here.
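The brute-force estimate the two paragraphs above refer to, worked through as an added example that is not the article's or the linked tool's code: the search space is the character-set size raised to the password length, and the expected crack time is half that space divided by the attacker's guess rate. The guess rates are constructed assumptions (a fast offline attack on a stolen hash versus a rate-limited online login), as are the sample passwords. The result is an upper bound: the article's point about social engineering and dictionary attacks is exactly that real user-chosen passwords fall far sooner than this arithmetic suggests.

```python
import math
import string

# Constructed guess rates for illustration only.
OFFLINE_GUESSES_PER_SEC = 10 ** 10   # cracking a stolen fast hash on GPU hardware
ONLINE_GUESSES_PER_SEC = 10          # a login form with lockout/throttling

SYMBOLS = string.punctuation  # 32 printable ASCII symbols


def charset_size(password: str) -> int:
    """Size of the smallest standard character set that contains every character used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in SYMBOLS for c in password):
        size += len(SYMBOLS)
    return size


def brute_force_space(password: str) -> int:
    """Number of candidates an exhaustive search over the detected character set must cover."""
    return charset_size(password) ** len(password)


def passphrase_space(words: int, wordlist_size: int = 7776) -> int:
    """Search space of a randomly chosen passphrase; 7776 is the size of a standard diceware list."""
    return wordlist_size ** words


def entropy_bits(space: int) -> float:
    return math.log2(space)


def expected_seconds(space: int, guesses_per_second: float) -> float:
    """On average the attacker finds the password halfway through the space."""
    return space / 2 / guesses_per_second


def human_duration(seconds: float) -> str:
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def report(password: str) -> dict:
    """Summarize a password's brute-force resistance under both constructed attacker models."""
    space = brute_force_space(password)
    return {
        "length": len(password),
        "charset": charset_size(password),
        "bits": round(entropy_bits(space), 1),
        "offline": human_duration(expected_seconds(space, OFFLINE_GUESSES_PER_SEC)),
        "online": human_duration(expected_seconds(space, ONLINE_GUESSES_PER_SEC)),
    }


if __name__ == "__main__":
    # Constructed samples: a lowercase word, a "complex" 10-character password,
    # and a random 16-character password of the kind a password manager produces.
    for sample in ["password", "Winter2024", "g7#Kp2!vQz9$Lm4&"]:
        print(sample, report(sample))
    # A five-word diceware passphrase, for comparison with the random password above.
    print("5-word passphrase bits:", round(entropy_bits(passphrase_space(5)), 1))
```

Note the gap between the two attacker models: lockout and throttling make online guessing impractical even for weak passwords, so the brute-force figures that matter are the offline ones, which apply once a password database has been stolen. That is also why the hashing scheme used to store passwords matters as much as their length.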

One of the ways to improve password security and stop employees from engaging in insecure practices such as writing passwords down is to use a password management tool. Password managers such as Bitwarden allow employees to generate highly complex passwords that are extremely difficult for hackers to crack and to create a unique password for every account. Those passwords are stored in an encrypted password vault, which can be accessed from multiple devices if the master password is provided. Provided a very strong master password is created for the vault – a passphrase of 16 characters is ideal – these solutions are secure and ideal for improving password security in healthcare.


Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.
