How Often Should Passwords be Changed in the EHR System?
In 2010, the Office of the National Coordinator for Health Information Technology (ONC) – a branch of Department for Health and Human Services (HHS) – published “10 Best Practices for the Small Healthcare Environment” (PDF). The publication – the ONC claimed – was “not intended to provide guidance on how to comply with HIPAA”, but rather “a first step to the effective setup of new EHR systems in a way that minimizes the risk to health information maintained in EHRs”.
However, the timing of the publication was not an accident. A year earlier, Congress had passed the HITECH Act and Meaningful Use program which incentivized Covered Entities to adopt technology for creating, maintaining, and providing access to Protected Health Information. The HITECH Act also required Business Associates to comply with HIPAA for the first time and, as many Business Associates operate in “small healthcare environments”, the publication was relevant.
The publication also came at a time when larger Covered Entities, who had not previously adopted technologies such as EHR systems, were now doing so to benefit from the Meaningful Use program. However, as healthcare providers and third-party suppliers switched to new systems, it often meant new processes and procedures had to be introduced so the new systems – and their use – were compliant with the Administrative, Technical, and Physical Safeguards of the HIPAA Security Rule.
The HIPAA Security Rule, Passwords, and EHT Systems
The HIPAA Security Rule had been introduced in 2003 with the objective of ensuring Covered Entities (and, from 2009, Business Associates) implemented “safeguards to protect the confidentiality, integrity, and availability of electronic Protected Health Information”. How Covered Entities were intended to achieve the objective was open to interpretation due to the intentionally vague language of the Security Rule and because the Rule was technology neutral.
With regards to HIPAA password rules, the word “Password” is only mentioned in the Administrative Guidelines – where Covered Entities are required to adopt procedures for “creating, changing, and safeguarding passwords” (45 CFR § 164.308). However, under the Technical Safeguards, Covered Entities are required to “implement procedures to verify that a person or entity seeking access to ePHI is the one claimed” (45 CFR § 164.312). Thus, passwords are required for EHR systems.
There was no indication in the HIPAA Security Rule how often passwords should be changed in the EHR system – if at all – so most Covered Entities followed the recommendations of the National Institute of Standards and Technology (NIST) “Special Publication 800-63” (PDF – Please note this version has now been withdrawn), which included a section on password best practices, within which it was recommended passwords are changed at least every ninety days.
ONC Best Practices Borrow Heavily from NIST Guidelines
If you compare the ONC´s 2010 “10 Best Practices” and NIST´s 2006 “Special Publication 800-63”, the sections relating to passwords are practically identical; and, because it came at a time when many Covered Entities and Business Associates were trying to get their heads around the complexities of the HIPAA Security Rule, the password best practices were adopted as guidelines for HIPAA compliance, despite the publication´s assertion this was not the intention.
However, when – in 2017 – NIST revised its recommendations about changing passwords from “at least every ninety days” to “only when necessary” (see “Special Publication 800-63b”) the ONC failed to revise its “10 Best Practices”. Therefore, the situation now exists where some Covered Entities are still being guided by the ONC´s best practices (or out-of-date training modules), while others have changed their policies and procedures to align with the NIST´s recommendations.
Consequently, there is no right or wrong answer to the question how often should passwords be changed in the EHR system. Provided that, when changed, passwords don´t have a common transformation (for example replacing “passwordfor2020” with “passwordfor2021”), Covered Entities should be guided by risk assessments and operating procedures to determine whether EHR passwords should be changed and when – notwithstanding the current NIST recommendations.
The Current NIST Password Recommendations
The current NIST password recommendations represent a significant change to the original guidance and therefore have been summarized in a separate blog. However, In the context of how often should passwords be changed in the EHR system, there are three scenarios in which non-scheduled changes should be made:
- When weak or reused passwords are identified
- When passwords are found to be compromised by a third party.
- When employees have shared passwords to EHRs or other systems protecting ePHI.
While it may be possible to manually search for and identify weak, reused, compromised, and shared password in a small healthcare environment, it is impossible for larger Covered Entities and Business Associates to comply with this area of HIPAA password management without implementing a fully-featured password manager that includes health check capabilities.
Equally important during periods of remote working or when Covered Entities adopt BYOD policies, is that password managers are effective across all platforms, devices, and operating systems, and that they support access logs and audit reports. These capabilities will help Covered Entities comply with the requirement to “verify that a person or entity seeking access to ePHI is the one claimed” and identify weaknesses in password policies throughout the organization – not just with regards to EHR systems.