Our LastPass review looks at this vault-based password manager from the perspective of an organization subject to the HIPAA Security Rule. We especially look to see whether the LastPass password manager is a suitable tool to support compliance with the password management requirements of the Administrative and Technical Safeguards.
There are two areas of the Security Rule that are particularly relevant to password managers. The first (45 CFR 164.308(a)(5)(d)) requires Covered Entities and Business Associates to implement procedures for creating, changing, and safeguarding passwords, while the second (45 CFR 164.312(a), (b), and (d)) relates to access controls, audit controls, and verification controls.
Because HIPAA is technology-neutral, these provisions do not require the implementation of a password manager. Nonetheless, there are many password managers capable of satisfying these requirements that can also help organizations develop a culture of online security, which can benefit every element of a Covered Entity’s or Business Associate’s operations.
A Brief Introduction to Vault-Based Password Managers
LastPass is a vault-based password manager. This means that – other than under the free plan – LastPass customers can store and sync an unlimited number of passwords and other credentials across an unlimited number of devices regardless of the operating system, browser, or device type. LastPass can also help users better protect accounts against brute force attacks by generating complex passwords and supporting account protection with two-factor authentication (2FA).
When users visit a website or access an app for which login credentials have been saved, LastPass automatically completes the login box so that users do not have to remember unique, complex passwords for each account. LastPass can also generate 2FA codes, autofill addresses and payment details, and store and complete other credentials when required.
For businesses, the use of a password manager mitigates the risk of unauthorized access to accounts and databases if the password manager is used effectively. A password manager can also mitigate threats from phishing, malware, and ransomware, and reduce the number of calls made to the IT Help Desk when passwords are lost, forgotten, or otherwise unavailable. Quite simply, a password manager enhances security and productivity while reducing the cost of non-compliance.
Is LastPass a Good Vault-Based Password Manager?
LastPass was a very good vault-based password manager, and although it still frequently appears at the top of experts’ reviews, the experts’ opinions are not often shared among customers. In part, the seeming popularity of LastPass is attributable to its early-to-market advantage, but it is also easy to set up and configure and has a user-friendly interface that encourages adoption. It also used to have a very good free plan which compared well to the free plans offered by other vendors.
However, in 2021, LastPass alienated a lot of its customers by limiting the free plan to one device type only. More concerningly for business customers, LastPass also introduced charges for add-on features that were previously included as standard in its business plan. The introduction of these charges reduced the price-competitiveness of the LastPass password manager and raised concerns that more charges could be introduced in the future.
To add to these woes, LastPass’ customer service appears to have disappeared from the face of the Earth – affecting both business customers and personal users who were forced to upgrade their free plan to a premium plan to continue using the password manager across multiple device types. One review site has failed to get a single positive review for LastPass in the last twelve months, and multiple Reddit threads are filled with complaints about LastPass’ recent poor performance.
So, is LastPass Suitable for HIPAA Compliance?
No technology is “suitable” for HIPAA compliance. It is how the technology is used that determines compliance. Nonetheless, the features that made LastPass popular a few years ago still exist. Therefore, Covered Entities and Business Associates can easily create, change, and safeguard unique, complex passwords for each account, assign them securely to authorized users, verify user identity, control access, and access event logs to comply with Security Rule requirements for audit controls.
Additionally, beyond the user-friendly interface that encourages adoption, each Teams Plan comes with a private vault for each user to save their own login credentials and confidential information across unlimited devices, while the Business Plan includes a free Family Plan for each user to encourage good password practices and help further develop a culture of online security. All plans now support passwordless logins to mitigate the threats from phishing and brute force attacks.
Where issues exist, they relate to cost, support, and performance. There are no reported issues with security. Therefore, while our LastPass review demonstrates that it may not be the value for money it once was, and that you may have to sort out any performance issues yourself, LastPass can be a suitable option to support HIPAA compliance – subject to obtaining a Business Associate Agreement if the password manager is used to store, share, or transmit ePHI (as required by HHS guidance).
LastPass Teams and Business Plans
LastPass offers two types of subscription plan – Teams and Business. The Teams Plan is suitable for small to medium-sized businesses with 50 employees or fewer and costs $48.00 per user per year. This includes Dark Web Monitoring for compromised passwords, a management dashboard through which you can access event logs, and a basic two-factor authentication service.
The Business Plan is for an unlimited number of employees and includes features such as a customizable password policy engine and pre-integrated SSO apps for $72.00 per user per year. However, for advanced SSO apps and advanced two-factor authentication, you will need to pay an additional $7.50 per user per year – even if just a handful of employees will use these features. This could result in a considerable waste of money.
Therefore, it is worth comparing the costs of LastPass’ plans with other vendors’ plans that have similar capabilities. For example, Bitwarden charges $36.00 per user per year for its Teams Plan (for an unlimited number of employees) and $60.00 per user per year for its Business Plan, with no add-on costs. The major differences between the two password managers are that Bitwarden’s Dark Web Monitoring is manual rather than automatic, and that you can self-host Bitwarden’s software if desired.
LastPass Review Conclusion
As much as we like the LastPass user interface and can see how it encourages adoption, the conclusion of our LastPass review is that there are enough concerns to make us look elsewhere. For example, we may not have seen the last of the price increases or the buggy software releases, and we may never again see LastPass’ customer service. These are concerns that should raise red flags for any organization considering the first-time implementation of a password manager.
By comparison, vendors that have a transparent pricing policy, build their password managers on open source software, and provide clear online documentation to resolve any performance issue inspire more confidence – especially if they will sign a Business Associate Agreement to comply with HIPAA requirements. For these reasons – and the better value for money – we recommend that Covered Entities and Business Associates evaluate the Bitwarden password manager.