The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

The HIPAA Password Requirements and the Best Way to Comply With Them

The HIPAA password requirements are a combination of Administrative and Technical Safeguards designed to manage and monitor access to PHI. Covered entities and business associates can comply with the requirements by implementing 2FA and password managers with logging capabilities.

Understanding the HIPAA password requirements is not straightforward. HIPAA is intentionally technology-neutral, so although Security Standard §164.312(d) stipulates that covered entities and business associates must “implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed”, there is no indication of what procedures should be implemented, or even that user verification should be password-based.

Guidance published by the Department of Health and Human Services suggests there are three ways in which users can verify their identity:

  • With something only known to the user, such as a password or PIN,
  • With something the user possesses, such as a smart card or key, or
  • With something unique to the user, such as a fingerprint or facial image.

In addition to the above, a required implementation specification of the Access Controls Security Standard (§164.312(a)) stipulates that covered entities and business associates assign a unique name and/or number for identifying and tracking user identity. Again, this does not necessarily mean verification should be password-based, as a username with biometric authentication could satisfy this requirement.

So, are there HIPAA Password Requirements?

In the whole text of HIPAA, passwords are only mentioned once – in the Administrative Safeguards of the Security Rule under the Standard relating to Security Awareness and Training (§164.308(5)). This Standard includes implementation specifications relating to procedures for monitoring login attempts, and procedures for creating, changing, and safeguarding passwords.

However, these are “addressable” implementation specifications, inasmuch as covered entities and business associates do not have to comply with the specification if alternate security measures are implemented that accomplish the same purpose – for example, a username with biometric authentication. In this scenario, procedures for creating, changing, and safeguarding passwords would be unnecessary.

The HIPAA password requirements only apply when covered entities and business associates are unable to verify user identities – and track user activities – by any means other than a username and password combination. In cases in which the HIPAA password requirements apply, covered entities and business associates should develop a HIPAA compliance password policy.

Experts Disagree on the Best HIPAA Compliance Password Policy

Although security experts agree on the need for login credentials to use a strong password, there is some disagreement about the best format for passwords (i.e., a mix of alpha-numeric and special characters or a more memorable three word passphrase) and the best HIPAA compliance password policy – including the frequency at which passwords should be changed (if at all) and the best way of safeguarding them.

Whereas some experts claim the best HIPAA compliant password policy involves changing passwords every sixty or ninety days, other experts say the effort is a waste of time, because a competent hacker should be able to crack most user-generated passwords within ten minutes using a combination of technical, sociological, or subversive methods (i.e., social engineering).

There is more agreement between experts when it comes to safeguarding passwords. In respect of a best practice for a HIPAA compliance password policy, a large majority recommend the use of password management tools. Password managers generate long, complex, and difficult-to-crack passwords and overcome the issue of users having to remember their passwords by auto-filling login credentials when the user visits a website for which login credentials are stored.

Two Factor Authentication is Important for Improving Account Security

Two-factor authentication – or multi-factor authentication – is a method used to make accounts more secure. As the name suggests, it involves using more than one factor for user verification. So, in addition to entering a username and password, the user has to go through a further authentication stage in which they enter a one-time code or PIN sent to their mobile device.

What this means for account security is that, in the event of login credentials being compromised in a phishing attack, for example, the username and password alone would not be sufficient to allow unauthorized access to an account. Two-factor authentication is one of the best methods of protecting ePHI against phishing attacks.

Two-factor authentication is already used by many medical facilities, mostly in relation to credit card payments to comply with the Payment Card Industry Data Security Standard (PCI DSS) and by entities required to comply with the DEA's Electronic Prescription for Controlled Substances Rules. It would not cause a major change in working practices if HIPAA two-factor authentication formed part of a HIPAA compliance password policy.

One of the problems with two-factor authentication is it can slow workflows, but advances in 2FA solutions have allowed LDAP integration and Single Sign-On between different healthcare systems which can eliminate the negative impact on workflows while greatly improving security. With this additional protection for passwords, there is less need for regular password changes.

Covered entities should bear in mind that when decisions are made to comply with the HIPAA password requirements, those decisions must be documented along with the reasons why the decisions were made. In the event of a HIPAA audit, or a compliance or data breach investigation, covered entities must be able to show the rationale behind security decisions to meet the requirements of the HIPAA Security Rule.

Meeting HIPAA Password Requirements and Improving Security

It was mentioned above that most user-generated passwords can be cracked within minutes. That may seem an outrageous claim to some IT professionals, but a tool on the Bitwarden website will give you an idea of how long it could take a determined hacker to crack any password by brute force alone. Social engineering and phishing will likely accelerate the speed at which the hacker succeeds.

Randomized passwords containing alpha-numerical and special characters take longer to crack, but they are still crackable. They are also much harder for users to remember. In order to meet an organization’s password requirements for complexity, employees often write their passwords down or store them electronically on a different device, such as an unsecured smartphone.

Accessing password-protected accounts from secondary devices further increases the risk of a data breach. Secondary devices often lack appropriate security protections and can contain malware that logs keystrokes and captures passwords as they are entered. Covered entities must either introduce policies to limit the devices that can be used to access password-protected accounts or find an alternative to the HIPAA password requirements. Passwords are just one element of HIPAA security requirements – a more comprehensive HIPAA security guide is available here.

One of the ways to improve password security and stop employees from engaging in insecure practices such as writing passwords down is to use a password management tool. Password managers such as Bitwarden allow employees to generate highly complex passwords that are extremely difficult for hackers to crack and to create a unique password for all accounts.

Generated passwords are stored in an encrypted password vault, which can be accessed from multiple devices via a web or mobile app when a master password is entered. Provided a very strong master password is created for the vault – a passphrase of 16 characters is ideal – these solutions are secure and ideal for improving password security in healthcare.

HIPAA Password Requirements FAQs

What are the HIPAA password change requirements?

The HIPAA password change requirements are that covered entities and business associates must implement procedures for creating, changing, and safeguarding passwords (§164.308). However, this standard was published prior to the National Institute of Standards and Technology (NIST) changing its recommendations for password best practices and has not yet been updated.

NIST noted that, when organizations enforced HIPAA password expiration requirements, users would make minimal changes to passwords so they were easy to remember (i.e., “pass2022” to “pass2023”). If the previous password had been compromised, NIST said there was a strong likelihood the new password would be as well. The current guidance is that passwords should only be changed when there is evidence of compromise.

Are there HIPAA account lockout requirements?

The HIPAA account lockout requirements appear under the technical safeguards of the HIPAA Security Rule (§164.312). The requirement is an addressable implementation specification that states covered entities and business associates should “implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.” The purpose of this specification is to prevent the unauthorized disclosure of ePHI when a workstation or device is left unattended.

The specification does not stipulate how long a period of inactivity should pass before an electronic session is terminated, but most security experts recommend no longer than two minutes of inactivity for systems containing ePHI and twenty minutes for other systems. The HIPAA account lockout requirements mean users will have to log in again when returning to their workstations, but this should be a quick and secure process if a password manager is being used to store login credentials.

Does HIPAA require 2FA?

HIPAA does not require 2FA (Two Factor Authentication). However, if a covered entity or business associate conducts a risk assessment and identifies vulnerabilities that could be addressed with 2FA, it then becomes a “reasonable and appropriate” security measure that should be implemented to comply with Security Standards relating to Workforce Security and Information Access Management (§164.308(A)(3) and §164.308(A)(4)).

Is it okay to use the same password for multiple different applications, provided the password is complex enough?

It is not okay to use the same password for multiple different applications, however complex the password is, because if one application gets hacked, they all get hacked. Although there are circumstances in which workforce members can share passwords for certain applications (i.e., a marketing team might share the password for a corporate social media account), re-using passwords is a poor security practice – especially when applications collect, store, process, or transmit ePHI.

Where is the best place to find HIPAA-compliant password guidelines?

The best place to find HIPAA-compliant password guidelines is NIST Special Publication 800-63B – “Digital Identity Guidelines”. Although not published specifically for HIPAA covered entities and business associates, the Guidelines cover everything from password best practices to identifying threats, and conclude with an appendix discussing the merits of password length vs. password complexity.

What is the purpose of the HIPAA password requirements?

The purpose of the HIPAA password requirements is to ensure that covered entities and business associates verify user identities and track user activities adequately to protect electronic protected health information (ePHI). The failure to implement and monitor compliance with the HIPAA password requirements can result in significant penalties if a user is found to have disclosed PHI impermissibly by using another user’s login credentials.

How does HIPAA suggest users can verify their identity?

HIPAA suggests users can verify their identity in one of three ways – something only known to the user (like a password or PIN), something the user possesses (like a smart card or key), or something unique to the user (like a fingerprint or facial image). Users can use any of these methods to access individual accounts or to verify their identity for a Single Sign On service, provided the SSO service has account logoff capabilities enabled.

Are there explicit HIPAA password requirements?

There are no explicit HIPAA password requirements. However, although the Administrative Safeguards of the Security Rule only mentions password use and management in general terms, it is indicated that, if a username-password combination is used, organizations should implement procedures for monitoring login attempts and for creating, changing, and safeguarding passwords.

In what circumstances do the HIPAA password requirements apply?

The HIPAA password requirements apply when covered entities and business associates cannot verify user identities or track user activities by any other means than a username and password combination. Although the requirements only apply to systems collecting, receiving, maintaining, or transmitting ePHI, it is a best practice to apply the requirements to all internal systems.

What is the general consensus among experts about HIPAA compliant password policies?

The general consensus among experts about HIPAA compliant password policies is that length is more important than complexity, provided the password contains a mixture of upper case letters, lower case letters, numbers, and special characters, and does not include dictionary words or sequential numbers or characters. To help remember long passwords, all experts recommend the use of a password manager.
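The consensus policy above, together with the “pass2022” to “pass2023” pattern NIST warned about in the password change FAQ, expressed as a password-policy checker. This is an added example, not code from HIPAA Journal, NIST or any password manager; the 16-character minimum (taken from the master-passphrase guidance earlier on this page), the word list and the compromised-password sample are assumptions constructed for illustration.

```python
import re
import string

# Constructed, illustrative word list; a real deployment would load a full dictionary.
DICTIONARY_WORDS = {"password", "pass", "welcome", "hospital", "summer"}
# Constructed sample of known-compromised passwords (a real check would query a breach corpus).
COMPROMISED = {"pass2022", "Welcome123!"}
MIN_LENGTH = 16  # assumption: the 16-character passphrase guidance from the article


def has_sequential_run(pw, run=4):
    """True if pw contains `run` consecutive characters stepping by +1 (e.g. 'abcd', '1234')."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        if all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(run - 1)):
            return True
    return False


def is_trivial_change(new, old):
    """Catches the 'pass2022' -> 'pass2023' pattern: same letters once digits and punctuation are stripped."""
    def letters_only(s):
        return re.sub(r"[\d\W_]+", "", s).lower()
    return old is not None and letters_only(new) != "" and letters_only(new) == letters_only(old)


def check_password(pw, previous=None):
    """Return the list of policy failures; an empty list means the password is acceptable."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    if not all(classes):
        failures.append("missing an upper/lower/digit/special character class")
    if any(word in pw.lower() for word in DICTIONARY_WORDS):
        failures.append("contains a dictionary word")
    if has_sequential_run(pw):
        failures.append("contains a sequential run of characters")
    if pw in COMPROMISED:
        failures.append("appears in a known-compromised list")
    if is_trivial_change(pw, previous):
        failures.append("differs from the previous password only in digits or punctuation")
    return failures


if __name__ == "__main__":
    print(check_password("pass2023", previous="pass2022"))  # several failures
    print(check_password("Violet-Ferry-Tango-42!"))          # []
```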

How can two-factor authentication improve account security?

Two-factor authentication can improve account security because it requires a second form of user verification beyond just a username and password. This makes unauthorized access more difficult even if login credentials are compromised. Most commonly, a one-time code or PIN is sent to a user’s mobile device, but other types of 2FA include USB-based key generators, RSA key fobs, smart cards, and biometric identification.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
