5 Password Best Practices for HIPAA Covered Entities

Although the HIPAA Security Rule is technology neutral and avoids stipulating specific measures for complying with the Administrative, Technical, and Physical Safeguards, there are several clues in the content of the Security Rule about what is expected of Covered Entities with regards to HIPAA password best practices.

For example, the Technical Safeguards (45 CFR § 164.312) state Covered Entities are required to implement procedures for systems that maintain ePHI “to grant access to only those people who have been granted access rights” and to “verify that a person or entity seeking access to ePHI is the one claimed” by “assign[ing] a unique name and/or number for identifying and tracking user activity”.

So, it is clear unique passwords are necessary and that sharing passwords to systems that maintain ePHI is a breach of HIPAA. However, if Covered Entities are to “grant access to only those people who have been granted access rights” and “verify a person seeking access to ePHI is the one claimed”, using weak, transformed, and previously exposed passwords won´t prevent third parties accessing ePHI without authorization.

According to Verizon´s 2020 Data Breach Investigations Report, more than 80% of data breaches attributable to hacking can be traced back to successful brute force attacks against weak, transformed, and previously exposed passwords and the theft of log-in credentials via phishing emails. Therefore, to prevent third parties accessing ePHI without authorization, we suggest the following 5 password best practices for HIPAA Covered Entities.

Apply Minimum Requirements

Most IT professionals are familiar with the best practice of applying minimum requirements to passwords such as:

  • The minimum password length,
  • The minimum number of upper-case characters,
  • The minimum number of numeric characters, and
  • The minimum number of special characters.

However, current security thinking is that length trumps complexity and that passphrases are stronger than passwords. This is because it is harder to crack long passphrases than shorter passwords, and you can check this theory by visiting Bitwarden.com and taking advantage of the free Password Strength Testing Tool.

The best practice of using passphrases still has to be applied with care. It won´t take long for a hacker to crack a passphrase such as “PassphraseForEHR”, and although the phrase can be harder to crack by including special characters and spaces (i.e., “Pa$$phra$e For EHR”), it is better to use three or four unassociated words of four letters or longer – such as “mouse bottle black window”.

Avoid Periodic Password Changes

Shortly after the Security Rule was enacted in 2003, the National Institute of Standards and Technology (NIST) issued “Special Publication 800-63”, which recommended passwords were changed at least every ninety days. This recommendation was withdrawn in 2017, but by then it had become hard-baked into IT security culture.

The reason for the recommendation being withdrawn was that users were transforming passwords, rather than changing them, so they were easier to remember. NIST found users might transform an old password by just one number to make it different from before, but still easy to remember – for example transforming “passwordfor2020” to “passwordfor2021”.

The problem with this is that if the old password has been cracked by a brute force attack, it won´t take long for the new password to also be cracked. NIST now recommends passwords should only be changed when a weak, transformed, or exposed password is identified, when there is evidence of a password being compromised, or when an employee leaves.

Check against Password Blacklists

Password blacklists are lists of the most commonly hacked passwords and passwords that are known to have been exposed in data breaches. These passwords are the first that will be attempted in brute force attacks and cracked within seconds due to their simplicity and predictability, so their use should be avoided when creating new passwords or changing old passwords.

You can find extensive historic password blacklists against which to check new or existing passwords on the Internet. For example, a list of the 100,000 most commonly hacked passwords from 2016 is available on GitHub. However, for regularly updated blacklists that include the most recent data breaches it is advisable to adopt a password manager with password “health check” capabilities,

Implement Two-Factor Authentication

Our password best practices for HIPAA Covered Entities reduce the likelihood of brute force attacks against weak passwords being successful, but a threat still exists from phishing. While a password manager can help mitigate the threat of phishing by storing URLs and login credentials in pairs (so login credentials are not auto-filled when a user visits a phishing website), a better way to protect sensitive data is with two-factor authentication.

Two-factor authentication requires users to enter a one-time passcode in addition to their username and password when logging into a protected account. The one-time passcode is usually delivered by an SMS text or authenticator app so, again, care should be taken in how this best practice is applied. If the one-time passcode is delivered to the same device as is used to access protected accounts (i.e., a smartphone), the loss of the device would give a hacker free access to the protected account.

Use a Cross-Platform Password Manager

Most sources of password best practices conclude with recommending a password manager, but it is important not to implement any password manager. With many employees working remotely or accessing ePHI from a range of devices, password managers need to be effective across all platforms, operating systems, web browsers, and devices. Otherwise, users may not be able to access saved passwords remotely.

Other features to look for in a password manager include end-to-end encryption, access logs and audit reports, directory synchronization, and flexible integrations with other HIPAA-compliant security tools such as Single Sign-On (SSO). Depending on the outcome of a risk analysis, Covered Entities may also want to implement a password manager that can be hosted on on-premises servers, rather than in the cloud.

Password Best Practices FAQs

Who is responsible for implementing password best practices for HIPAA Covered Entities?

The HIPAA Security Officer should take charge of implementing password best practices and ensuring compliance with password policies. He or she will likely need to liaise with IT teams and HR teams to ensure appropriate training is provided to end users on why password policies are being enforced and the importance of complying with them.

Can a password manager identify existing weak, transformed, or exposed passwords?

A password manager such as Bitwarden provides a range of different health checks. Not only can the platform be used to check passwords against up-to-date password blacklists, but it can also run health checks for weak, transformed, re-used, and exposed passwords as well as looking for accounts for which two-factor authentication is available but not being used.

How does pairing URLs and login credentials mitigate the threat from phishing?

Pairing URLs and login credentials doesn´t automatically mitigate the threat from phishing; however, when a user is tricked into visiting a phishing website, the URL of the phishing website will not match that stored in the password manager and the credentials will not be auto-filled. This should alert the user that the website is not the one it is claiming to be.

Is it possible to try a password manager such as Bitwarden before committing to it?

Some password managers (for example Bitwarden) offer free enterprise trials. This gives Covered Entities the opportunity to evaluate a fully-featured platform in their own environment to compare factors such as ease-of-use, ease of deployment, and ease of administration.