Share this article on:
According to the Administrative Guidelines of the HIPAA Security Rule, Covered Entities and Business Associates must create procedures for “creating, changing, and safeguarding passwords” (45 CFR § 164.308). The inclusion of the word “changing” implies passwords only have a certain shelf life. But is that really the case? And, if so, what are the HIPAA password expiration requirements?
The concept of HIPAA password expiration requirements goes back to the early 2000s when, within a short time of each other, the Department of Health and Human Services (HHS) issued the HIPAA Final Security Rule (2003) and the National Institute of Standards and Technology (NIST) issued “Special Publication 800-63” (2004), which included a section on password best practices.
At the time “Special Publication 800-63 Appendix A” was issued, Covered Entities were preparing to meet the compliance requirements of the Security Rule by the 2006 deadline. However, the language of the Security Rule is deliberately vague to cover as many different types of Covered Entity as possible, open to interpretation, and technology neutral.
Consequently, when it came to interpreting the Administrative Guidelines of the Security Rule relating to HIPAA Password expiration requirements, many Covered Entities referred to NIST´s password best practices, which – in 2004 – recommended passwords were changed regularly at least every 90 days. The best practice was widely adopted; and, in many cases, baked into the mindsets of IT security professionals.
ONC Guide Cements Perception of HIPAA Password Expiration Requirements
In 2010, the Office of the National Coordinator for Health Information Technology (ONC) – a branch of HHS – released a guide to cybersecurity for small healthcare environments (PDF) which included a checklist for protecting EHRs against unauthorized access. Among many useful best practices for protecting EHRs, the guide suggests “systems should be configured so that passwords must be changed on a regular basis”.
While the guide itself does not stipulate what “a regular basis” is, under the password checklist in the appendix, it is stated “[passwords] should be changed frequently, at least quarterly” which aligns with the NIST recommendations at the time. The guide has never been revised to reflect subsequent changed password security best practices and it is still used as a source for some HIPAA training courses – cementing the perception of HIPAA password expiration requirements.
NIST Changes its Recommendations
In 2017, NIST issued “Special Publication 800-63b” which radically revised the original password best practices recommended in Appendix A. In the context of HIPAA password expiration requirements, NIST completely reversed its 90 day recommendation for changing passwords and stated password policies should not require employees to change memorized secrets (passwords) on a regular basis.
Explaining the rationale behind the decision, NIST said: “Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password” (i.e., passwordfor2020 to passwordfor2021).
NIST claimed that the practice of changing a password to a similar password provided employees (and, in many cases, the Covered Entities they worked for) with a false sense of security. If, NIST explained, a previous password had been compromised by a hacker, the hacker could apply a common transformation such as changing a number in the password to easily compromise the new password.
When Passwords Should be Changed
It is not wrong to change passwords every ninety days or less – provided new passwords are strong, unique, and distinctive from previous passwords. Furthermore, although there were never any HIPAA password expiration requirements Covered Entities and Business Associates had to comply with, it is possible that a risk analysis found good reasons to change passwords on a frequent basis.
However, although there is no regulatory requirement to change passwords periodically, there are some occasions when passwords should be changed as a best practice:
- When weak or reused passwords are identified and need to be replaced with strong, unique passwords.
- When there is evidence to suggest a password has been compromised – for example, if it appears on a data breach list.
- When employees who have access to a shared password leave or work on remote systems which do not log shared password usage.
Note: sharing passwords to systems containing ePHI is a breach of HIPAA because, under the Technical Safeguards of the HIPAA Security Rule (45 CFR § 164.312), Covered Entities are required to “implement procedures to verify that a person or entity seeking access to ePHI is the one claimed”. Without each user being assigned unique login credentials, it would be impossible for a Covered Entity to comply with this clause. However, there may be some scenarios (i.e., marketing, legal, finance, etc.) in which there is a legitimate case for sharing passwords.
How Passwords Should be Changed
With potentially tens of thousands of passwords in use within a healthcare facility it is impossible to manually identify which passwords are weak, which have been compromised, or which are being shared to access ePHI in violation of HIPAA. The way to overcome this issue is with a password manager with health check capabilities that can flag, weak, compromised, shared, or reused passwords so threats to data security can be addressed.
With regards to changing legitimately shared passwords when an employee leaves or works remotely, many password managers now have the capability to replace group passwords with the click of a mouse and work across multiple platforms so shared password usage can be logged. Therefore, although it is not a requirement of HIPAA to set password expiration dates, a fully-featured password manager can help Covered Entities comply with other areas of HIPAA legislation.