How do I create HITRUST compliant password policies?
(Last updated on January 22, 2019)
HITRUST Alliance is a non-profit organization that champions various initiatives aimed at safeguarding sensitive information and managing information risk for organizations. Together with others in the information security sector, they have developed the HITRUST Common Security Framework (CSF), which clarifies guidelines on security standards for the healthcare industry. HITRUST CSF solidifies the broader regulations of HIPAA, ISO, NIST, PCI-DSS, GDPR, and many other governing rules into an overarching framework to keep you in line with all those standards.
A strong organizational policy surrounding passwords is a great way to ensure compliance with the HITRUST CSF standards. While the HIPAA guidelines may be ambiguous, HITRUST CSF provides specific feature recommendations where the password management system is concerned. Per the HITRUST CSF, your organization should have a password management system that can:
- Store and transmit passwords in protected (e.g. encrypted or hashed) form. Storing and transmitting passwords in plaintext leaves them extremely vulnerable should there ever be an attack. Hashing or encrypting them with various algorithms can slow down an attacker.
- Store password files separately from application system data. This is really just common sense; you would not keep the key for a lock right next to the lock. The same applies to the password files and system data for the application that they grant access to – you do not want to keep the user’s keys for those systems in the same place you keep the system data.
- Enforce a choice of quality passwords. A strong password is the best defense against dictionary attacks, brute force attacks and password spraying. A passphrase can help stave off hacking attempts as password cracking tools usually become ineffective when they need to decipher past 10 characters.
- Enforce password changes. HITRUST CSF states that passwords be set to expire every 90 days, while privileged accounts be set to expire every 60 days. However, NIST recommends against setting regular intervals for expiring passwords, but forcing password changes when there is evidence that a user’s credentials have been compromised. It will all come down to which rules and regulations most directly apply for your company, so be sure to do some research before deciding on your password change policy.
- Maintain a record of previous user passwords and prevent re-use. Allowing users to recycle previous passwords, or modify them with incremental numbers (e.g., password1, password2, password3) defeats the purpose of enforcing a password change. The right password management tool can allow you to block previously used passwords, passwords with incremental numbers, and passwords that have been uncovered in a data breach.
Trying to comply with various industry regulations can be overwhelming, especially if those regulations are not very clear. Specops Password Policy helps you achieve HITRUST password compliance by increasing your password security. The tool extends the functionality of Group Policy and simplifies the management of fine-grained password policies. Specops Password Policy can target any GPO level, group, user, or computer with password complexity, dictionaries and passphrase settings. The Blacklist feature even allows you to block more than 1 billion previously leaked passwords – helping your organization stay one-step ahead of hackers. Download our whitepaper to see how Specops Password Policy aligns with various compliance recommendations including the latest NIST recommendations.
Healthcare is a high value target for hackers given the nature of the data and its poor security stance – ranking the sixth lowest, in security performance across industries. Passwords are the first line of defense against cyberattacks and poorly chosen passwords can result in unauthorized access. The Health Insurance Portability and Accountability Act (HIPAA)…Read More
For a long time now, Specops has been advising organizations on how to protect their network and data against common security threats. We’ve managed to cover everything from sophisticated social engineering tactics, to the simple phishing email, and most recently, best practices for safeguarding Active Directory against common attacks. Along the way, we’ve repeated the…Read More
Following a data breach incident, organizations following compliance standards, such as HIPAA, need to follow certain data breach notification requirements. This post will summarize some of these requirements, as well as regional-specific disclosure responsibilities. For the purposes of this post, a data breach, is an incident “where personal data has been subject to unauthorised access,…Read More