HIPAA compliant password manager
Compliance with industry regulations is a top IT and cybersecurity priority. One of the more prominent standards for safeguarding personal data is the Health Insurance Portability and Accountability Act (HIPAA), which sets rules for organizations that handle protected health information (PHI). For sysadmins, HIPAA compliance requires visibility into, and technical controls over, access to electronic protected health information (ePHI). Naturally, this includes password security in the environment.
To simplify password management for users, and improve password security, businesses are increasingly turning to enterprise password managers. But, are password managers compliant with HIPAA?
HIPAA guidance for enterprise password managers
While password managers can protect logins for systems that store protected health information (PHI), they do not store PHI themselves. HIPAA compliance is a property of a covered entity or business associate and its controls, not of a product, and HHS offers no HIPAA certification for software. A password manager is therefore neither "HIPAA compliant" nor non-compliant on its own, though many organizations treat one as a common-sense safeguard for accounts with access to ePHI.
Password managers help ensure end-users choose and use stronger passwords for any third-party services that may be part of the business. But they aren't necessarily enough to satisfy HIPAA requirements and bolster security. In addition to securing the password manager itself with two-factor authentication and a strong master password, other practices, policies, and tools need to be used to enforce strong passwords across the board.
HIPAA and compliance
While the HIPAA Security Rule does not spell out password requirements, it places a strong emphasis on the storage of and access control to electronic protected health information (ePHI). Sections 164.308(a)(5)(i) and 164.308(a)(5)(ii)(D) require the following to be in place (the password specification is "addressable", meaning it must be implemented where reasonable and appropriate, or the decision not to must be documented):
- A security awareness and training program for all members of its workforce
- Procedures for creating, changing, and safeguarding passwords
HIPAA may be ambiguous, but healthcare organizations are subject to the full extent of its rules. The burden falls on healthcare IT to figure out how to put them into practice.
Learn more about our recommendations for implementing password safeguards to facilitate HIPAA compliance.
The most important password – Microsoft Active Directory (AD)
While password managers are designed to quickly populate passwords into third-party services and other web-accessible solutions, this doesn't solve the issue of enterprise passwords held in AD. Often, organizations integrate AD with their enterprise password manager, using the AD password as the login for employee password vaults. That makes the AD password the key to every credential in the vault.
While HIPAA does not list specific password requirements, organizations can draw on cybersecurity best practices published by other federal entities such as the National Institute of Standards and Technology (NIST). NIST's Digital Identity Guidelines (SP 800-63B) cover password requirements, including screening new passwords against lists of known-compromised passwords, a minimum length of 8 characters for user-chosen passwords, and dropping forced composition rules and routine expiration.
Native AD password safeguards are not enough
Legacy AD Password Policy settings are no longer enough to meet today's password security requirements. AD can load custom password filter DLLs, but writing and maintaining one is not intuitive and requires developer involvement. There is also no native functionality in AD to implement the NIST guidance on checking passwords against breached password lists.
Specops Password Policy lets businesses quickly meet and exceed HIPAA requirements and other compliance frameworks, with controls that are not possible with native AD Password Policy functionality.
Specops also allows organizations to implement Breached Password Protection, continuously checking passwords in use against lists of compromised passwords.
Specops Password Policy allows organizations to:
- Protect the AD password used to log in to enterprise password managers
- Find leaked passwords already in use in the environment
- Create custom dictionary lists
- And more
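To make the two checks above concrete, here is an added example (not Specops or Microsoft code, and not how Specops Password Policy is implemented) of the policy logic native AD lacks: rejecting a candidate password that appears in a breach corpus, and rejecting one built on an organization-specific dictionary word, in the style of NIST SP 800-63B. The breach lookup uses the k-anonymity range model popularised by Have I Been Pwned, where only the first five hex characters of the SHA-1 hash leave the host and the remainder is matched locally. The range data, counts, dictionary words and organization name are constructed sample values; the `lookup_range` function is a stand-in for a real range query or a local copy of the corpus.

```python
import hashlib

MIN_LENGTH = 8  # NIST SP 800-63B minimum for user-chosen memorized secrets

# Constructed sample of breach-corpus data keyed by SHA-1 prefix, in the
# "SUFFIX:COUNT" line format used by the Pwned Passwords range API.
# The 5BAA6 prefix and the first suffix are the real SHA-1 of "password";
# the counts and the second suffix are made up for this example.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2\n"
    ),
}

# Hypothetical organisation-specific dictionary (vendor, facility name,
# common local terms) that the policy refuses as a password base.
CUSTOM_DICTIONARY = {"specops", "hospital", "mercygeneral", "clinic"}

# Common leet substitutions undone before the dictionary comparison.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def lookup_range(prefix: str) -> str:
    """Stand-in for a range query (hypothetical); returns sample data or nothing."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


def breach_count(password: str) -> int:
    """k-anonymity check: only the 5-char hash prefix is sent out; the
    35-char suffix is compared locally against the returned range."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup_range(prefix).splitlines():
        line_suffix, _, count = line.partition(":")
        if line_suffix == suffix:
            return int(count)
    return 0


def dictionary_hit(password: str, dictionary=CUSTOM_DICTIONARY):
    """Return the dictionary word the password is built on, after
    lower-casing and undoing leet substitutions; None if no match."""
    normalized = password.lower().translate(LEET)
    for word in sorted(dictionary, key=len, reverse=True):
        if word in normalized:
            return word
    return None


def evaluate(password: str, dictionary=CUSTOM_DICTIONARY) -> list:
    """Return the list of policy failures; an empty list means accepted.
    Deliberately no composition rules: 800-63B advises against them."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    count = breach_count(password)
    if count:
        failures.append(f"found in breach corpus ({count} times)")
    word = dictionary_hit(password, dictionary)
    if word:
        failures.append(f"based on dictionary word '{word}'")
    return failures


if __name__ == "__main__":
    for candidate in ["password", "Sp3c0ps2023!", "short1!",
                      "correct horse battery staple"]:
        print(f"{candidate!r}: {evaluate(candidate) or 'accepted'}")
```

Note that "Sp3c0ps2023!" would satisfy every classic AD complexity rule and still be rejected, because the normalization strips the substitutions a user applies to dodge a dictionary check; conversely the long passphrase passes without any symbol or digit requirement. In production the same logic would run at password-set time (for AD, that means a password filter DLL calling out to the check) and periodically against existing hashes, which is the continuous checking the article describes.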
Using an enterprise password manager is an important security step in a compliance-minded organization. When the AD password is used to log in to a password manager, protecting that password becomes even more important. Unfortunately, this is where a lot of enterprise password managers fall short. Specops Password Policy can complete your enterprise password protection approach by securing the most important password.
(Last updated on January 19, 2023)