HIPAA compliant password manager

Compliance with industry regulations is a top IT and cybersecurity priority. One of the more prominent standards for safeguarding personal data is the Health Insurance Portability and Accountability Act (HIPAA), which provides guidelines for organizations that handle protected health information (PHI). For sysadmins, HIPAA compliance requires visibility into, and technical controls for, electronic protected health information (ePHI). Naturally, this includes password security in the environment.

To simplify password management for users and improve password security, businesses are increasingly turning to enterprise password managers. But are password managers HIPAA compliant?

HIPAA guidance for enterprise password managers

While password managers can protect logins for systems that store protected health information (PHI), they do not store PHI themselves. This means that they cannot be classified as HIPAA compliant on their own, though many will find their use to be a common-sense protection for accounts with access to ePHI.

Password managers help ensure end users choose and use stronger passwords for any third-party services the business relies on. But they aren't necessarily enough to satisfy HIPAA requirements and bolster security. In addition to securing the password manager itself with two-factor authentication and a strong master password, other practices, policies, and tools need to be used to enforce strong passwords across the board.

HIPAA and compliance

While HIPAA Privacy Rules do not have explicit requirements on user passwords, there is a strong emphasis on the storage of, and access control to, electronic protected health information (ePHI). Sections 164.308(a)(5)(i) and 164.308(a)(5)(ii)(D) require that the following be in place where appropriate:

  • A security awareness and training program for all members of its workforce
  • Procedures for creating, changing, and safeguarding passwords

HIPAA may be ambiguous, but healthcare organizations are subject to the full extent of its rules. The burden falls on healthcare IT to figure out how to put these requirements into practice.

Learn more about our recommendations for implementing password safeguards to facilitate HIPAA compliance.

The most important password – Microsoft Active Directory (AD)

While password managers are designed to quickly populate passwords in third-party services and other web-accessible solutions, this doesn't solve the issue of the enterprise passwords held in AD. Often, organizations integrate AD with their enterprise password manager, using the AD password as the login for employee password vaults.

While HIPAA does not list specific password requirements, organizations can draw on standard cybersecurity best practices published by other federal entities such as the National Institute of Standards and Technology (NIST). NIST provides a framework of cybersecurity best practices, including recommendations on password requirements.

Native AD password safeguards are not enough

Legacy AD Password Policy configuration is no longer enough to meet today's cybersecurity requirements for passwords. While AD can load custom password filter DLLs, building and maintaining such a DLL is not intuitive and requires developer involvement. There is also no native AD functionality that implements the NIST guidance on checking passwords against lists of breached credentials.
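The NIST guidance referred to above (SP 800-63B) asks that a chosen password be screened against a corpus of known-compromised values, rejected if it contains context-specific words such as the username, and rejected if it is trivially repetitive or sequential. The following is an added example of that screening logic; it is not Specops code and not part of the original article. It assumes a small constructed breach corpus embedded inline (a real deployment would load a full list or query a k-anonymity range service instead), and the comparison is done the way such services work: only the first five hex characters of the SHA-1 digest are used to select a candidate range, and the match is made locally on the remaining suffix.

```python
"""NIST SP 800-63B style password screening (added example, not Specops code)."""
import hashlib
import re

# Constructed sample of a breached-password corpus, held as uppercase SHA-1 hex
# digests, the form in which such lists are typically distributed. A real
# deployment would load a full list or query a k-anonymity range API instead.
_SAMPLE_BREACHED_PLAINTEXTS = ["Password1", "Welcome2023!", "Summer2022", "letmein"]
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in _SAMPLE_BREACHED_PLAINTEXTS
}

MIN_LENGTH = 8  # SP 800-63B minimum length for user-chosen memorized secrets


def sha1_hex(password):
    """Uppercase SHA-1 hex digest, matching the encoding of the corpus above."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def lookup_range(prefix):
    """Emulate a k-anonymity range lookup: return every corpus suffix whose
    digest starts with the given 5-hex-character prefix. In the real protocol
    only the prefix leaves the client; the full digest is never transmitted."""
    return {d[5:] for d in BREACHED_SHA1 if d.startswith(prefix)}


def is_breached(password):
    """True if the password's digest suffix appears in the range for its prefix."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return suffix in lookup_range(prefix)


def has_context_word(password, context_words):
    """Reject passwords that embed the username, company name, and similar."""
    lowered = password.lower()
    return any(w and w.lower() in lowered for w in context_words)


def is_repetitive_or_sequential(password):
    """Crude check for values like 'aaaaaaaa' or '12345678'."""
    if re.fullmatch(r"(.)\1+", password):
        return True
    codes = [ord(c) for c in password]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return steps in ({1}, {-1})


def evaluate_password(password, context_words=()):
    """Return the list of policy failures; an empty list means the password is acceptable."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too_short")
    if is_breached(password):
        failures.append("breached")
    if has_context_word(password, context_words):
        failures.append("context_word")
    if is_repetitive_or_sequential(password):
        failures.append("repetitive_or_sequential")
    return failures


if __name__ == "__main__":
    # Constructed candidates; "jdoe" and "Contoso" stand in for a username and org name.
    for candidate in ["Password1", "jdoe-rocks-2024", "12345678", "plaid-kettle-orbit-47"]:
        print(candidate, evaluate_password(candidate, context_words=["jdoe", "Contoso"]))
```

Note that the screen deliberately contains no composition rules (mandatory digits or symbols): SP 800-63B recommends length and a blocklist over such rules, and the breach check is what catches values like `Password1` that satisfy every composition rule yet are widely known.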

Specops Password Policy allows businesses to quickly meet and exceed HIPAA requirements and other compliance frameworks. With Specops Password Policy, you can configure controls that are not possible with native AD Password Policy functionality.

Specops also allows organizations to implement Breached Password Protection and continuously check passwords for compromise.

[Screenshot: Specops Breached Password Protection]

Specops Password Policy allows organizations to:

  • Protect the AD password used to log in to enterprise password managers
  • Find leaked passwords already in use in the environment
  • Create custom dictionary lists
  • and much more

Using an enterprise password manager is an important security step in a compliance-minded organization. When the AD password is used to log in to a password manager, protecting that password becomes even more important. Unfortunately, this is where a lot of enterprise password managers fall short. Specops Password Policy can complete your enterprise password protection approach by securing the most important password.

Learn more about Specops Password Policy and download a free, fully-featured trial version.

(Last updated on January 19, 2023)


Written by

Brandon Lee

Brandon Lee has been in the industry for 20+ years, is a prolific blogger focusing on networking, virtualization, storage, security and cloud, and contributes to the community through blog posts and technical documentation, primarily at Virtualizationhowto.com.
