HIPAA password requirements: Best practices for compliance

The digital transformation of healthcare has brought plenty of benefits, but it’s also introduced new challenges in protecting patient information. The Health Insurance Portability and Accountability Act (HIPAA) plays a critical role in ensuring that medical data remains secure. One of the most fundamental aspects of this security is HIPAA password requirements and password management. If you’re looking for a more general overview of HIPAA, check out our guide to navigating HIPAA cybersecurity requirements here. 

This blog will focus in on passwords; one of the most readily exploited attack routes favored by cybercriminals. We’ll walk through the best practices for creating and maintaining strong passwords, the benefits of multi-factor authentication, and how to ensure your password policies are fully compliant with HIPAA regulations. 

Whether you’re a healthcare provider, a business associate, or just curious about healthcare cybersecurity, this guide will equip you with the essential knowledge to safeguard sensitive patient data. 

HIPPA rules and guidance on passwords  

HIPAA’s Administrative and Technical Safeguards outline best practices, processes, and procedures to ensure electronic personal health information ePHI data is secure. They also explicitly address credentials and password security as part of the recommendations. 

Administrative safeguards 

In the administrative safeguards, there are a number of sections that deal directly with passwords: Security Awareness and Training (Log-in Monitoring, and Password Management), and Security Incident Procedures (Response and Reporting): 

• As part of Log-in Monitoring, healthcare organizations should capture unsuccessful log-in attempts. Enforcing lockouts, or prompting the end-user to reset their password after multiple failed attempts, can make the workforce aware of inappropriate log-in attempts 
• Password Management enables users to take the appropriate precautions to secure passwords. This can include training on how to create secure passwords, and how to successfully remember them 
• Response and Reporting outlines common security incidents, and recommends the necessary policies and procedures to address them. Stolen passwords are listed as a possible security incident. 

Technical safeguards 

The HIPAA Technical safeguards outlines additional password recommendations in the following sections: Access Control (Automatic Logoff), and Person or Entity Authentication. 

• To prevent unauthorized access, enforce Automatic Logoff by requiring a password after a period of system inactivity 
• The Person or Entity Authentication standard has no implementation specification. It simply requires the use of a secret that is known only to the user (a password), and encourages additional authentication methods such as two-factor authentication for added security 
• There are also certain healthcare encryption standards that organizations are encouraged to follow 

How do I tell if my organization meets HIPAA password security standards? 

The above guidance requires sysadmins to have visibility and technical controls for password security in the environment. Many healthcare organizations use Microsoft Active Directory for identity and access management. Active Directory is a robust platform. However, it has limited built-in capabilities in terms of password security. 

So, how can sysadmins have visibility to weak, dangerous, and even breached passwords in their Active Directory environment? The easiest thing to do is run an audit of your Active Directory.  Specops Password Auditor is a read-only tool that scans your Active Directory and generates an interactive report. The report will detail any password-related vulnerabilities found and even let you know if your policy complies with HIPAA. Download for free here.  

Practical tips for HIPAA password compliance 

While HIPAA does not list specifics in regards to password requirements, organizations can use standard cybersecurity best practices released by other federal entities such as the National Institute of Standards and Technology (NIST). NIST provides a framework of cybersecurity best practices, including recommendations regarding NIST password requirements.  We’ll run through some common-sense controls to put in place in this section.  

Password creation 

• Block weak passwords. If end users are allowed to choose weak and easily-guessable passwords, they’ll be vulnerable to brute-force techniques and dictionary attacks. It’s also important to block passwords specific to your own organization and the healthcare industry by creating a custom dictionary of blocked passwords. 
• Encourage passphrases. The length of the password is the most effective defense against a brute-force attack. A passphrase is usually three random words, typically creating a 20-character or longer phrase. These phrases are far easier for end users to remember than a string of random characters. You can find a full guide on rolling out passphrases to your users here.  

Changing passwords 

• Password expiration. While HIPAA does not specify password expiration, NIST, NCSC and Microsoft are now advising against forcing regular password expiration without reason. The only time password expiration can minimize attacks is when hackers gain access to your network through compromised passwords. So while expiration can help reset a compromised password, it’s more important to be able to continuously check your Active Directory for breached passwords.  
• Password resets. If you allow end users to reset their own passwords, it’s important have a solution in place that verifies them through multi-factor authentication.  

Safeguarding passwords 

• Educate users and healthcare staff. Make sure everyone that comes in contact with ePHI learns good password hygiene such as changing default passwords immediately after being assigned a new application, not reusing passwords between different systems, and not sharing passwords with anyone. You can find a full guide on how to prevent password sharing in a healthcare setting here. 

What does HIPAA say about enterprise password managers? 

To simplify password management for users, and improve password security, businesses are increasingly turning to enterprise password managers. But are password managers compliant with HIPAA?  While password managers can protect logins for systems that store ePHI, they do not store ePHI themselves. This means that they cannot be classified as HIPAA compliant, though many may find their use to be a common sense protection for accounts with access to ePHI.   

Password managers help ensure end-users choose and use stronger passwords for any third-party services that may be part of the business. But they aren’t necessarily enough to satisfy HIPAA requirements and bolster security. In addition to securing the password manager configuration with two-factor authentication and a strong master passwords, other practices, policies, and tools need to be used to enforce strong passwords across the board.   

Get HIPAA compliant with Specops Password Policy  

Specops Password Policy lets you greatly reduce your organization’s attack surface through a simple interface that easily integrates with Active Directory. Admins can block end users from creating weak passwords and continuously scan for passwords that have become compromised through data breaches or password reuse. Try Specops Password Policy for free.