HIPAA Security Rule Guidance for passwords
There are an alarming number of cyberattacks targeting the healthcare industry. In October 2020, the FBI released a security warning to hospitals and government agencies of an imminent danger of ransomware attacks. Attackers were said to be targeting healthcare providers with the Trickbot malware. Trickbot is associated with ransomware attacks, theft of data, and other criminal activities. Another common way that attackers can introduce malware in the environment is by compromising credentials.
The Health Insurance Portability and Accountability Act (HIPAA) provides a framework of cybersecurity requirements for healthcare providers, and those who interact with protected health information (PHI). The HIPAA Security Rule establishes national standards to “protect individuals’ electronic personal health information (ePHI) that is created, received, used, or maintained by a covered entity.” The Security Rule requires Administrative, Physical, and Technical Safeguards to ensure the confidentiality and security of ePHI.
HIPAA’s Administrative and Technical Safeguards outline best practices, processes, and procedures to ensure ePHI data is secure. They also explicitly address credentials and password security as part of the recommendations.
In the Administrative Safeguards, there are a number of sections that deal directly with passwords: Security Awareness and Training (Log-in Monitoring, and Password Management), and Security Incident Procedures (Response and Reporting):
- As part of Log-in Monitoring, healthcare organizations would capture unsuccessful log-in attempts. Enforcing lockouts, or prompting the end-user to reset their password after multiple failed attempts, can make the workforce aware of inappropriate log-in attempts.
- Password Management enables users to take the appropriate precautions to secure passwords. This can include training on how to create secure passwords, and how to successfully remember them.
- Response and Reporting outlines common security incidents, and recommends the necessary policies and procedures to address them. Stolen passwords are listed as a possible security incident.
The HIPAA Technical Safeguards outlines additional password recommendations in the following sections: Access Control (Automatic Logoff), and Person or Entity Authentication.
- To prevent unauthorized access, enforce Automatic Logoff by requiring a password after a period of system inactivity .
- The Person or Entity Authentication standard has no implementation specification. It simply requires the use of a secret that is known only to the user (a password), and encourages additional authentication methods such as two-factor authentication for added security.
Meet HIPAA password security standards
The above guidance requires sysadmins to have visibility and technical controls for password security in the environment. Many healthcare organizations use Microsoft Active Directory for identity and access management. Active Directory is a robust platform. However, it has limited built-in capabilities in terms of password security.
How can sysadmins have visibility to weak, dangerous, and even breached passwords in their Active Directory environment? Specops Password Auditor (free) provides visibility in to dangerous employee passwords.
The Specops Password Auditor tool scans Active Directory and generates interactive reports containing user and password policy information contained in your environment. It allows sysadmins to audit Active Directory accounts for additional account risks such as compromised passwords obtained from data breach events.
HIPAA password security audit
Healthcare organizations must do their due diligence to protect ePHI. A key area of importance is protecting credentials and passwords in the environment. Compromised accounts are often the culprit in data breach events. Specops Password Auditor allows sysadmins to have visibility to weak, vulnerable, and even breached passwords in the environment.
Learn more about Specops Password Auditor and download a free copy here.
(Last updated on April 19, 2021)