Securing user passwords: HIPAA vs. HITRUST CSF requirements

A strong password policy keeps user data safe and meets requirements that are crucial to HIPAA compliance and HITRUST CSF certification. Read on to find out what these password requirements are and how you can achieve them with password solutions from Specops Software.

Before diving into developing the best password policy for your users, we should note the difference between HIPAA and HITRUST.

While HIPAA is an act that outlines protection and security standards for healthcare data, HITRUST is an organization whose Common Security Framework (CSF) helps organizations achieve the compliance standards outlined by HIPAA.

One of the major precedents established by HIPAA includes the security rule that establishes national standards to “protect individuals’ electronic personal health information (ePHI) that is created, received, used, or maintained by a covered entity.” These technical safeguards ensure the confidentiality and security of ePHI.

The framework developed by HITRUST coordinates HIPAA Security Rule standards with those of other data industry organizations, including PCI, ICO, and NIST. If your company is HITRUST CSF-certified, then you will also be compliant in the eyes of the organizations that maintain these regulations.

Since it is difficult to keep up with the constantly shifting HIPAA guidelines, working with a group that is HITRUST CSF certified can help you maintain compliance without sacrificing productivity.

Creating password policies for your users that conform to HIPAA regulations, as well as HITRUST CSF requirements, greatly increases the security of applications that handle ePHI.

Key components for managing passwords

Password security management should be defined by two key components: organizational requirements as well as individual password authentication. These factors have never been more important to the healthcare security ecosystem thanks to the constant flow of data between patient and provider devices.

HIPAA Password Compliance and Authentication

The HIPAA Security Rule states that covered entities must have a comprehensive policy and procedure for creating, storing, and changing passwords.

HIPAA also recommends multi-factor authentication when a user signs in from a new device or accesses data from a new location. This reduces the risk posed by a phishing attack: even if an employee responds to a phishing email and hands over a password, the attackers still need the second factor (for example a one-time PIN code) to gain access to the system. This is where two-factor authentication plays its protective role.

HITRUST Alliance Password Requirements

A HITRUST CSF-certified password management system should include:

  1. Password encryption
  2. Passwords stored separately from the application’s system data
  3. Enforced choice of strong passwords and passphrases
  4. Enforced password changes*

*A caveat from NIST is that passwords should not be changed at regular intervals, but only when a password change is necessary. If a hacking attempt or compromise has occurred, alerting your users to the compromise and forcing a password change is crucial.

HITRUST CSF requirements include blocking passwords that are repetitive, disallowing passwords with incremental numbers or letters, and banning leaked passwords from previous data breaches. Additional requirements that customers have been inquiring about include securing password resets with user verification, whether at the IT service desk or via self-service.
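The following is an added example, not code from Specops or from any HITRUST publication, showing how the checks described in the list above and in this paragraph can be enforced at the point where a user chooses a password: rejecting repetitive and incremental (sequential) patterns, rejecting passwords found in a breach corpus, and storing the accepted password as a salted PBKDF2 hash rather than in plain text. The minimum length of 12, the run length of 3 for pattern detection, the PBKDF2 iteration count, and the tiny breach corpus are all assumptions made for the example; neither HIPAA nor HITRUST fixes those numbers in the text above. The breach index is keyed by SHA-1 prefix and suffix to mirror how a k-anonymity range lookup against a real breach service returns results, but it is built locally here so the code runs offline.

```python
import hashlib
import hmac
import os

# Assumed policy values for this example (not prescribed by HIPAA or HITRUST CSF).
MIN_LENGTH = 12
PATTERN_RUN = 3

def has_repetition(pw, run=PATTERN_RUN):
    """True if the same character appears `run` or more times in a row ('aaa', '111'),
    or if the whole password is a short pattern repeated ('abab', 'xyzxyzxyz')."""
    for i in range(len(pw) - run + 1):
        if len(set(pw[i:i + run])) == 1:
            return True
    n = len(pw)
    for size in range(1, n // 2 + 1):
        if n % size == 0 and pw[:size] * (n // size) == pw:
            return True
    return False

def has_sequence(pw, run=PATTERN_RUN):
    """True if `run` consecutive characters step by exactly +1 or -1 in code point,
    which catches incremental runs such as 'abc', '123', 'cba' and '987'."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        deltas = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if deltas in ({1}, {-1}):
            return True
    return False

def _sha1_hex(pw):
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for a breached-password corpus. Real deployments would query a
# breach service by the first five hex characters of the SHA-1 and compare suffixes
# locally; this index has the same prefix -> {suffixes} shape but is built in memory.
_CONSTRUCTED_LEAKED = ["password", "qwerty123", "letmein", "Welcome1"]
BREACH_INDEX = {}
for _leaked in _CONSTRUCTED_LEAKED:
    _digest = _sha1_hex(_leaked)
    BREACH_INDEX.setdefault(_digest[:5], set()).add(_digest[5:])

def is_breached(pw):
    digest = _sha1_hex(pw)
    return digest[5:] in BREACH_INDEX.get(digest[:5], set())

def check_password(pw):
    """Return the list of policy violations for a candidate password (empty = accepted)."""
    problems = []
    lowered = pw.lower()  # pattern checks ignore case so 'AbC' is still sequential
    if len(pw) < MIN_LENGTH:
        problems.append("too_short")
    if has_repetition(lowered):
        problems.append("repetitive")
    if has_sequence(lowered):
        problems.append("sequential")
    if is_breached(pw):
        problems.append("breached")
    return problems

def hash_for_storage(pw, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256 record suitable for a credential store kept apart from
    application data. Iteration count is an assumed value for the example."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_stored(pw, record):
    """Recompute the hash from the stored parameters and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    for candidate in ["password", "abcdefgh1234", "xyzxyzxyzxyz", "Correct-Horse-Battery-7"]:
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
    record = hash_for_storage("Correct-Horse-Battery-7")
    print("stored record verifies:", verify_stored("Correct-Horse-Battery-7", record))
```

The violation list, rather than a single pass/fail, is what lets a self-service reset page or a service-desk tool tell the user exactly which rule was tripped, and the stored record carries its own salt and iteration count so the cost factor can be raised later without re-hashing every account at once.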

Secure compliance

Specops can help you achieve HITRUST CSF password compliance with the following solutions:

  • Specops Password Policy can target any GPO level, group, user, or computer with password complexity, dictionary and passphrase settings. The Breached Password Protection feature even allows you to block more than 4 billion previously leaked passwords – helping your organization stay one step ahead of hackers.
  • Specops Secure Service Desk enforces user verification at the IT service desk by allowing agents to verify callers with one-time codes associated with their registered device. By verifying the identity of callers prior to a password reset, or account lockout, you can prevent social engineering attacks targeted at the IT service desk.
  • Specops uReset allows users to reset or change their own passwords or unlock their own accounts in a secure manner through the use of multi-factor authentication. The solution not only produces cost-savings but also maximizes security related to password resets.

(Last updated on October 30, 2023)


Written by

Rikin Shah

Rikin is a content writer specializing in many facets of B2B technology including healthcare, cybersecurity, and cloud-native applications.
