The role of passwords in HIPAA compliance
(Last updated on October 7, 2020)
Healthcare is a high-value target for hackers given the nature of the data and its poor security stance – ranking sixth lowest in security performance across industries. Passwords are the first line of defense against cyberattacks, and poorly chosen passwords can result in unauthorized access. The Health Insurance Portability and Accountability Act (HIPAA) is designed to protect against unauthorized access.
While HIPAA Privacy Rules do not have explicit requirements on user passwords, there is a strong emphasis on the storage of and access control to electronic protected health information (ePHI). Sections 164.308(a)(5)(i) and 164.308(a)(5)(ii)(D) require that the following be in place where appropriate:
- A security awareness and training program for all members of its workforce
- Procedures for creating, changing, and safeguarding passwords
HIPAA may be ambiguous but healthcare organizations are subject to the full extent of its rules. The burden falls on healthcare IT to figure out how to put these into practice.
HIPAA and passwords
Here are our recommendations on how to improve password security to follow HIPAA Privacy Rules:
- Block dictionary passwords. As long as users continue using common passwords, dictionary attacks will continue to work. It is important to block common passwords, passwords specific to your organization and known leaked passwords. A password deny list stops a user from choosing a compromised password.
- Enable passphrases. The length of the password is the most effective defense against a brute-force attack. A passphrase is a sentence or phrase, with or without spaces, typically more than 20 characters long. The words making up the passphrase should be meaningless together to make them less susceptible to social engineering.
- Skip password complexity. If you have implemented the above, you can relax complexity requirements.
- Password expiration. While HIPAA does not specify password expiration, NIST, NCSC and Microsoft are now advising against forcing regular password expiration without reason. The only time password expiration can minimize attacks is when hackers gain access to your network through compromised passwords – a password reset can limit the use of these passwords. If you are enforcing strong passwords and enabling multi-factor authentication, you have little to gain from password expiration. If you haven’t implemented these safety nets, continue to use password expiration as a way to check passwords against dictionary lists when a new major leak occurs.
- Password reset. If employees are engaging in high-risk behaviors such as sharing passwords or posting passwords on workstations, or if you suspect that a password has been compromised, force a password change immediately.
- Educate users and healthcare staff. Make sure everyone that comes in contact with PHI learns good password hygiene such as changing default passwords immediately after being assigned a new application, not sharing passwords with anyone, not reusing passwords between different systems and changing passwords whenever compromised.
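As an added illustration of the deny-list, passphrase and relaxed-complexity recommendations above (example code written for this article, not Specops Password Policy; the deny list, organization terms and sample passwords are constructed):

```python
"""Password policy check following the recommendations in this article:
reject deny-listed and organization-specific passwords, accept long
passphrases on length alone, and require complexity only for shorter
passwords. Added example; deny list and thresholds are constructed."""
import re

# Constructed deny list: common, leaked and seasonal passwords (lowercase).
DENY_LIST = {"password", "welcome1", "summer2020", "hipaa123"}
# Constructed organization-specific terms that should never appear.
ORG_TERMS = {"mercy", "hospital", "clinic"}
PASSPHRASE_MIN_LEN = 20   # at or above this, complexity is skipped
MIN_LEN = 12              # floor for ordinary passwords
# Undo common substitutions so "P@ssw0rd" matches "password".
LEET = str.maketrans("@$0!3", "asoie")


def normalize(pw: str) -> str:
    """Lowercase and map leet characters back to letters."""
    return pw.lower().translate(LEET)


def check_password(pw: str) -> list[str]:
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    raw = pw.lower()
    stripped = re.sub(r"[^a-z]+$", "", raw)   # drop trailing digits/symbols
    forms = {raw, stripped, normalize(raw), normalize(stripped)}
    if forms & DENY_LIST:
        problems.append("deny-list")
    if any(term in normalize(raw) for term in ORG_TERMS):
        problems.append("org-term")
    if len(pw) >= PASSPHRASE_MIN_LEN:
        # Passphrase: length carries the strength, but demand distinct words
        # so a repeated character run cannot pass as a phrase.
        words = {w.lower() for w in re.findall(r"[A-Za-z]+", pw)}
        if len(words) < 3:
            problems.append("passphrase-needs-3-distinct-words")
    else:
        if len(pw) < MIN_LEN:
            problems.append("too-short")
        classes = sum(bool(re.search(p, pw))
                      for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
        if classes < 3:
            problems.append("complexity")
    return problems
```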
How can Specops Password Policy facilitate HIPAA compliance?
Specops Password Policy helps organizations meet HIPAA requirements by allowing IT departments to create rich password policies that enhance password security in Active Directory and enforce those rules beyond Active Directory. You can create any password rule while using important features such as blocking compromised passwords or requiring the use of passphrases rather than passwords.