The role of passwords in HIPAA compliance

Healthcare is a high value target for hackers given the nature of the data and its poor security stance – ranking the sixth lowest, in security performance across industries. Passwords are the first line of defense against cyberattacks and poorly chosen passwords can result in unauthorized access. The Health Insurance Portability and Accountability Act (HIPAA) is designed to protect against unauthorized access.

While HIPAA Privacy Rules do not have explicit requirements on user passwords, there is a strong emphasis on the storage of and access control to electronic protected health information (ePHI). Sections 164.308(a)(5)(i) and 164.308(a)(5)(ii)(D) require that the following plan is in place when appropriate:

  • A security awareness and training program for all members of its workforce
  • Procedures for creating, changing, and safeguarding passwords

HIPAA may be ambiguous but healthcare organizations are subject to the full extent of its rules. The burden falls on healthcare IT to figure out how to put these into practice.

HIPAA and passwords

Here are our recommendations on how to improve password security to follow HIPAA Privacy Rules:

Password creation

  • Block dictionary passwords. As long as users continue using common passwords, dictionary attacks will continue to work. It is important to block common passwords, passwords specific to your organizations and known leaked passwords. A password deny list stops a user from choosing a compromised password.
  • Enable passphrases. The length of the password is the most effective defense against a brute-force attack. A passphrase is a sentence or phrase, with or without spaces, typically more than 20 characters longer. The words making up the passphrases should be meaningless together to make them less susceptible to social engineering.
  • Skip password complexity. If you have implemented the above, you can relax complexity requirements.

Changing passwords

  • Password expiration. While HIPAA does not specify password expiration, NIST, NCSC and Microsoft are now advising against forcing regular password expiration without reason. The only time password expiration can minimize attacks is when hackers gain access to your network through compromised passwords – a password reset can limit the use of these passwords. If you are enforcing strong passwords and enabling multi-factor authentication, you have little to gain from password expiration. If you haven’t implemented these safety nets, continue to use password expiration as a way to check passwords against dictionary lists when a new major leak occurs.
  • Password reset. If employees are engaging in high-risk behaviors such sharing passwords, posting passwords on workstations or if you suspect that a password has been compromised, force a password change immediately.

Safeguarding passwords

  • Educate users and healthcare staff. Make sure everyone that comes in contact with PHI learns good password hygiene such as changing default passwords immediately after being assigned a new application, not sharing passwords with anyone, not reusing passwords between different systems and changing passwords whenever compromised.

How can Specops Password Policy facilitate HIPAA compliance?

Specops Password Policy helps organizations meet HIPAA requirements by allowing IT departments to create rich password policies that enhance password security in Active Directory and enforce those rules beyond Active Directory. You can create any password rule while using important features such as blocking compromised passwords or requiring the use of passphrases rather than passwords.

(Last updated on April 4, 2022)

Tags: , , ,

Back to Blog

Related Articles

  • Will you pass a HIPAA audit?

    One of the most valuable types of data is online healthcare patient data. Multiple Health Insurance Portability and Accountability Act (HIPAA) breaches in the past showed that fraudsters obtained the records and filed false claims with insurers or bought drugs that were later resold using fake IDs. It is said that personal medical information is…

    Read More
  • 3 steps to take after a security breach

    For a long time now, Specops has been advising organizations on how to protect their network and data against common security threats. We’ve managed to cover everything from sophisticated social engineering tactics, to the simple phishing email. Along the way, we’ve repeated the importance of a strong password/passphrase, or better yet, additional layers via multi-factor…

    Read More