How to Comply with HIPAA Password Requirements

Although the text of HIPAA contains only one reference to passwords, there are several other areas of the Act from which HIPAA password requirements can be inferred.

For example, under the Technical Safeguards of the Security Rule (45 CFR § 164.312), covered entities are required to implement technical procedures for systems that maintain ePHI “to grant access to only those people who have been granted access rights” and “assign a unique name and/or number for identifying and tracking user identity to verify that a person or entity seeking access to ePHI is the one claimed”.

With regards to the single reference to passwords, this appears in the Administrative Safeguards of the Security Rule in the section covering Security Awareness and Training (45 CFR § 164.308(a)(5)). Under this section, covered entities are instructed to implement “procedures for creating, changing and safeguarding passwords.”

To comply with the HIPAA password requirements in the Technical Safeguards of the Security Rule, Covered Entities must ensure that passwords are used to secure accounts, unless an alternative to passwords is implemented that provides an equivalent level of protection.

To comply with the requirement for “procedures for creating, changing and safeguarding passwords”, HIPAA covered entities should follow industry best practices for password creation, management, and security. Up-to-date best practices for passwords are detailed in guidance released by the National Institute of Standards and Technology (NIST), which has recently been updated based on new research.

HIPAA Password Requirements and ‘Addressable’ Elements of the HIPAA Security Rule

When discussing the HIPAA password requirements, it is important to note that the “procedures for creating, changing and safeguarding passwords” are “addressable” rather than “required” implementation specifications. That does not mean passwords are not required; it means covered entities have some flexibility in meeting the requirements of the “addressable” provisions. Covered entities can “implement one or more alternative security measures to accomplish the same purpose” and be compliant.

In the context of the Administrative Safeguards, the aim of the HIPAA password requirements is to “limit unnecessary or inappropriate access to and disclosure of Protected Health Information”. It is perfectly acceptable to implement a different security method, provided the level of protection of the alternative measure is equivalent to or greater than that of passwords, and that the decision not to use passwords, and the reasons for it, is documented.

For instance, biometric authentication methods such as fingerprints could serve as an alternative to passwords. Since this technology is expensive and not widely available, passwords are still the most practical and cost-effective method of authentication and that is unlikely to change in the short term.

HIPAA Experts Disagree on Best HIPAA Compliant Password Policy

The purpose of a password is to prevent unauthorized access to an account, but the level of protection provided by a password can vary greatly. For instance, a password such as “password” or “123456” will provide close to zero protection, whereas a passphrase of 16 characters or more is very difficult to crack, even with the automated techniques used by hackers in brute force attacks. Many organizations set password requirements of at least 8 characters with a mixture of upper and lower case letters, numbers, and symbols, but even these passwords may not be particularly secure.

There is disagreement about the best HIPAA compliant password policy to implement, including the format of passwords, the frequency of password changes, and the best way of securing them.

While some experts argue the best HIPAA compliant password policy means changing passwords every sixty or ninety days, other experts say that this is a waste of time. A skilled hacker should be able to defeat any user-generated 8-character password in less than ten minutes using a combination of technical, sociological, or subversive tactics (i.e., social engineering).

There is more common ground between security experts when it comes to securing passwords. Passwords must never be stored in plain text and must always be encrypted. It is a recognized best practice to also salt passwords (add random data to each one) prior to encryption, to better safeguard passwords in storage and make it harder for hackers to crack stored passwords.

HIPAA Password Requirements and Password Managers

One area of weakness with passwords is that by making passwords difficult to crack, they are also very difficult for humans to remember. That often means individuals use tricks to get around password requirements (that hackers are aware of) or write their passwords down. One way to resolve this problem is to use password management tools.

Password managers such as Bitwarden help users create strong, unique passwords for all accounts. Passwords that are extremely complex will protect against brute force attacks, yet individuals will not have to remember these passwords or write them down. The passwords are stored securely in the user’s encrypted password vault, and individuals then only need to create one strong master password for that vault. That can be a long passphrase that is easy to remember but difficult to guess.

Two Factor Authentication Being Implemented by Many Medical Centers

Two-factor authentication is also now a widely accepted best practice for improving password security. Two-factor authentication, often also called multi-factor authentication, requires more than one method of authentication: another factor must be provided in addition to a password before account access is granted. This is commonly an SMS message containing a PIN that is sent to a user’s mobile phone. Without that PIN, a password alone is not sufficient to grant access to an account.
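The server-side half of the SMS PIN check described above has a few properties that decide whether the second factor actually adds protection: the PIN must be unpredictable, short-lived, single-use, bound to the account it was issued for, and limited in the number of guesses allowed. The following is an added example, not code from the original article or from any medical-center deployment it refers to. Delivery of the PIN (the SMS gateway) is outside its scope; the class only issues and verifies. The five-minute lifetime and three-attempt limit are assumptions chosen for illustration, and the clock is injectable so the expiry and lockout paths can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

PIN_DIGITS = 6
PIN_TTL_SECONDS = 300   # assumed lifetime: 5 minutes
MAX_ATTEMPTS = 3        # assumed guess budget before the PIN is burned


@dataclass
class _PendingPin:
    digest: bytes        # only a hash of the PIN is kept server-side
    expires_at: float
    attempts_left: int


class SecondFactorStore:
    """Issues and verifies one-time PINs for a second authentication factor.

    The PIN itself is returned to the caller once, for delivery, and is not
    stored; verification recomputes its digest and compares in constant time.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # user_id -> _PendingPin

    @staticmethod
    def _digest(user_id: str, pin: str) -> bytes:
        # Bind the PIN to the account so a PIN issued for one user is useless
        # if submitted for another.
        return hashlib.sha256(f"{user_id}:{pin}".encode("utf-8")).digest()

    def issue_pin(self, user_id: str) -> str:
        # secrets, not random: the PIN must be unpredictable.
        pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
        self._pending[user_id] = _PendingPin(
            digest=self._digest(user_id, pin),
            expires_at=self._clock() + PIN_TTL_SECONDS,
            attempts_left=MAX_ATTEMPTS,
        )
        return pin   # hand to the SMS gateway; never log it

    def verify_pin(self, user_id: str, submitted: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False                      # nothing issued, or already used/burned
        if self._clock() > entry.expires_at:
            del self._pending[user_id]        # expired: require a fresh PIN
            return False
        entry.attempts_left -= 1
        ok = hmac.compare_digest(self._digest(user_id, submitted), entry.digest)
        if ok or entry.attempts_left <= 0:
            del self._pending[user_id]        # single use; also burn after too many misses
        return ok


def _different_from(pin: str) -> str:
    """A guaranteed-wrong PIN for the demo."""
    return "000000" if pin != "000000" else "999999"


def scenario() -> dict:
    """Walk the store through the cases that matter, with a fake clock."""
    now = [1_000.0]
    store = SecondFactorStore(clock=lambda: now[0])
    results = {}

    pin = store.issue_pin("alice")
    results["wrong_guess"] = store.verify_pin("alice", _different_from(pin))
    results["right_guess"] = store.verify_pin("alice", pin)
    results["replay"] = store.verify_pin("alice", pin)          # already consumed

    pin = store.issue_pin("alice")
    now[0] += PIN_TTL_SECONDS + 1
    results["expired"] = store.verify_pin("alice", pin)

    pin = store.issue_pin("alice")
    for _ in range(MAX_ATTEMPTS):
        store.verify_pin("alice", _different_from(pin))         # exhaust the budget
    results["after_lockout"] = store.verify_pin("alice", pin)   # correct, but burned

    pin = store.issue_pin("alice")
    results["wrong_account"] = store.verify_pin("bob", pin)     # PIN bound to alice
    return results


if __name__ == "__main__":
    for case, outcome in scenario().items():
        print(f"{case}: {outcome}")
```

The two decisions worth copying are the attempt budget and the single-use deletion: a six-digit PIN has only a million possibilities, so without a guess limit the second factor can be brute-forced in minutes, and without single-use semantics a PIN observed once remains valid for its whole lifetime.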

Two-factor authentication has already been adopted by many medical centers and physician practices for credit card payments to adhere to the Payment Card Industry Data Security Standard (PCI DSS), and in relation to prescriptions to comply with the DEA’s Electronic Prescription for Controlled Substances rules. However, for other systems such as email, two-factor authentication has often not been implemented.

It is true that two-factor authentication can impede workflows, but advances in software mean it is no longer a major issue; for instance, by using Single Sign-On between healthcare technologies, workflows are not disrupted. While two-factor authentication technology does not replace passwords, it is recommended to document all methods used to improve password security in your HIPAA documentation, to demonstrate you are following industry best practices in the event of a breach investigation or compliance audit.