Although the text of HIPAA contains only one explicit reference to passwords, there are several other areas of the Act from which HIPAA password requirements can be inferred.
For example, under the Technical Safeguards of the Security Rule (45 CFR § 164.312), covered entities are required to implement technical procedures for systems that maintain ePHI “to grant access to only those people who have been granted access rights” and to “assign a unique name and/or number for identifying and tracking user identity” so that they can verify that “a person or entity seeking access to ePHI is the one claimed”.
With regards to the single reference to passwords, this appears in the Administrative Safeguards of the Security Rule in the section covering Security Awareness and Training (45 CFR § 164.308(a)(5)). Under this section, covered entities are instructed to implement “procedures for creating, changing and safeguarding passwords.”
To comply with the HIPAA password requirements in the Technical Safeguards of the Security Rule, Covered Entities must ensure that passwords are used to secure accounts, unless an alternative to passwords is implemented that provides an equivalent level of protection.
To comply with the requirement for “procedures for creating, changing and safeguarding passwords”, HIPAA covered entities should follow industry best practices for password creation, management, and security. Up-to-date best practices for passwords are detailed in guidance released by the National Institute of Standards and Technology (NIST).
HIPAA Password Requirements and ‘Addressable’ Elements of the HIPAA Security Rule
When discussing the HIPAA password requirements, it is important to note that the “procedures for creating, changing and safeguarding passwords” are “addressable” rather than “required” implementation specifications. This does not mean the implementation specification can be bypassed. It means covered entities have some flexibility in meeting the requirements of the “addressable” provisions. Covered entities can “implement one or more alternative security measures to accomplish the same purpose” and still be compliant.
In the context of the Administrative Safeguards, the aim of the HIPAA password requirements is to “limit unnecessary or inappropriate access to and disclosure of Protected Health Information”. It is perfectly acceptable to implement a different security method, provided the level of protection offered by the alternative measure is equivalent to or greater than that of passwords, and provided the decision not to use passwords, and the reasons for it, are documented.
For instance, biometric authentication methods such as fingerprints could serve as an alternative to passwords. Since this technology is expensive and not widely available, passwords are still the most practical and cost-effective method of authentication – and this is unlikely to change in the short term.
HIPAA Experts Disagree on Best HIPAA Compliant Password Policy
The purpose of a password is to prevent unauthorized access to an account, but the level of protection provided by a password can vary greatly. For instance, a password such as “password” or “123456” will provide close to zero defense against a brute force attack, whereas a passphrase of 16 characters or more is very difficult to crack, even with the automated techniques used by hackers in brute force attacks. Many organizations require passwords of at least 8 characters with a mixture of upper and lower case letters, numbers, and symbols, but even these passwords may not be sufficiently resilient against sophisticated attacks.
There is disagreement about the best HIPAA compliant password policy to implement, including the format of passwords, the frequency of password changes, and the best way of securing them.
While some experts argue the best HIPAA compliant password policy means changing passwords every sixty or ninety days, other experts say that this is a waste of time. A skilled hacker should be able to defeat any user-generated 8-character password in less than ten minutes using a combination of technical, sociological, or subversive tactics (e.g., social engineering).
There is more common ground between security experts when it comes to securing passwords. Passwords must never be stored in plain text and must always be encrypted. It is a recognized best practice to also salt passwords, i.e., add random data to each one, prior to encryption to better safeguard passwords in storage and make it harder for hackers to crack encrypted passwords.
HIPAA Password Requirements and Password Managers
One area of weakness with passwords is that, by making passwords difficult to crack, they are also made very difficult for humans to remember. That often means individuals use tricks to get around password requirements (tricks that hackers are aware of) or write their passwords down. One way to resolve this problem is to use password management tools.
Password managers such as Bitwarden help users create strong, unique passwords for all accounts. Passwords that are extremely complex will protect against brute force attacks, yet individuals will not have to remember these passwords or write them down. The passwords are stored securely in the user’s password vault and are encrypted, and individuals then only need to create one, strong, master password for their password vault. That can be a long passphrase that is easy to remember but difficult to guess.
Two Factor Authentication Being Implemented by Many Medical Centers
Two-factor authentication is also now a widely accepted best practice for improving password security. Two-factor authentication, a form of multi-factor authentication, requires more than one method of authentication. Another factor must be provided in addition to a password before account access is granted. This is commonly an SMS message containing a PIN that is sent to a user’s mobile phone. Without that PIN, a password alone is not sufficient to grant access to an account.
Two-factor authentication has already been adopted by many medical centers and physician practices for credit card payments to adhere to the Payment Card Industry Data Security Standard (PCI DSS), and in relation to prescriptions to comply with the DEA's Electronic Prescription for Controlled Substances rules. However, for other systems such as email, two-factor authentication has often not been implemented.
It is true that two-factor authentication can impede workflows, but advances in software mean it is no longer a major issue; for instance, by using Single Sign-On between healthcare technologies, workflows are not disrupted. While two-factor authentication technology does not replace passwords, it is recommended to document all methods used to improve password security in your HIPAA documentation to demonstrate you are following industry best practices in the event of a breach investigation or compliance audit.
HIPAA Password Requirements – FAQs
What are the allowable alternatives to passwords under HIPAA?
In 2005, the Department of Health and Human Services released a Guide to the Technical Standards of the HIPAA Security Rule. The Guide states there are three basic methods for complying with the requirement that Covered Entities “implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”
- Implement an authentication method that requires something only known to the individual (e.g., a password or PIN),
- Implement an authentication method that requires something the individual possesses (e.g., a smart card or key), or
- Implement an authentication method that requires something unique to the individual (e.g., a fingerprint or facial image).
However, if a Covered Entity can comply with the requirement in an equally effective way, that would be an appropriate alternative to passwords under HIPAA and the Covered Entity would not have to comply with the HIPAA password requirements.
Have the HIPAA password expiration requirements changed?
Subsequent to the enactment of the Security Rule, NIST revised its recommendations for enforced password expirations. The organization found that when users were forced to change passwords, they often changed just one character so the password was still easy to remember (for example, “password100” to “password101”). This was considered to be unsafe because, if the original password had been compromised, there was a strong likelihood the new one would be as well.
The current guidance from NIST is that passwords should only be changed when there is evidence that the password has been compromised, or is weak, shared, or re-used. Although there have been no subsequent changes made to the HIPAA password expiration requirements, it is important to note the requirement to implement “procedures for creating, changing and safeguarding passwords” is addressable and Covered Entities have the option of not implementing the requirement if it is unreasonable or inappropriate. However, the decision not to implement enforced password changes must be documented.
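The two practices above, salting passwords before they are stored (the standard way to do this is a salted one-way hash) and changing a password only when it is weak, shared, reused or a trivial edit of the old one, can be put into working code. The following is an added example written for this page, not code from the article or from any product it mentions; the PBKDF2 iteration count, the weak-password list and all sample passwords are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed example, not code from the article. Passwords are stored as a
# salted one-way hash (never plaintext) and a password change is accepted only
# when it follows the NIST guidance quoted above: the new password must not be
# weak, reused, or a trivial edit of the old one ("password100" -> "password101").

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your hardware

# Constructed stand-in for a list of weak/breached passwords.
WEAK_PASSWORDS = {"password", "123456", "password100", "password101"}


def hash_password(password, salt=None):
    """Return 'salt$hash' in hex, using PBKDF2-HMAC-SHA256 with a random 16-byte salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def is_trivial_edit(old, new):
    """True for a one-character substitution, or one character added/removed at the end."""
    if len(old) == len(new):
        return sum(a != b for a, b in zip(old, new)) <= 1
    shorter, longer = sorted((old, new), key=len)
    return len(longer) == len(shorter) + 1 and longer.startswith(shorter)


def change_password(stored, current, new, history):
    """Return (True, new_stored_hash) if accepted, else (False, reason); `history` holds old 'salt$hash' values."""
    if not verify_password(current, stored):
        return False, "current password incorrect"
    if len(new) < 8:
        return False, "new password is too short"
    if new.lower() in WEAK_PASSWORDS:
        return False, "new password appears on the weak/breached list"
    if is_trivial_edit(current.lower(), new.lower()):
        return False, "new password is a trivial edit of the current one"
    if any(verify_password(new, old) for old in history):
        return False, "new password was reused from history"
    return True, hash_password(new)
```

The reuse check works because each stored value carries its own salt, so a candidate password can be re-hashed against every historical entry without ever keeping the old passwords in plain text.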
How often should passwords be changed in the EHR system?
With regards to EHR systems, the HIPAA password requirements are the same as for accessing databases and other directories containing ePHI. Therefore, according to NIST's recommendations, passwords should only be changed when there is evidence that the password has been compromised or shared among healthcare workers, students, and other employees.
Does HIPAA require two-factor authentication?
Two-factor authentication is a process in which an employee uses at least two of the three basic methods listed above to access ePHI (for example, a password and a key, or a PIN and a fingerprint). Although it is an effective method for adding an extra layer of security to ePHI, HIPAA does not require two-factor authentication unless a Covered Entity identifies a vulnerability in its information access management that is best resolved by implementing two-factor authentication.
Is there such a thing as a HIPAA-compliant password manager?
While password managers can support HIPAA compliance, it is not the technology that determines compliance but how it is used. Although HIPAA is deliberately technology neutral, it is a best practice to implement a password manager that has been audited for compliance with the HIPAA Security Rule and that uses end-to-end “zero knowledge” encryption.