How to Comply with HIPAA Password Requirements

HIPAA password requirements state that processes must be implemented for creating, changing, and safeguarding passwords, unless an alternative, equally effective security measure is adopted. We believe the best way to comply with the HIPAA password requirements is with two-factor authentication.

HIPAA password requirements are listed in the Administrative Safeguards of the HIPAA Security Rule. In the section that refers to Security Awareness and Training, §164.308(a)(5) states that Covered Entities must put in place “procedures for creating, changing and safeguarding passwords”.

HIPAA Experts Disagree on Strongest HIPAA Compliance Password Policy

Although security experts agree on the need for a strong password (the longest possible, incorporating numbers, special characters, and a mixture of upper and lower case letters), many do not agree on the best HIPAA compliance password policy, on how often passwords should be changed (if at all), or on the best way of safeguarding them.

While some experts argue that the best HIPAA compliance password policy means changing passwords every sixty or ninety days, others say that this is a waste of time: a specialist hacker should be able to defeat any user-generated password in less than ten minutes using a combination of technical, sociological, or subversive tactics (i.e. social engineering).

There is more common ground between specialists when it comes to safeguarding passwords. As a best practice for a HIPAA compliance password policy, most recommend the use of password management tools. Although these tools can also be bypassed, the software stores passwords in encrypted form, making them unusable to an attacker who obtains them.

HIPAA Password Requirements are Known as Addressable Requirements

When discussing the HIPAA password requirements it is important to recognize that these are “addressable” requirements. This does not mean they can be put off until another day. It means Covered Entities are permitted to “implement one or more alternative security measures to accomplish the same purpose.”

In the context of the Administrative Safeguards, the aim of the HIPAA password requirements is to “limit unnecessary or inappropriate access to and disclosure of Protected Health Information”. Given this aim, if a different security measure can be adopted that accomplishes the same purpose as creating, changing, and safeguarding passwords, the Covered Entity remains compliant with HIPAA.

Two-factor authentication meets this requirement. Whether delivered by SMS alert or push notification, a person using a username and password to log into a database that stores PHI also has to enter a PIN code to confirm their identity. Because a unique PIN code is issued for each login attempt, a compromised password on its own will not give a hacker access to the database.
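As an added illustration (not part of the original article, and not a description of any particular vendor's product), the following Python code shows the mechanism the paragraph relies on. It assumes the per-login PIN is a time-based one-time code (TOTP, RFC 6238), which is one common way such codes are produced; the login checks a stored password hash first and then the one-time code, and it records the last accepted time step so that a code captured by a keylogger or phishing page cannot be replayed. The user record, salt, password and timestamps are constructed sample values; the TOTP secret is the RFC 4226/6238 test-vector key so the generated codes can be checked against the published vectors.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


# --- One-time code generation (RFC 4226 HOTP / RFC 6238 TOTP) -------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated
    to 31 bits and reduced to `digits` decimal digits (RFC 4226 section 5.3)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from the clock: time // step."""
    return hotp(secret, unix_time // step, digits)


# --- First factor: salted password hash ------------------------------------

def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


@dataclass
class UserRecord:
    username: str
    salt: bytes
    password_hash: bytes
    totp_secret: bytes
    # Highest time-step counter already accepted. Codes at or below it are
    # rejected, so a code that was observed once cannot be used a second time.
    last_accepted_counter: int = -1


def check_password(user: UserRecord, password: str) -> bool:
    candidate = hash_password(password, user.salt)
    return hmac.compare_digest(candidate, user.password_hash)


def check_one_time_code(user: UserRecord, submitted: str, unix_time: int,
                        step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step or `window` steps either side
    (tolerates clock drift), but never a step that has already been consumed."""
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if counter <= user.last_accepted_counter:
            continue  # replay of an already-used code, or a stale one
        expected = hotp(user.totp_secret, counter, digits)
        if hmac.compare_digest(expected, submitted):
            user.last_accepted_counter = counter
            return True
    return False


def login(user: UserRecord, password: str, one_time_code: str, unix_time: int) -> bool:
    """Both factors must pass. A failed password returns before the code is
    checked (so a guess does not consume a valid code), and a correct password
    with a wrong or reused code is refused: the password alone never grants access."""
    if not check_password(user, password):
        return False
    return check_one_time_code(user, one_time_code, unix_time)


# Constructed sample data (not from the article). The secret is the RFC 4226
# test-vector key, so totp(SAMPLE_SECRET, 59) == "287082" per RFC 6238.
SAMPLE_SALT = b"constructed-salt-value"
SAMPLE_SECRET = b"12345678901234567890"


def make_sample_user() -> UserRecord:
    return UserRecord("clinician01", SAMPLE_SALT,
                      hash_password("correct horse", SAMPLE_SALT), SAMPLE_SECRET)


if __name__ == "__main__":
    user = make_sample_user()
    now = 59
    code = totp(SAMPLE_SECRET, now)
    print(login(user, "correct horse", code, now))        # True: both factors valid
    print(login(user, "correct horse", code, now))        # False: same code replayed
    print(login(user, "correct horse", "000000", now + 30))  # False: password alone
```

The replay check is the detail most often missed when a one-time code is bolted onto an existing login: without `last_accepted_counter`, a code observed in transit stays valid for the rest of its time step plus the drift window.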

Two-Factor Authentication Being Implemented by Many Medical Centers

Tellingly, two-factor authentication has already been adopted by many medical centers, but not to secure the confidentiality, integrity, and security of PHI. Instead it is used by medical centers accepting credit card payments to comply with the Payment Card Industry Data Security Standard (PCI DSS), and by others to comply with the DEA's Electronic Prescription for Controlled Substances rules.

Healthcare IT workers will be quick to stress that two-factor authentication can slow workflows, but recent advances in the software permit LDAP integration and Single Sign-On between healthcare technologies. Because two-factor authentication systems only transmit PIN codes (and not PHI), the software does not have to be HIPAA compliant, and it is a far simpler route to compliance with the HIPAA password requirements than frequent password changes and password management utilities. Effectively, Covered Entities never need to change a password again.

The one thing Covered Entities must keep in mind before adopting two-factor authentication to safeguard PHI is that, because the HIPAA password requirements are addressable safeguards, the reasons for adopting the alternative solution have to be documented. This satisfies the HIPAA requirement to complete a risk analysis and will also satisfy auditors if the Covered Entity is selected for review under HHS's HIPAA Audit Program.

HIPAA Password Requirements and Password Managers

As noted above, most user-generated passwords can be cracked within ten minutes, and social engineering and phishing are likely to speed up the hacker's work further.

Randomized passwords including numbers, symbols, and a mix of upper and lower case letters obviously take more time to crack, but they are still crackable. They are also much more difficult for users to remember. Without a password manager, the only way for a user to log onto the account is to have the password written down or stored on another device, such as an unsecured smartphone. Secure password management tools such as Bitwarden solve this problem by storing passwords in encrypted form.

Logging onto password-protected accounts from secondary devices increases the risk of a data breach due to keylogging malware. This sort of malware runs undetected on computers and mobile devices, secretly recording every keystroke in a file for later retrieval by a hacker. Because this is a foreseeable risk to the security of Protected Health Information, Covered Entities must either develop policies restricting the devices from which users can access password-protected accounts, or find a different solution to the HIPAA password requirements.