The HIPAA password requirements list the procedures that must be established to create, change and safeguard passwords successfully and safely, unless a different, equally effective security measure is put in place. We suggest the best way to comply with the HIPAA password requirements is by using two factor authentication.
The HIPAA password requirements can be found in the Administrative Safeguards of the HIPAA Security Rule. Under the section on Security Awareness and Training, §164.308(a)(5) stipulates that Covered Entities must use “procedures for creating, changing and safeguarding passwords”.
Disagreement on Best HIPAA Compliance Password Policy
Although all security specialists agree on the need for a strong password (the longest possible, including numbers, special characters, and a mix of upper and lower case letters), many disagree on the best HIPAA compliance password policy, the frequency at which passwords should be changed (if at all) and the best way of securing them.
Whereas some specialists claim the best HIPAA compliance password policy involves changing passwords every sixty or ninety days, other specialists say the effort is a waste of time. A skilled hacker should be able to crack any user-generated password in less than ten minutes using a combination of technical, sociological, or subversive methods (i.e. social engineering).
There is more agreement between experts when it comes to protecting passwords. As a best practice for a HIPAA compliance password policy, most recommend the use of password management tools. Although these tools can also be infiltrated, the software stores passwords in encrypted form, making them unusable by hackers.
The HIPAA Password Requirements are Addressable
One important point to remember when discussing the HIPAA password requirements is that they are “addressable” requirements. This does not mean they can be delayed to another date. It means Covered Entities can “implement one or more alternative security measures to accomplish the same purpose.”
In relation to the Administrative Safeguards, the purpose of the HIPAA password requirements is to “limit unnecessary or inappropriate access to and disclosure of Protected Health Information”. Therefore, if a different security measure can be implemented that accomplishes the same purpose as creating, changing and protecting passwords, the Covered Entity is in compliance with HIPAA.
Two-factor authentication meets this requirement perfectly. Whether by SMS notification or push notification, a person using a username and password to log into a database holding PHI also has to enter a PIN code to confirm who they are. As a unique PIN code is issued with each login attempt, a compromised password alone will not give a hacker access to the secure database.
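The mechanism described above, as an added example that is not part of the original article: a password check that, only on success, mints a single-use PIN bound to that login attempt, with the SMS/push delivery simulated by a `deliver` callback. The PIN lifetime, PBKDF2 work factor and six-digit PIN format are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

PIN_TTL_SECONDS = 120  # assumed validity window for a delivered PIN

@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    # attempt_id -> (pin, expiry): one entry per attempt that passed the password check
    pending: Dict[str, Tuple[str, float]] = field(default_factory=dict)

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(password: str) -> User:
    salt = secrets.token_bytes(16)
    return User(salt=salt, pw_hash=_hash_password(password, salt))

def first_factor(user: User, password: str, deliver: Callable[[str], None],
                 now: Optional[float] = None) -> Optional[str]:
    """Check the password. On success mint a PIN for this attempt only, hand it to
    the out-of-band channel (SMS/push, simulated by `deliver`) and return an
    attempt id the client must present together with the PIN."""
    if not hmac.compare_digest(user.pw_hash, _hash_password(password, user.salt)):
        return None  # wrong password: no PIN is issued, nothing is sent
    now = time.time() if now is None else now
    attempt_id = secrets.token_hex(8)
    pin = f"{secrets.randbelow(10**6):06d}"
    user.pending[attempt_id] = (pin, now + PIN_TTL_SECONDS)
    deliver(pin)
    return attempt_id

def second_factor(user: User, attempt_id: str, pin: str,
                  now: Optional[float] = None) -> bool:
    """Consume the PIN for this attempt. It is removed on any outcome, so it works
    once and a wrong guess cannot be retried against the same PIN."""
    entry = user.pending.pop(attempt_id, None)
    if entry is None:
        return False  # unknown attempt, or PIN already used
    expected, expiry = entry
    now = time.time() if now is None else now
    if now > expiry:
        return False  # PIN expired
    return hmac.compare_digest(expected, pin)
```

A stolen password gets an attacker only as far as `first_factor`; without the PIN that went to the user's device, `second_factor` never returns True, and a PIN that was observed once cannot be replayed.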
Two Factor Authentication Implemented by Many Medical Facilities
Interestingly, two factor authentication is already deployed in many medical facilities, but not to safeguard the confidentiality, integrity and security of PHI. Instead it is used by medical facilities accepting credit card payments to comply with the Payment Card Industry Data Security Standard (PCI DSS) and by others to adhere to the DEA's Electronic Prescription for Controlled Substances Rules.
Healthcare IT specialists will be quick to stress that two factor authentication can slow workflows, but recent advances in the software allow LDAP integration and Single Sign-On between healthcare technologies. As two factor authentication software only sends PIN codes (and not PHI), the software does not need to be HIPAA compliant, and it is a far easier solution for compliance with the HIPAA password requirements than frequent changes of passwords and password management tools. Effectively, Covered Entities never need to change a password again.
The only thing Covered Entities have to be conscious of before implementing two factor authentication to protect PHI is that, because the HIPAA password requirements are addressable safeguards, the reasons for implementing the alternative solution have to be officially recorded. This will meet the HIPAA requirements for conducting a risk analysis and also satisfy auditors if the Covered Entity is chosen to be reviewed as part of HHS' HIPAA Audit Program.
Why a Different Option to the HIPAA Password Requirements should be Considered
It was mentioned above that most user-generated passwords can be cracked within ten minutes. That may seem an outrageous claim to some IT specialists, but this tool on the random-ize password generating website will give you an idea of how long it could take a determined hacker to find any password by brute force alone. Social engineering and phishing will likely cut this time even more.
Randomized passwords containing numbers, symbols and a mixture of upper and lower case letters obviously take more time to crack – but they are still crackable. They are also much more difficult for users to remember; and although secure password management tools exist to store passwords safely, if a user wants to access a password-protected account from another device, password management tools are ineffective. The only way for the user to log into the account is to have the password written down or saved on another device – such as an unsecured mobile phone.
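As an added illustration of the comparison above (not part of the original article), the following estimates the worst-case brute-force effort from a password's length and the character classes it uses. The guess rate is an assumption and the sample passwords are constructed; the estimate ignores dictionary attacks and the social-engineering shortcuts the article mentions, so it is an upper bound, not a prediction.

```python
import math
import string

# Character classes an attacker must include in the search once they know the
# password uses them: lowercase (26), uppercase (26), digits (10), symbols (32).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def alphabet_size(password: str) -> int:
    """Sum of the sizes of the character classes actually present in the password."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))

def keyspace(password: str) -> int:
    """Candidates a brute-force search must cover in the worst case, assuming the
    attacker knows only the length and which classes are used."""
    return alphabet_size(password) ** len(password)

def entropy_bits(password: str) -> float:
    return math.log2(keyspace(password))

def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole keyspace at the given rate. The rate
    is an assumption: it depends on the attacker's hardware and on how the
    password was hashed by the system being attacked."""
    return keyspace(password) / guesses_per_second

if __name__ == "__main__":
    rate = 1e10  # assumed guesses per second, for illustration only
    # constructed samples: a typical user-chosen word, a "leet" variant, a random string
    for pw in ("patients", "Pa55w0rd!", "k7#Qz!2mW$pL"):
        days = seconds_to_exhaust(pw, rate) / 86400
        print(f"{pw!r:16} alphabet={alphabet_size(pw):3} "
              f"bits={entropy_bits(pw):5.1f} worst case={days:.2e} days")
```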
Accessing password-protected accounts from secondary devices increases the danger that a data breach will occur due to keylogging malware. This type of malware runs unnoticed on computers and mobile devices, secretly recording every keystroke in a file for later retrieval by a hacker. As this is a foreseeable risk to the security of Protected Health Information, Covered Entities must either create policies to limit users to the devices from which they can access password-protected accounts, or find an alternative to the HIPAA password obligations.