HIPAA password requirements state that procedures must be implemented for creating, changing and securing passwords unless a different, equally-effective security measure is chosen.
The password requirements under HIPAA are available the Administrative Safeguards of the HIPAA Security Rule. Under the section relating to Security Awareness and Training, §164.308(a)(5) states Covered Entities must implement “procedures for creating, changing and safeguarding passwords”.
IT Specialist Disagree on Best HIPAA Compliance Password Policy
even though all security specialists agree the need for a strong password (the longest possible, incorporating numbers, special characters, and a mixture of upper and lower case letters), many do not find common ground in relation to the best HIPAA compliance password policy, the frequency at which passwords should be amended (if at all) and the best way of securing them.
While some experts believe the best HIPAA compliance password policy includes changing passwords every 60 or 90 days, other experts say the effort achieves nothing. A talented hacker should be able to crack any user-generated password within ten minutes using technical, sociological or other sneaky methods (i.e. social engineering).
There is more agreement among IT specialists in relation to safeguarding passwords. In respect of a best practice for a HIPAA compliance password policy, most recommend the use of password management utilities. Although these tools can also be hacked by cyber criminals, the software records passwords in encrypted format, making them unusable by cyber criminals.
HIPAA Password Obligations are Addressable Requirements
You should remember that HIPAA password requirements are “addressable” requirements. This does not mean they can be disregarded, however it does mean covered entities can “implement one or more alternative security measures to accomplish the same purpose.”
In relation to the Administrative Safeguards, the aim of the HIPAA password requirements is to “limit unnecessary or inappropriate access to and disclosure of Protected Health Information”. Therefore, if a different security measure can be put in place that achieves the same purpose as designing, changing and securing passwords, the Covered Entity is complying with HIPAA.
Two-factor authentication meets this requirement adequately. Whether through SMS notification or push notification, a person using a username and password to log into a database that stores PHI also has to use a PIN code to confirm their identity. As a unique PIN code is sent with every log-in attempt, a compromised password alone will not give a hacker access to the secured database.
Two Factor Authentication ithe Choice of Most Medical Organizations
Two factor authentication is already in use by the majority of medical organizations, but not to secure the confidentiality, integrity and security of PHI. Instead it is implemented by medical organization accepting credit card payments to adhere with the Payment Card Industry Data Security Standard (PCI DSS) and by others to adhere with the DEA´s Electronic Prescription for Controlled Substances Rules.
Healthcare IT workers will be quick to emphasise that two factor authentication can delay workflows, but recent advances in the software permit LDAP integration and Single Sign-On between healthcare technologies. As two factor authentication software only sends PIN codes (and not PHI) the software does not need to be HIPAA compliant, and it is a far easier solution for compliance with the HIPAA Password requirements than constant changes of passwords and password management tools. Effectively, Covered Entities never need amend a password again.
The only thing Covered Entities have to remember before putting in place two factor authentication to protect PHI is that, due to HIPAA Password requirements are addressable safeguards, the reasons for putting in place the alternative solution have to be officially recorded. This will meet the HIPAA requirements for completing a risk analysis and also satisfy auditors if the Covered Entity is chosen to be reviewed as part of HHS´ HIPAA Audit Program.