Bitwarden is officially a HIPAA-compliant password manager after receiving a HIPAA Security Rule Assessment Report from AuditOne in December 2020. This acknowledgement adds to our other notable regulatory compliance including GDPR, CCPA, SOC 2, SOC 3, and Privacy Shield.
Password managers store critical information for individuals and organizations around the world, and these systems go far beyond just storing passwords. Bitwarden, for example, offers unique templates to store credit cards, identity information, and notes. Users have complete freedom to decide what information they store in their Vault, with the confidence of knowing that all information is protected by end-to-end encryption.
Given the variety of data that can be stored, it’s important that password manager software vendors take all precautions to protect that data, including meeting critical compliance regulations that apply to different industries.
Because no one at Bitwarden can see what data is stored in a personal Vault, we have to assume that our customers could choose to store protected health information (PHI) or other HIPAA-related data there. And so it’s our responsibility to be compliant with regulations for the handling of PHI, namely HIPAA.
Some other password managers take the position that they do not store PHI and therefore do not need to provide HIPAA compliant password management. However, the Department of Health and Human Services has made it clear that regardless of whether the data stored is encrypted, and whether or not the provider has the encryption key, providers are still responsible to comply with HIPAA regulations.
At Bitwarden, we want to make things simple for our customers, so we did the work, and are now a HIPAA-ready password manager.
Whether you’re in the healthcare industry or not, providing employees with a password manager helps mitigate risk. Without a credential management system, employees are more likely to practice unsafe password security with do-it-yourself approaches that are nearly always less secure.
According to a Google survey in 2019, password reuse is still a common practice for more than half of the participants. The same survey found that only 24 percent were using a password manager.
Another research project found that while many passwords “tick all the security checks… are still easy to guess because most of us follow the same patterns.”
The best way to mitigate these risks is by using a password manager.
Organizations are becoming increasingly aware of the need for education and training around how to use a password manager for personal and professional credentials.
In our experience, reliable training practices that reduce risk involve awareness, consistency, and the right tools.
Awareness: Employees cannot improve their routines without knowing there’s a problem first. Security teams should shed light on common password mis-management practices, so employees can start to recognize their weak spots.
Consistency: Secure password practices are not always top of mind for your employees. Stay ahead by consistently bringing up your security policies and best practices to encourage familiar and use. Hold security training about tools and best practices multiple times per year, and make them mandatory as part of on-boarding new employees.
Tools: Choose a password management tool that is easy to use, end-to-end encrypted, and can scale to meet the needs of your team. A password manager is the easiest and safest way for individuals to store, share, and secure sensitive data.
If you’d like more information about HIPAA compliance, or need to explore Bitwarden signing a Business Associate Agreement, contact us.
Editor's Note: This article was originally written on December 7th, 2020 and was updated on July 16th, 2022.