The Health Insurance Portability and Accountability Act (HIPAA) requires the use of passwords or an equivalent method of securing accounts that have access to electronic protected health information (ePHI). In this post we explore the HIPAA password requirements to help you develop and implement a HIPAA compliance password policy to reduce the risk of data breaches and regulatory fines for those who work with ePHI.
HIPAA requires an authentication method to be implemented to prevent unauthorized individuals from gaining access to ePHI and passwords are the easiest authentication method to use. The cost and complexities of using alternative methods to passwords means most healthcare organizations will continue to rely on passwords for authentication for the foreseeable future.
The HIPAA password requirements are found in the administrative safeguards of the HIPAA Security Rule, at 45 CFR § 164.308(a)(5)(ii)(D), under the heading “Password management.” This is an addressable rather than a required implementation specification, and it calls for “Procedures for creating, changing, and safeguarding passwords.”
It is important to explain the distinction between ‘addressable’ and ‘required’ in the HIPAA Security Rule. Required means HIPAA-covered entities must implement the specification as written. Addressable does not mean optional: the entity must assess whether the specification is reasonable and appropriate in its environment and then either implement it, implement an equivalent alternative measure, or document why neither is necessary. In practice, that means passwords must be used to secure accounts unless an alternative measure is implemented that provides an equivalent level of protection. Biometric authentication such as fingerprint recognition, for example, could serve as a HIPAA-compliant alternative to passwords.
The decision whether to use passwords or an alternative method for securing accounts should be guided by a risk analysis. Whatever decision you take, you should document it along with the rationale behind the decision.
HIPAA requires covered entities and their business associates to develop and implement a password policy. To comply with the password requirements of the HIPAA Security Rule, a HIPAA compliance password policy must cover the creation of passwords, HIPAA password change requirements, and safeguarding passwords.
The HIPAA password requirements do not include specifics about password length and complexity. That is because best practices change over time, and specific technical requirements written into the rule would need regular regulatory updates to stay current. Instead, the Security Rule leaves the specifics to each organization's risk analysis, with the expectation that recognized security practices are followed.
Recognized security practices should be followed, such as those provided by the National Institute of Standards and Technology (NIST) in its special publications. NIST password guidance is included in its Digital Identity Guidelines – Authentication and Lifecycle Management Special Publication (800-63B). A HIPAA password policy should be based on the latest recommendations from NIST.
NIST guidelines recommend requiring a minimum of 8 characters for user-chosen passwords, and permitting much longer ones (at least 64 characters), to make passwords less susceptible to brute force attacks. Rather than forcing a mix of character types, NIST recommends screening every new password against a blocklist of commonly used, expected, or previously compromised values, so dictionary words and well-known weak passwords such as Qwerty123! are rejected at creation time.
Creating passwords that are long, complex, and random makes passwords much harder to guess, but also much harder to remember. As a result, users tend to create passwords in a predictable way. That means that even if the use of complex passwords is enforced, the passwords may not be particularly strong.
Current best practice therefore avoids requiring the use of special characters, instead simply allowing them to be used. Longer passwords are better and users are encouraged to use passphrases rather than passwords. A passphrase consists of a longer string of preferably unrelated words, such as “raccoon-doorknob-spacecraft”.
NIST no longer recommends enforcing periodic password changes, a practice also referred to as rotating passwords. “Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future,” explains NIST. “When those changes do occur, they often select a secret that is similar to their old, memorized secret by applying a set of common transformations such as increasing a number in the password.” A forced change is still appropriate when there is evidence that a password has been compromised; NIST's objection is to arbitrary, calendar-driven rotation.
Once a HIPAA password policy has been developed, it should be enforced and employees should be trained on password security and password cybersecurity best practices, such as always creating unique passwords, never reusing or recycling passwords, and techniques for creating strong passwords.
HIPAA does not detail specific requirements for safeguarding passwords, so these too should follow cybersecurity best practices. Passwords should never be stored in plaintext, and they should not be stored with reversible encryption either. Instead, each password should be run through a deliberately slow password-hashing function such as bcrypt, scrypt, Argon2, or PBKDF2, combined with a unique, random salt per password, and only the salted hash should be stored. Passwords must also be protected in transit, for example by only accepting them over TLS. Salted, slow hashing makes it far harder for an attacker who obtains the stored password database to recover the original passwords by cracking.
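As an added example (not code from the original post or from Bitwarden), the following Python shows the two pieces discussed above working together: a policy check that follows the NIST SP 800-63B recommendations (minimum length, no composition rules, screening against a blocklist) and storage using a per-password random salt with the memory-hard scrypt function from the standard library, plus constant-time verification. The blocklist, the scrypt cost parameters, the length cap, and the stored record format are constructed for this demonstration and are assumptions, not anything the page or NIST prescribes.

```python
import hashlib
import hmac
import os
import unicodedata

# Lengths follow NIST SP 800-63B for user-chosen memorized secrets: at least
# 8 characters, and at least 64 must be permitted. The 128 cap is this
# example's own choice to bound hashing cost.
MIN_LEN = 8
MAX_LEN = 128

# Constructed blocklist standing in for a real corpus of commonly used,
# expected, or breached passwords (compare case-insensitively).
BLOCKLIST = {
    "password", "password1", "qwerty123!", "123456", "letmein",
    "welcome1", "iloveyou", "admin",
}

# scrypt cost parameters: hypothetical values that run quickly for the demo
# (about 16 MiB of memory); production deployments tune N upward.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1


def _normalize(password: str) -> bytes:
    # NIST recommends NFKC normalization so the same passphrase typed on
    # different keyboards or platforms compares equal.
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def check_password_policy(candidate: str) -> list:
    """Return a list of policy violations; an empty list means accepted.

    Deliberately applies no composition rules (no required digits or
    symbols), as SP 800-63B recommends; length and the blocklist do the work.
    """
    normalized = unicodedata.normalize("NFKC", candidate)
    problems = []
    if len(normalized) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(normalized) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if normalized.casefold() in BLOCKLIST:
        problems.append("appears on the blocklist of common or compromised passwords")
    return problems


def hash_password(password: str) -> str:
    """Hash with a fresh 16-byte random salt and the memory-hard scrypt KDF.

    Record format (this example's convention): scrypt$N$r$p$<salt hex>$<hash hex>.
    Storing the parameters with the hash lets you raise them later without
    invalidating existing records.
    """
    salt = os.urandom(16)
    digest = hashlib.scrypt(
        _normalize(password), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash using the stored salt and parameters; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(
        _normalize(password), salt=bytes.fromhex(salt_hex),
        n=int(n), r=int(r), p=int(p), dklen=32,
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for pw in ["Qwerty123!", "short", "raccoon-doorknob-spacecraft"]:
        print(repr(pw), "->", check_password_policy(pw) or "accepted")
    record = hash_password("raccoon-doorknob-spacecraft")
    print(record)
    print(verify_password("raccoon-doorknob-spacecraft", record))
    print(verify_password("raccoon-doorknob-spacecraft2", record))
```

Because the salt is random, hashing the same password twice yields two different records, so an attacker who steals the database cannot spot users sharing a password and must attack each record separately.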
It is now widely accepted that organizations handling ePHI should implement multi-factor authentication (MFA) to mitigate risk in cases where passwords might be compromised. Here's how that works: even if a password is compromised, for example in a phishing attack, the malicious party cannot gain access to your system using the password alone; they would also need the additional factor, such as a one-time code or a hardware authenticator, to do so. In that way, MFA prevents a compromised password by itself from being used to gain access to accounts that store ePHI. Note that one-time codes can themselves be captured by a convincing phishing page, so phishing-resistant factors such as FIDO2/WebAuthn security keys offer the strongest protection.
Since healthcare organizations will likely have to manage hundreds or thousands of passwords, it is worth considering a HIPAA-compliant password manager such as Bitwarden. Bitwarden is an open source, enterprise scale password manager that can be downloaded onto any device – and accessed from anywhere.
Bitwarden makes it easy to generate and store unique passwords, create user groups, and monitor activity via event and audit logs. For larger healthcare organizations, Bitwarden supports API access, Directory Sync, and custom management roles, plus the option to apply management policies.
Some password managers argue that HIPAA compliance is not required of a password manager because data that is stored is encrypted. However, the HIPAA encryption requirements state that systems used to store ePHI, even if that data is encrypted, must be HIPAA compliant. That’s why Bitwarden has invested in HIPAA compliance, certified by a third-party auditor, and complies with the requirements to be a trusted Business Associate of any healthcare organization that must operate under HIPAA regulations.
Try Bitwarden for free for your team or organization today.
Editor's Note: This blog was originally published on Monday, March 29th 2021 and was updated on Friday, May 20th 2022.