HIPAA Password Requirements
Under the Security Rule there are physical, technical and administrative standards that must be complied with. Under the administrative safeguard requirements, covered entities are directed to enforce “procedures for creating, changing, and safeguarding passwords.” Other than the expectation that standards are set, the Security Rule doesn’t offer any details on what requirements passwords must meet. This vague direction has been the cause of some questions for those looking to comply with HIPAA, but this ambiguity is on purpose and can actually be a good thing.
In order to achieve HIPAA compliance, there are many procedures and policies that must be implemented and monitored regularly within an organization. These areas that must be maintained are outlined in the various rules within HIPAA. One aspect of HIPAA compliance that has been the center of many questions is what the requirements of an effective password are.
Password Details within HIPAA
One thing to remember about certain aspects of HIPAA is that they were intentionally designed to be slightly vague so that organizations can create procedures that uniquely fit their situation and the resources available to them. HIPAA compliant organizations can range from small 1-2 person tech companies to entire hospital corporations which makes “one size fits all solutions” to policies like password security a bit tricky.
The idea is that all these organizations will exert a “good faith effort” to follow the regulations and maximize security. Passwords are the first obstacle that a hacker will encounter with attempting to steal information so weak passwords can lead to easier unauthorized access and eventually to costly breaches in Protected Health Information, or PHI.
Nationwide Password Standards
Since HIPAA doesn’t outline specific password requirements, we can instead look to other regulatory organizations that offer this type of guidance. The National Institute of Standards and Technology (NIST) releases password standards that are widely followed. Each year their security standards, which are used by all the federal agencies, are updated and include both requirements and additional recommendations.
NIST Password Requirements and Recommendations
- Password Length: The NIST requirements are that a strong password meets a minimum of 8 characters but it is also recommended that the maximum number of characters be set at 64.
- Password Hints: When it comes to setting hints or security questions that are based on personal knowledge, these are required to be avoided at all costs by NIST.
- Changing Passwords: Although it is sometimes recommended that passwords be regularly updated, NIST only requires that passwords be changed when there is evidence of compromise. If you have ever had a password be compromised, make sure to screen all new passwords by this list of past compromised passwords.
- Passwords You Can Remember: Contrary to previous recommendations, NIST does not recommend making passwords overly complicated but rather they should just be sufficiently unique while still memorable to the user.
- Failed Authentication: If you are setting password policies within your organization, be sure to limit the amount of failed authentication attempts that are allowed.
As mentioned, the requirements of HIPAA are purposely vague in some areas so that companies can utilize alternative safeguards as long as they fit within the overall goal. In this case that means that an alternate form of creating, changing and safeguarding passwords can be used assuming that it serves the same purpose.
That is where two-factor authentication comes into play as it utilizes a form of push notification following the entry of a person’s password that they must then enter in a pin code before gaining access to the information. Although this is a bit different than simply mandating the length or amount of special characters needed in a chosen password, it is an alternate form of password security that can be useful for HIPAA compliant organizations.
Secure Password requirements are important to address as they are the first line of defense against hackers and their cybersecurity attacks. Once you have set HIPAA and NIST proof password standards, make sure that you have a plan to meet all the other aspects of HIPAA compliance.