Blog

Setting a HIPAA Proof Password

HIPAA
August 27, 2020
An easy step that organizations can take to protect PHI (and just about any digital tool they use) is strong passwords. But what does HIPAA say about passwords?

Setting a Fool-proof HIPAA Password

HIPAA Password Requirements

Under the Security Rule there are physical, technical and administrative standards that must be complied with. Under the administrative safeguard requirements, covered entities are directed to enforce “procedures for creating, changing, and safeguarding passwords.” Other than the expectation that standards are set, the Security Rule doesn’t offer any details on what requirements passwords must meet. This vague direction has been the cause of some questions for those looking to comply with HIPAA, but this ambiguity is on purpose and can actually be a good thing. 

In order to achieve HIPAA compliance, there are many procedures and policies that must be implemented and monitored regularly within an organization. These areas that must be maintained are outlined in the various rules within HIPAA. One aspect of HIPAA compliance that has been the center of many questions is what the requirements of an effective password are.

Password Details within HIPAA 

One thing to remember about certain aspects of HIPAA is that they were intentionally designed to be slightly vague so that organizations can create procedures that uniquely fit their situation and the resources available to them. HIPAA compliant organizations can range from small 1-2 person tech companies to entire hospital corporations which makes “one size fits all solutions” to policies like password security a bit tricky. 

The idea is that all these organizations will exert a “good faith effort” to follow the regulations and maximize security. Passwords are the first obstacle that a hacker will encounter with attempting to steal information so weak passwords can lead to easier unauthorized access and eventually to costly breaches in Protected Health Information, or PHI.  

Nationwide Password Standards

Since HIPAA doesn’t outline specific password requirements, we can instead look to other regulatory organizations that offer this type of guidance. The National Institute of Standards and Technology (NIST) releases password standards that are widely followed. Each year their security standards, which are used by all the federal agencies, are updated and include both requirements and additional recommendations. 

NIST Password Requirements and Recommendations 

  • Password Length: The NIST requirements are that a strong password meets a minimum of 8 characters but it is also recommended that the maximum number of characters be set at 64. 
  • Password Hints: When it comes to setting hints or security questions that are based on personal knowledge, these are required to be avoided at all costs by NIST. 
  • Changing Passwords: Although it is sometimes recommended that passwords be regularly updated, NIST only requires that passwords be changed when there is evidence of compromise. If you have ever had a password be compromised, make sure to screen all new passwords by this list of past compromised passwords. 
  • Passwords You Can Remember: Contrary to previous recommendations, NIST does not recommend making passwords overly complicated but rather they should just be sufficiently unique while still memorable to the user. 
  • Failed Authentication: If you are setting password policies within your organization, be sure to limit the amount of failed authentication attempts that are allowed. 

Two-factor authentication

As mentioned, the requirements of HIPAA are purposely vague in some areas so that companies can utilize alternative safeguards as long as they fit within the overall goal. In this case that means that an alternate form of creating, changing and safeguarding passwords can be used assuming that it serves the same purpose. 

That is where two-factor authentication comes into play as it utilizes a form of push notification following the entry of a person’s password that they must then enter in a pin code before gaining access to the information. Although this is a bit different than simply mandating the length or amount of special characters needed in a chosen password, it is an alternate form of password security that can be useful for HIPAA compliant organizations. 

Secure Password requirements are important to address as they are the first line of defense against hackers and their cybersecurity attacks. Once you have set HIPAA and NIST proof password standards, make sure that you have a plan to meet all the other aspects of HIPAA compliance.


More from the Blog

GenixTec has achieved HIPAA Compliance with Accountable
Compliant Tools

GenixTec has achieved HIPAA Compliance with Accountable

HIPAA and Workforce Training
HIPAA

HIPAA and Workforce Training

Understanding HIPAA Certification
HIPAA

Understanding HIPAA Certification

Is Google Docs HIPAA Compliant?
Compliant Tools

Is Google Docs HIPAA Compliant?

Is Calendly HIPAA Compliant?
Compliant Tools

Is Calendly HIPAA Compliant?

Is Google Sheets HIPAA Compliant?

Is Google Sheets HIPAA Compliant?

Is iCloud HIPAA Compliant?
Compliant Tools

Is iCloud HIPAA Compliant?

President Biden Looks to Boost Cybersecurity at U.S. Ports
Data Security

President Biden Looks to Boost Cybersecurity at U.S. Ports

Get Started
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Ready to chat?

See how some of the fastest growing companies use Accountable to build trust through privacy and compliance.
Trusted by
Accountable Compliance Management Logo

We make it easy to get your own HIPAA Certification and build trust with your customers and patients.

Product
PlaybooksHow it worksProductPricingWatch DemoSeal of ComplianceGet Support
Solutions
HIPAAGDPR
Resources
BlogHIPAA TrainingHIPAA Risk AnalysisGDPR Risk Analysis
Company
AboutCareersSupportContact UsPrivacy CenterProduct Updates
Account
Sign InForgot Password

"Accountable allowed us to quickly establish Core Compliance with HIPAA as well as a firm foundation for our Security Program." - Michael H.

© 2024 Accountable HQ, Inc.
SitemapTerms of ServicePrivacy Policy