HIPAA Password Requirements

As part of the Administrative Safeguards in the HIPAA Security Rules, any Covered Entities (CEs) must have clear policies on creating, storing and changing passwords. If this is not possible, alternative security measures that are equally secure are acceptable. This is stipulated in the Administrative Safeguard’s “Security Awareness and Training” guidelines.

Complying to HIPAA’s Password Policies

No-one contests the need for strong passwords in the healthcare sector, though how they are to comply with HIPAA policy is debated. Security experts agree that passwords should be long, with a mix upper- and lower-case characters, numbers and special characters. However, there is disagreement on how often the passwords should be changed and how they should be stored. Some suggest changing a password every sixty days, whilst others claim this is a waste. They argue that any hacker targeting Protected Health Information (PHI) would be able to decipher a password within ten minutes if they are to do it at all.

Additionally, frequent changes of password makes it more likely that an employee will write them down, dramatically decreasing their security.

The majority of security experts recommend that, to prevent a HIPAA violation, password management programs should be used. Even if these programs are hacked, they encrypt stored passwords in such a way that they would be unreadable by hackers in the case of a breach.

“Addressable Requirements” and Passwords

HIPAA legislation describes password safeguards as an “addressable” requirement. This means that a CE can “implement one or more alternative security measures to accomplish the same purpose.” So long as a security measure maintains the integrity of PHI and does not permit unauthorised personnel to access it, it is seen as HIPAA-compliant. This is, in part, to ensure that HIPAA regulation can remain current even as technology advances.

Two-Factor Authentication

Many healthcare providers and other such CEs already use two-factor authentication. Anyone trying to access a database that stores PHI is sent a text message or other notification containing a PIN code. Both the password and the PIN must be correct to permit access. With each login, there is a new PIN code issued. This way, even if a hacker manages to overcome the password requirement, they do not have the PIN and thus cannot access the data.

Despite its widespread use, two-factor authentication is not yet used to protect private patient data. Instead, medical centres use it to comply with Payment Card Industry Data Security Standard (PCI DSS) and the DEA’s Electronic Prescription for Controlled Substances Rules. The lack of two-factor authentication in accessing PHI is explained by the fact it delays workflow, though this may be better than having less secure data. Additionally, the technology is being constantly improved – LDAP integration and Single Sign-On in healthcare technologies make it more user-friendly.

Arguably, he use of two-factor authentication is more feasible than constantly changing passwords, as it reduces the likelihood of passwords being written down and lost. Thus, it is easier for companies to maintain the integrity of PHI in a HIPAA-compliant fashion. However, as this is considered an “alternative solution” to passwords, CEs will need to carefully document their use of two-factor authentication should a HIPAA Audit be conducted.