
HIPAA Password Requirements

The healthcare industry faces a plethora of serious cybersecurity risks. Indeed, 2021 saw a record number of major health data breaches in the U.S. — the breach notification portal of the U.S. Department of Health and Human Services lists at least 713 incidents affecting 45.7 million individuals.

The Healthcare Insurance Portability and Accountability Act (HIPAA) is designed to help healthcare organizations reduce risks to the security and privacy of electronic personal health information (ePHI). In particular, the HIPAA Security Rule includes password requirements to help organizations minimize the risk of data breaches. This article explains those password requirements and provides best practices for implementing them.

Who needs to comply with HIPAA?

HIPAA applies to both of the following types of organizations:

  • Covered entities — This group includes healthcare providers, health plans, healthcare clearinghouses and employers who have access to health information for insurance purposes.
  • Business associates — This group includes organizations that handle or store physical patient records or ePHI, for example, medical insurance and billing companies, law offices that handle medical cases, medical device manufacturers, and medical couriers. It also includes providers of software and cloud services that deal with ePHI.

Identifying whether your organization is subject to HIPAA is very important because penalties for failing to comply with the regulation can range from $100 to $50,000 per violation or record, up to a maximum penalty of $1.5 million per year for each violation. In addition, intentional breaches of HIPAA regulatory requirements can lead up to 10 years of jail time.

Why does HIPAA include password requirements?

HIPAA includes requirements concerning passwords for good reason: Passwords are the keys to your ePHI, and a HIPAA compliant password policy can help you prevent unauthorized logins and data access. In fact, attackers have developed a wide variety of techniques to steal or crack passwords, including:

  • Brute-force attacks — Hackers run programs that try various potential user ID/password combinations until they hit the correct one.
  • Dictionary attacks — This is a form of brute-force attack that uses words found in a dictionary as possible passwords.
  • Password spraying attacks — This is another type of brute-force attack that targets a single account, testing multiple passwords to try to gain access.
  • Credential stuffing attacks — These attacks target people who use the same passwords across different systems and websites.
  • Spidering — Hackers gather information about an individual and then try out passwords created using that data.

What are the HIPAA password requirements?

Passwords are covered in the HIPAA Security Rule’s administrative safeguards. Specifically, §164.308(5D) states that organizations must implement “procedures for creating, changing, and safeguarding passwords.” A related technical safeguard (§164.312(d)) stipulates that covered entities must have processes in place to verify the identity of a person seeking access to electronic health information.

This vagueness about password requirements is intentional — HIPAA is designed to be technology neutral and to recognize that security best practices evolve over time to improve resilience against known attack techniques.

So, how can my organization be compliant?

The best way to help ensure HIPAA password compliance is to build your password policy and procedures using an appropriate and respected framework. A great option is Special Publication 800-63B from the National Institute of Standards and Technology (NIST). The guidelines it provides are helpful for any business looking to improve cybersecurity — including HIPAA-covered entities and business associates.

The basic NIST guidelines for passwords cover the following:

  • Length — Passwords should be between 8 and 64 characters.
  • Construction — Long passphrases are encouraged, but they shouldn’t match dictionary words.
  • Character types — Organizations can permit uppercase and lowercase letters, numbers, unique symbols, and even emoticons, but should NOT require a mixture of different character types.
  • Multifactor authentication — Access to personal information like ePHI should require multi-factor authentication, such as a password plus a fingerprint or PIN from an external device.
  • Reset — A password should be required to be reset only if it has been compromised or forgotten.

What best practices help keep passwords secure?

Here are five strategies that can make a measurable difference in the security of your passwords:

  • Increase the length of your passwords. Short passwords are exceedingly easy to crack, but extremely long passwords are difficult to remember. The sweet spot, according to NIST, is between 8 and 64 characters.
  • Allow users to copy and paste their passwords from encrypted password management services. That way, they can choose stronger long passwords without the hassle of typing them in or the worry of forgetting them. This best practice also helps prevent security gaps caused by employees reusing passwords or writing them down where others might see them.
  • Don’t allow password hints. Hints often make it remarkably easy to figure out the user’s password — in some cases, employees will actually use the password itself as the hint!
  • Allow passwords to contain spaces, other special characters and even emojis. This adds another layer of complexity that helps defeat common password attacks.
  • Screen proposed passwords using lists of common and previously compromised passwords. You can outsource this task to security
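The NIST guidelines and best practices above translate directly into a password-acceptance check. The following Python is an added example (not Netwrix code and not part of the original article) of such a check: it NFKC-normalizes the candidate as SP 800-63B requires, counts length in code points so that spaces and emoji count like any other character, enforces the 8-to-64 range, imposes no composition rule, and screens the result against compromised-password and dictionary lists. The lists, the username check and the sequential-character check are constructed for illustration; a real deployment would load a large breached-password corpus instead of the tiny sets shown.

```python
import unicodedata
from typing import List

# Constructed sample data for illustration only. A production deployment
# loads a large breached-password corpus and a real word list instead.
COMPROMISED_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome1", "Password1!",
}
DICTIONARY_WORDS = {"password", "welcome", "hospital", "patient", "summer"}

MIN_LENGTH = 8   # NIST SP 800-63B minimum for memorized secrets
MAX_LENGTH = 64  # NIST SP 800-63B says at least 64 must be accepted


def normalize(password: str) -> str:
    """NFKC-normalize so the same visual password compares (and hashes) the
    same way regardless of how the client composed it."""
    return unicodedata.normalize("NFKC", password)


def is_sequential(pw: str) -> bool:
    """True for runs like '12345678' or 'hgfedcba' (adjacent code points)."""
    if len(pw) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def check_password(candidate: str, username: str = "") -> List[str]:
    """Return a list of policy violations; an empty list means accepted."""
    pw = normalize(candidate)
    problems: List[str] = []

    # Length is counted in code points: spaces, symbols and emoji all count.
    n = len(pw)
    if n < MIN_LENGTH:
        problems.append(f"too short ({n} chars, minimum {MIN_LENGTH})")
    if n > MAX_LENGTH:
        problems.append(f"too long ({n} chars, maximum {MAX_LENGTH})")

    # Deliberately NO composition rule: upper/lower/digit/symbol mixes are
    # permitted but never required, in line with NIST guidance.

    # Screen against compromised and common passwords (case-insensitive).
    lowered = pw.lower()
    if lowered in {p.lower() for p in COMPROMISED_PASSWORDS}:
        problems.append("appears in compromised-password list")

    # A bare dictionary word is rejected; a multi-word passphrase is fine.
    if lowered in DICTIONARY_WORDS:
        problems.append("is a single dictionary word")

    # Context-specific words such as the account name are rejected.
    if username and username.lower() in lowered:
        problems.append("contains the username")

    # Trivial patterns that any cracking tool tries first.
    if len(set(pw)) == 1:
        problems.append("all characters identical")
    if is_sequential(pw):
        problems.append("sequential characters")

    return problems


if __name__ == "__main__":
    for sample in ["correct horse battery staple", "Password1!", "12345678",
                   "caf\u00e9 \U0001F512 is open"]:
        verdict = check_password(sample) or ["accepted"]
        print(f"{sample!r}: {', '.join(verdict)}")
```

Note what the check does not do: it never forces a periodic reset and never demands a particular character mix, both of which NIST advises against; the strength comes from length plus screening, which is where the guidance puts it.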

How can Netwrix help?

Netwrix offers several solutions specifically designed to streamline and strengthen password management:

  • Netwrix Password Policy Enforcer makes it easy to create strong yet flexible password policies that enhance security without hurting user productivity or burdening helpdesk and IT teams.
  • Netwrix Password Reset enables users to safely unlock their own accounts and reset or change their own passwords, right from their web browser. This self-service functionality dramatically reduces user frustration and productivity losses while slashing helpdesk call volume.

Netwrix also provides more comprehensive solutions for HIPAA compliance. They empower you to:

  • Perform regular IT risk assessments to reduce your attack surface area.
  • Understand exactly where your sensitive data is located so you can prioritize your protection efforts.
  • Audit activity across your on-premises and cloud-based systems, and spot and investigate threats in time to prevent data breaches.
  • Slash the time and effort required to prepare for HIPAA compliance checks and easily answer questions from auditors on the spot.

FAQ

What are the HIPAA minimum password requirements?

The HIPAA password requirements state that covered organizations must implement “procedures for creating, changing and safeguarding passwords.” There are no specific requirements concerning password length, complexity or encryption. To ensure compliance, consider creating a strong password policy using an established security framework like NIST.

What are the best recommendations for HIPAA passwords?

Current password best practices are detailed in NIST Special Publication 800-63B. This free publication includes guidance on password length, composition, character types, reset requirements and multifactor authentication.

How often does HIPAA require passwords to be changed?

There are no specific HIPAA password change requirements. NIST guidelines recommend requiring passwords to be changed only if they are compromised. Today, experts recognize that requiring frequent password changes often actually increases security issues because users resort to strategies like writing their passwords down or simply incrementing a number at the end of the password, leaving their account vulnerable to cyberattacks.

Does HIPAA require multifactor authentication (MFA)?

HIPAA does not provide that level of detail. However, best practices frameworks like NIST recommend multifactor authentication to protect sensitive and regulated data in email, databases and other systems. Implementing MFA as outlined by NIST can dramatically reduce an organization’s risk of fines for failure to comply with HIPAA.

Are there any account lockout requirements in HIPAA?

HIPAA does not provide that level of detail. However, a HIPAA-compliant password policy would involve lockout after a certain number of failed logon attempts to thwart password-guessing attacks. Enabling users to unlock their own accounts using a secure self-service password management solution can enable you to set a low threshold for failed logon attempts to strengthen security without driving up helpdesk call volume.
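The lockout behaviour described in this answer can be implemented as a small per-account counter. The following Python is an added example (not Netwrix code and not part of the original article): it locks an account after a configurable number of failed logons within a time window, refuses further attempts on a locked account without consulting the credential store at all, lets the lock expire on its own, and exposes an unlock method of the kind a self-service reset tool would call once the user has proven their identity. The thresholds, the clock injection and the sample credential check are constructed for illustration.

```python
import hmac
import time
from collections import defaultdict
from typing import Callable, Dict, List, Optional


class LockoutPolicy:
    """Lock an account after `threshold` failures within `window_seconds`.

    The lock is per account (not per client address), so a guessing attack
    spread over many sources still trips it. A low threshold is affordable
    when users can release the lock themselves via self-service unlock.
    """

    def __init__(self, threshold: int = 5, window_seconds: int = 900,
                 lockout_seconds: int = 1800,
                 clock: Callable[[], float] = time.time) -> None:
        self.threshold = threshold
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self._clock = clock
        self._failures: Dict[str, List[float]] = defaultdict(list)
        self._locked_until: Dict[str, float] = {}

    def _now(self, now: Optional[float]) -> float:
        return self._clock() if now is None else now

    def is_locked(self, account: str, now: Optional[float] = None) -> bool:
        now = self._now(now)
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:            # lock has expired on its own
            del self._locked_until[account]
            return False
        return True

    def record_failure(self, account: str, now: Optional[float] = None) -> bool:
        """Register a failed logon; return True if the account is now locked."""
        now = self._now(now)
        recent = [t for t in self._failures[account]
                  if now - t < self.window_seconds]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.threshold:
            self._locked_until[account] = now + self.lockout_seconds
            self._failures[account] = []
            return True
        return False

    def record_success(self, account: str) -> None:
        """A successful logon clears the failure history."""
        self._failures.pop(account, None)

    def unlock(self, account: str) -> None:
        """Self-service or helpdesk unlock after identity has been verified."""
        self._locked_until.pop(account, None)
        self._failures.pop(account, None)


# Constructed credential store: account -> expected password (illustration only;
# a real system compares against a salted password hash, never plaintext).
_CREDENTIALS = {"alice": "correct horse battery staple"}


def check_credentials(account: str, password: str) -> bool:
    expected = _CREDENTIALS.get(account, "")
    return hmac.compare_digest(expected.encode(), password.encode())


def attempt_login(policy: LockoutPolicy, account: str, password: str,
                  now: Optional[float] = None) -> str:
    """Return 'locked', 'ok' or 'denied'. Locked accounts are rejected before
    the password is examined, so guessing cannot continue against them."""
    if policy.is_locked(account, now):
        return "locked"
    if check_credentials(account, password):
        policy.record_success(account)
        return "ok"
    policy.record_failure(account, now)
    return "denied"
```

Calling `unlock` only after an out-of-band identity check (a second factor, a verified e-mail or phone) is what makes a low threshold safe; an unlock path that trusts the same password being guessed would defeat the lockout.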

Dirk Schrader is a Resident CISO (EMEA) and VP of Security Research at Netwrix. A 25-year veteran in IT security with certifications as CISSP (ISC²) and CISM (ISACA), he works to advance cyber resilience as a modern approach to tackling cyber threats. Dirk has worked on cybersecurity projects around the globe, starting in technical and support roles at the beginning of his career and then moving into sales, marketing and product management positions at both large multinational corporations and small startups. He has published numerous articles about the need to address change and vulnerability management to achieve cyber resilience.