Password Management: 5 Best Practices for HIPAA Compliant Environments
by Stephen Trout
Good security habits can sometimes feel like extra work — like when you have to jump out of bed to ensure your doors are locked, two seconds after you’ve clicked off the light.
Why do you do it? Because you know the extra effort isn’t too high a price for keeping an intruder out, your family safe, and helping everyone to sleep more soundly.
Similarly, HIPAA regulations aren’t there to be a nuisance or steal your time; implementing strong physical and technical protections (as mandated by the HIPAA Security Rule) for medical data is about preserving the welfare of real patients — not to mention your entire environment and organization.
One critical protection is to practice good password management. Passwords are like the keys to your house — they allow access for a select, approved group, and are designed to keep out those who have no right to come in and steal your stuff.
Password management benefits physicians who run their own practices, their business associates, and the developer designing a slick new healthcare app for a covered entity (i.e., an organization subject to HIPAA because it creates, receives, maintains, or transmits PHI). All are required by HIPAA to protect the confidentiality and integrity of PHI.
Why Password Management?
“Treat your password like your toothbrush; don’t let anyone else use it and get a new one every six months.” — Clifford Stoll
Like our locked door example, it matters ultimately to those you’re protecting, who have access to the keys. If you suspect that someone has illegitimately made a copy, what do you do? Of course, you change the locks.
Unfortunately, many companies continue to maintain poor password management practices that actually make the keys easier to steal. This is why weak or stolen passwords continue to be a primary cause of data breaches. These practices include:
- Choosing passwords that are weak and easily guessable with a little investigation
- Allowing passwords to be lost or stolen: scribbled on post-it notes that are easily found and copied, handed over in a phishing email, or guessed by brute force
- Failing to address workforce personnel who may rotate or depart and take their passwords with them.
These and other reasons are why HIPAA regulations require covered entities to have sound procedures for password creation, changes, and safeguards. (Note: HIPAA requirements don’t specify precise password length, expiration, complexity, and strength, however. We’ll briefly touch on these things below).
Even when an attacker cannot guess a user’s password by hand, an automated tool can try character combinations at high speed (known as “brute forcing”), either against the login page itself or, far faster, against a stolen copy of the password hashes. Short or common passwords fall quickly this way; a long, random password pushes the search beyond practical reach. Length matters more than clever character substitutions.
By limiting the number of failed login attempts within a set period, temporarily locking the account, and requiring an administrator to unlock it after repeated lockouts, covered entities blunt online guessing (a lockout does nothing against an attacker who already holds the hashes, and an overly aggressive lockout lets an attacker deliberately lock legitimate users out). This is also why HIPAA requires security awareness training: to inform users of these threats and to convey the importance of both a) using a strong password and b) rotating passwords on a frequent basis.
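The lockout scheme described above, as an added example that is not part of the original article or any HIPAA Vault product: failed attempts are counted in a sliding window, the account is locked temporarily when the threshold is hit, and a second lockout escalates to an administrator unlock. The thresholds, the user table, and the sample credentials are constructed assumptions, not values HIPAA prescribes.

```python
"""Per-account login throttling with temporary lockout and admin escalation."""
import hashlib
import hmac
import os
from collections import deque

MAX_FAILURES = 5           # failures tolerated inside WINDOW_SECONDS (assumed policy)
WINDOW_SECONDS = 15 * 60   # sliding window in which failures are counted
LOCKOUT_SECONDS = 30 * 60  # length of the temporary lockout
MAX_LOCKOUTS = 2           # lockouts before an administrator must unlock


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen credential table cannot be brute-forced quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthThrottle:
    def __init__(self, users: dict[str, tuple[bytes, bytes]]):
        # users maps username -> (salt, pbkdf2 hash); constructed sample data
        self._users = users
        self._failures: dict[str, deque] = {}
        self._locked_until: dict[str, float] = {}
        self._lockouts: dict[str, int] = {}
        self._needs_admin: set[str] = set()

    def attempt(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'bad_password', 'locked' or 'locked_admin'."""
        if user in self._needs_admin:
            return "locked_admin"
        if now < self._locked_until.get(user, 0.0):
            return "locked"
        fails = self._failures.setdefault(user, deque())
        # forget failures that have aged out of the window
        while fails and now - fails[0] > WINDOW_SECONDS:
            fails.popleft()
        salt, expected = self._users.get(user, (b"", b""))
        # hash even for unknown users so response time does not reveal valid names
        actual = hash_password(password, salt or b"\x00" * 16)
        if user in self._users and hmac.compare_digest(actual, expected):
            fails.clear()
            return "ok"
        fails.append(now)
        if len(fails) >= MAX_FAILURES:
            fails.clear()
            n = self._lockouts[user] = self._lockouts.get(user, 0) + 1
            if n >= MAX_LOCKOUTS:
                self._needs_admin.add(user)   # repeated lockouts: human must intervene
                return "locked_admin"
            self._locked_until[user] = now + LOCKOUT_SECONDS
            return "locked"
        return "bad_password"

    def admin_unlock(self, user: str) -> None:
        """Administrator resets all lockout state for the account."""
        self._needs_admin.discard(user)
        self._locked_until.pop(user, None)
        self._lockouts.pop(user, None)
        self._failures.pop(user, None)


def make_users() -> dict[str, tuple[bytes, bytes]]:
    """Constructed sample user table with one account."""
    salt = os.urandom(16)
    return {"drsmith": (salt, hash_password("correct horse battery staple", salt))}
```

Per-account lockout does not stop password spraying, where an attacker tries one common password against many accounts; pair it with a per-source-IP limit and with monitoring of failed logins across all accounts.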
Best Practices
How password management is applied comes down to incorporating best practices for your environment. Data sensitivity is the prime factor that determines how stringent those practices should be; the more sensitive the data, the stricter the rules.
That means that for hosting environments, the size of the business is really less important than the types of clients being managed. For HIPAA compliance, “sensitive” information like electronic medical records (EMR), protected health information (PHI), and personally identifiable information (PII), should require a higher level of password protection as compared to “non-sensitive” information.
With that in mind, here are 5 best practices for HIPAA compliance that will greatly improve your password security, and thus the security of your environment:
1. Use a Password Manager
Many password manager apps are free, allowing you to store dozens of unique passwords so you don’t have to remember them, and many will fill in your credentials automatically when you sign in. The better ones use strong encryption of the vault (a must-have), sync across your devices so you have access from anywhere, and support two-factor authentication for the vault itself.
Enterprise-level password managers are available at a reasonable price and are especially helpful for storing privileged credentials and company secrets, as well as limiting that access to only those who need it. Keeper and LastPass are popular choices and integrate with the most common platforms.
2. Use a Unique Password for Each Account
Having a unique key for each entryway into your environment is a smart idea: if one password is divulged (for example, in a breach at an unrelated website), attackers routinely try the same credentials elsewhere, and a unique password per account means that attempt fails.
3. Use a Long and Strong Password
Why make it easy for hackers to guess your password? Length is the main ingredient of strength. The US National Institute of Standards and Technology (NIST) Special Publication 800-63B, Digital Identity Guidelines, requires a minimum of 8 characters, says systems should accept passwords of at least 64 characters including spaces, drops the old mandatory mix of upper- and lowercase letters, numbers, and symbols, and instead recommends rejecting passwords that appear on lists of common or breached passwords. A passphrase of several unrelated words is both easier to remember and harder to guess than a short string of substitutions like “P@ssw0rd”.
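A password check written along the NIST SP 800-63B lines above, as an added example that is not part of the original article: minimum and maximum length, Unicode normalization, rejection of repetitive or sequential strings, of the user’s own name, and of known-breached values, with no composition rule. The legacy composition rule is included only for contrast. The breached-password set is a tiny constructed stand-in; a real deployment would check against a full compromised-credential corpus.

```python
"""Memorized-secret validation in the style of NIST SP 800-63B (added example)."""
import unicodedata

MIN_LEN = 8    # NIST: memorized secrets are at least 8 characters
MAX_LEN = 64   # NIST: verifiers accept at least 64 characters; longer is fine

# Constructed stand-in for a breached/common-password corpus.
BREACHED = {"password", "p@ssw0rd", "123456789", "qwerty123", "letmein1", "welcome1"}


def normalize(secret: str) -> str:
    # NFKC normalization so the same passphrase typed on different devices compares equal.
    return unicodedata.normalize("NFKC", secret)


def is_repetitive_or_sequential(s: str) -> bool:
    """'aaaaaaaa', '12345678' and 'hgfedcba' are all rejected."""
    if len(set(s)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def check_secret(secret: str, username: str = "", service: str = "") -> list[str]:
    """Return the reasons a secret is rejected; an empty list means it is acceptable."""
    s = normalize(secret)
    problems = []
    if len(s) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(s) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if s.lower() in BREACHED:
        problems.append("appears in breached-password list")
    if is_repetitive_or_sequential(s):
        problems.append("repetitive or sequential characters")
    for ctx in (username, service):
        if ctx and ctx.lower() in s.lower():
            problems.append(f"contains context-specific word '{ctx}'")
    return problems


def old_composition_rule(secret: str) -> bool:
    """Legacy 'eight characters with upper, lower, digit and symbol' rule, for contrast."""
    return (len(secret) >= 8
            and any(c.isupper() for c in secret)
            and any(c.islower() for c in secret)
            and any(c.isdigit() for c in secret)
            and any(not c.isalnum() for c in secret))
```

Note the inversion: “P@ssw0rd” satisfies the legacy rule but is rejected here as a breached value, while a four-word passphrase fails the legacy rule and passes here.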
4. Set Appropriate User-Access Controls
The HIPAA Security Rule’s Access Control standard (45 CFR §164.312(a)) requires covered entities to implement technical policies and procedures that allow access to systems holding electronic PHI only to authorized persons and programs. Its implementation specifications include assigning each user a unique identifier (so every action can be traced to one person), an emergency access procedure, and automatic logoff; procedures for monitoring log-in attempts and for creating, changing, and safeguarding passwords sit under the security awareness and training standard (§164.308(a)(5)). Issue accounts only to those who truly need them, and remove them promptly when the need ends.
5. Use Two-Factor Authentication
At HIPAA Vault we regularly set up our users with two-factor authentication as an excellent way to protect against a single point of failure with their passwords. A one-time code delivered only to the user provides the extra layer of security needed should their password fall into the wrong hands. Codes sent by SMS or email are better than nothing, but they can be phished in real time or intercepted through a SIM swap; a code generated by an authenticator app or, better, a hardware security key, is the stronger choice where the system supports it.
So what about password changes? Should they happen every six months (as the quote above suggests), or every 90, 120, or even 180 days?
Experts are divided. Current NIST guidance (SP 800-63B) advises against forcing periodic changes, because users tend to respond with “a set of common transformations such as increasing a number in the password,” and recommends changing a password when there is evidence it has been compromised. We nonetheless believe that organizations should change privileged passwords more frequently, and make them longer, in proportion to the sensitivity of the data they protect: a password that never changes gives an attacker who has quietly obtained it, or its hash, indefinite use of it. If you follow the best practices above, including a password manager that generates random passwords, rotation costs users nothing.
HIPAA itself does not mandate a rotation interval. It requires covered entities to have procedures for creating, changing, and safeguarding passwords (§164.308(a)(5)(ii)(D)) and to store and manage them appropriately, without naming specific tools, since technology changes. Ultimately it is the Compliance Officer’s responsibility to curb users’ bad habits and to enforce sound password management.
HIPAA Vault is a leading provider of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities.