What are the HIPAA Password Rules?

Because the Health Insurance Portability and Accountability Act, better known as HIPAA, imposes security requirements that must be in place to safeguard Protected Health Information (PHI), many organizations want to know what the HIPAA password requirements actually are.

The use of passwords is a common, simple, intuitive, and easily implemented security feature. While it is possible and permitted to use other protective measures, so long as they offer a similar level of protection, it is safe to assume that the vast majority of organizations make use of passwords to regulate access to information at some stage of their IT infrastructure.

Of particular importance when using passwords are the systems and procedures that are used to create, change, and store passwords. This is specifically mentioned in the Administrative Safeguards section of HIPAA, in the part dealing with Security Awareness and Training – §164.308(a)(5).

Debate Surrounding Optimal Password Policies

The conventional wisdom regarding how to create strong passwords includes making passwords as long as possible and incorporating different elements such as numbers, symbols, and both upper and lower case characters. However, there is debate surrounding the best balance between long and complicated passwords and passwords that are easy for users to remember.

Opinions also vary as to whether passwords should be periodically changed and, if so, how frequently. Some reason that periodic changes are more in line with compliance needs, while others point out that attackers typically acquire passwords through technical or social means that are not addressed by introducing new passwords every few weeks or months.
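To make the policy elements discussed above concrete, here is an added example (not code from the article) of a small policy checker: it enforces a minimum length, a minimum number of character classes, and an optional maximum password age so the rotation interval can be set or disabled per policy. The thresholds in PasswordPolicy are assumptions for illustration, not values HIPAA prescribes.

```python
"""Constructed example of a password-policy check: length, character classes,
and an optional maximum age. Thresholds are illustrative assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set
import string


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12            # assumed minimum; set by organizational policy
    required_classes: int = 3       # out of: lower, upper, digit, symbol
    max_age_days: Optional[int] = None  # None disables periodic rotation entirely


def character_classes(password: str) -> Set[str]:
    """Return the set of character classes present in the password."""
    classes: Set[str] = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
    return classes


def check_password(password: str,
                   policy: PasswordPolicy,
                   last_changed: Optional[date] = None,
                   today: Optional[date] = None) -> List[str]:
    """Return a list of policy violations; an empty list means the password
    satisfies the policy. Age is only checked when the policy sets a maximum
    and the caller supplies the date of the last change."""
    problems: List[str] = []

    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")

    classes = character_classes(password)
    if len(classes) < policy.required_classes:
        problems.append(
            f"fewer than {policy.required_classes} character classes (found {len(classes)})"
        )

    if policy.max_age_days is not None and last_changed is not None:
        today = today or date.today()
        if today - last_changed > timedelta(days=policy.max_age_days):
            problems.append(f"older than {policy.max_age_days} days")

    return problems


if __name__ == "__main__":
    policy = PasswordPolicy(max_age_days=90)
    # Constructed sample input: long but single-class, so it fails the class rule.
    print(check_password("correct horse battery", policy))
    # Constructed sample input: all four classes, but older than the rotation limit.
    print(check_password("Tr0ub4dor&3xyz", policy,
                         last_changed=date(2024, 1, 1), today=date(2024, 6, 1)))
```

Because the rotation rule is a policy field rather than a hard-coded constant, the same checker serves an organization that rotates every 90 days and one that has decided, as the debate above allows, not to rotate at all.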

In contrast to this, there is a near consensus on how passwords themselves should be protected. Password management tools are often touted as an acceptable and compliant method of doing so. Even though they can be vulnerable to attacks or hackers, any information entered into the software is encrypted, rendering it indecipherable to unauthorized parties.

Password Requirements – An Addressable Issue

We mentioned above that it is possible and permitted to use other protective measures that offer a similar level of protection to passwords. This is what is meant by an “addressable” requirement: there are many possible ways to satisfy it, and the organization may choose which one it uses, so long as the resulting outcome reaches a certain standard.

HIPAA’s Administrative Safeguards state that the desired goal is to “limit unnecessary or inappropriate access to and disclosure of Protected Health Information”. In terms of passwords or other security measures, so long as they meet this bar, they are HIPAA compliant.

A Proven Addition or Alternative

A technology that has already been proven to live up to tough security standards is two-factor authentication. It can be used in conjunction with a password or with two other factors. It is already seeing use in relation to payment systems in healthcare settings.

Two-factor authentication uses two separate elements to authenticate a user. These are generally things that are specific to the user, e.g. knowledge (something they and only they know, like a PIN or password), possession (something they and only they have, like a mobile phone), and inherence (something they and only they are, like a fingerprint or voice print).

As passwords are an addressable safeguard, and given that two-factor authentication offers an increased level of security without much extra time, cost, or effort, it may be worth considering introducing it into the systems protecting PHI. Even if it is not chosen as a security method, documenting the process of establishing its utility and feasibility can be used to justify the security procedures that were chosen should an audit take place.