Anyone who has had their accounts compromised understands the importance of secure passwords. But what exactly is considered “secure” in the eyes of HIPAA?
HIPAA Password Requirements and Best Practices
As per usual, the HIPAA law does not provide detailed implementation standards but states that “procedures for creating, changing, and safeguarding passwords” are an addressable safeguard. More on what an “addressable safeguard” means in a different article, but for our purposes let’s agree that password controls are required unless all of your PHI (protected health information) is kept in paper records and you do not use technology in your practice. Beyond this brief line, however, HIPAA offers no further recommendations or best practices for implementing compliant passwords. This is why we look to NIST 800-63 for password guidelines.
Because HIPAA doesn’t give us much to work with in terms of password requirements, we look to the National Institute of Standards and Technology (NIST) for guidance. NIST’s 800-63 control requirements specify that passwords should conform to the following guidelines:
- Passwords are required for accounts that need to be protected
- 8 character minimum for a human-created password
- 6 character minimum for a system/service-created password
- Support for 64 characters maximum length
- No complexity requirements
- No password expiration period
- No password hints
- All ASCII characters (all letters and special characters, including space) should be supported
- Truncation of the password shall not be performed when processed
- If a password needs to be modified, it is done so in a controlled manner. If done too frequently, the result can be forgotten passwords or unsafe password management tactics to keep up with changes.
- Chosen password should be cross-checked with known password dictionaries
- 10 password attempts should be allowed before lockout
- No knowledge-based authentication (e.g. what is your mother’s maiden name?)
- No SMS (text messages) for Two-Factor Authentication (2FA). Instead, use a one-time password from an app like Google Authenticator
- Passwords are protected on user-end (Example: Not writing a password down on a post-it note)
- Passwords are protected on the back-end (Example: Passwords are not listed in an Excel spreadsheet, but rather stored in a hashed, encrypted database)
- Password management: This kind of control needs to be specific to your organization, with consideration for things like where protected information is located, including PHI as well as the information/data systems that give you access to PHI, including administrator passwords (some of the most sensitive passwords)
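The guidelines above translate fairly directly into verifier logic. The following is an added example written for this article (not code from NIST or from any product) showing a minimal password handler that applies them: a length floor of 8 and a ceiling of 64 with no truncation and no composition rules, a dictionary check against a constructed blocklist, salted slow hashing so plaintext is never stored, and a lockout after 10 failed attempts. The blocklist entries, the PBKDF2 iteration count and the user names are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import unicodedata

MIN_LEN = 8              # NIST 800-63B minimum for a human-chosen password
MAX_LEN = 64             # verifier must accept at least this many characters
LOCKOUT_AFTER = 10       # failed attempts before lockout (the figure this article uses)
PBKDF2_ROUNDS = 100_000  # assumption: tune upward for your hardware

# Constructed stand-in for a breached/common-password dictionary; a real
# deployment loads a large list or queries a breach corpus.
BLOCKLIST = {"password", "hello123!", "qwerty123", "letmein1", "password1"}

def validate_new_password(password: str, username: str) -> list[str]:
    """Return the reasons a candidate is rejected (empty list means accepted).
    No composition rules, no hints, no truncation: only length, dictionary
    and account-name checks, as 800-63B recommends."""
    pw = unicodedata.normalize("NFKC", password)   # normalise, never truncate
    checks = [
        (len(pw) < MIN_LEN, f"shorter than {MIN_LEN} characters"),
        (len(pw) > MAX_LEN, f"longer than {MAX_LEN} characters"),
        (pw.lower() in BLOCKLIST, "appears in the blocked-password dictionary"),
        (bool(username) and username.lower() in pw.lower(), "contains the account name"),
    ]
    return [reason for failed, reason in checks if failed]

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash of the whole password (spaces included)."""
    pw = unicodedata.normalize("NFKC", password).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ROUNDS)

class Account:
    """Stores only salt + hash, never the password, and throttles guessing."""
    def __init__(self, username: str, password: str):
        problems = validate_new_password(password, username)
        if problems:
            raise ValueError("; ".join(problems))
        self.salt = secrets.token_bytes(16)
        self.digest = hash_password(password, self.salt)
        self.failures = 0

    def verify(self, attempt: str) -> bool:
        if self.failures >= LOCKOUT_AFTER:
            return False  # locked out: refuse even the correct password
        if hmac.compare_digest(hash_password(attempt, self.salt), self.digest):
            self.failures = 0
            return True
        self.failures += 1
        return False
```

Note that a 64-character all-lowercase passphrase with spaces passes while a short "complex" string on the blocklist is rejected, which is exactly the inversion of traditional complexity rules that the article describes.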
Something to reiterate is that password complexity is NOT the standard in NIST, which may be at odds with traditional password advice. What matters is that passwords are not easy to guess by brute force. Long pass-phrases are better: although they are easy to remember and may seem easy to guess, they are long, individual to the user, and hard to enumerate.
Additionally, NIST advises against frequent password changes. Doing so leads to employees forgetting their passwords, storing them in an insecure fashion (post-it notes), or opting to create predictable passwords (hello123!). Therefore, passwords should not be reset unless there is a reason to do so.
- With regard to passwords, HIPAA only mandates that there are “procedures for creating, changing, and safeguarding passwords” in place at an organization
- For password best practices, we look to the NIST 800-63 guidelines.
- Password complexity is not the current standard. Rather, long, memorable pass-phrases are more secure.
- Frequent password changes are not recommended because this leads to employees forgetting passwords, predictable passwords, or storing them in an insecure fashion.
Are you unsure about the password procedures and guidelines for your business?
Gazelle Consulting is here to help! Contact us today at firstname.lastname@example.org or 503-389-5666!