HIPAA Requirements For Passwords

Did you know, within the HIPAA security requirements there are guidelines for deploying and creating a passwords management policy, this would include: creating, changing and protecting passwords? These guidelines were established under the HIPAA Security Rule and within the HIPAA Security Rule it is required to provide Security Awareness and Training for creating policies and procedures on how to preform the storing, changing and creation of passwords.   


Complying With HIPAA Security Policies

Many security professionals tend to argue over the HIPAA best practices for passwords but they are all in agreement that there should be a minimum of 8 characters, include upper and lower case letters, numbers, and special characters, this practice has been challenged in recent years, as has the practice of enforcing changes to passwords regularly. However keep in mind that many healthcare organizations are choosing to make it a minimum of 12 characters. 

Keeping up with randomly generated 12 character passwords make it difficult for end users to remember and will increase the likelihood of users writing down their passwords. To combat this issue the National Institute of Standards and Technology (NIST) now recommends the use of passphrases. This will create longer and easier to remember passwords. 

Within the HIPAA security guidelines it is also required to change passwords every 60 to 90 days. There has been recent research that suggests, forcing users to change their passwords actually decreases security as it also encourages users to write down passwords.


Additional requirement of Multi-Factor Authentication

Given enough time even strong passwords can be guessed by brute force hacking attempts. It’s a common practice that end users also share passwords and reuse old passwords across many different platforms. If you are being targeted a hacker can keep track of security breaches and leaked passwords and if you so happen to use this same password application logins for the healthcare company you have potentially compromised their healthcare network. 

The use of Multi-factor authentication will immensely improve the security of passwords. Multi-factor authentication combines a password with another factor that is either known to an individual or possessed by them. This would consist of SMS, Tokens, Pins, Bio and Devices.  

Multi Factor Authentication

Multi factor also makes it easier on end users. they would only need to remember one password and what changes is the secondary authentication. This will also help reduce the risk of hackers being successful with their phishing attacks.  All it would take would be for a user to fall for a phishing attack and the hacker would obtain your password. If you had multi-factor authentication in place, if a hacker obtains a user’s password via a phishing it would be essentially useless because Multi-factor authentication would be required to login. Using this technology would tremendously reduce the healthcare dangers your facing. 

Leave a Comment

Stay Informed

Receive instant notifications when new content is released.