HIPAA regulations set out guidelines to ensure the protection of confidential health-related information within any organization dealing with such data. One of the key components of HIPAA compliance is password requirements, which have been a point of debate for quite some time among security experts. Today, we’re zooming in on HIPAA and its password requirements, outlining everything you need to know. Without further ado, let’s jump in.
What is HIPAA?
In 1996, the US Congress passed the Health Insurance Portability and Accountability Act (HIPAA) to enact procedures that ensure the confidentiality of electronic protected health information (ePHI). With the act in place, all organizations that create and maintain ePHI must adhere to the mandated HIPAA regulations. ePHI entails all the personal data that could be used to identify an individual. It includes everything from your date of birth to medical records.
Which entities must comply with HIPAA regulations?
According to HIPAA, the regulations outlined in the act affect any organization that manages any ePHI. These are known as Covered Entities and include any healthcare or health insurance providers as well as associates of such organizations. So, for instance, any company that provides services such as IT security or infrastructure to the aforementioned entities are also obligated to follow HIPAA regulations to ensure the security of ePHI.
What are the HIPAA password requirements?
The HIPAA password requirements are detailed in the Administrative Safeguards of the HIPAA Security Rule. In this context, the aim of the HIPAA password requirements is to “limit unnecessary or inappropriate access to and disclosure of Protected Health Information” by implementing “procedures for creating, changing and safeguarding passwords”.
However, the HIPAA password requirements are rather vague in certain respects to allow flexibility for organizations of different sizes and means. The general idea is that organizations need to display a good faith effort to follow the HIPAA regulations using a commercially reasonable best practice.
It is also essential to note that the HIPAA password requirements are “addressable”, meaning that Covered Entities can “implement one or more alternative security measures to accomplish the same purpose.
A suitable alternative to passwords is the use of biometric methods of identification, such as fingerprints or facial recognition software. However, until these technologies are more widely available and are completely secure, passwords are here to stay.
How to make your password HIPAA-compliant?
Although HIPAA does not list any specific actions that your organization can or must take to ensure password security, there are practices that any organization regardless of its size can keep in mind.
When it comes to best practices for password security, organizations can look for help at the National Institute of Standards and Technology (NIST). NIST regularly releases security insights and guidance that provide best practices for organizations of all sizes and means.
Let’s have a look at a few recommendations from NIST and your friendly folks here at NordPass to comply with HIPAA requirements.
Use at least 8 characters
The NIST notes that any password containing less than 8 characters can be considered vulnerable. At NordPass, we recommend using at least 12 characters for your passwords, which should include special symbols, numbers, as well as capital and lowercase letters.
Avoid password hints
While hints can be a great way to remember your password, they also put you and your organization at risk. Hints such as “my last name” or “my anniversary” can make a hacker’s life much easier.
NIST, as well as security experts at NordPass, recommend vetting your passwords before using them to protect any organization accounts. Check out our list of the 200 worst passwords of 2021 to make sure that none of your passwords are on it.
Deploy a password manager
Deploying a corporate password manager compliant with HIPAA for your organization could be a game changer. Not only does it provide a way to securely store all your passwords, but it also allows for secure sharing among your team. Password managers such as NordPass often come with additional security features that can boost your overall cybersecurity posture.