Health Insurance Portability and Accountability Act Apps Blog
How to Comply with HIPAA Password Requirements
Posted On July 27, 2020
When a data breach occurs, the loss of personally identifiable information is costly not only as a disruption but can also lead to identity theft with far greater consequences. In the healthcare sector, such as hospitals and doctors' surgeries, the consequences can be even graver given the sensitive nature of patient data.
HIPAA (the Health Insurance Portability and Accountability Act) provides, among other things, data protection and privacy rules for healthcare professionals to help keep patient medical information secure. With the increase in data breaches, particularly in the healthcare sector, HIPAA compliance is important for healthcare services; failing to follow the guidelines can lead to financial and criminal penalties.
Poor password practices have been recognized as a significant factor in the increase of cyber attacks targeting the healthcare sector. Under the HIPAA Security Rule, there are three main types of safeguards to ensure the confidentiality, integrity and security of patient data: administrative, technical, and physical. One of the first computer-related requirements among them is the “process of creating, changing and protecting passwords.”
The key tenets of a password protection policy, as defined by NIST, are:
Passwords are required for accounts that need to be protected
8-character minimum for a human-created password
6-character minimum for a system/service-created password
Support for passwords up to 64 characters in length
No complexity requirements
No password expiration period
No password hints
All ASCII characters (all letters and special characters, including space) should be supported
Passwords must not be truncated when processed
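To make the list concrete, here is an added example (not code from the original post) that puts a NIST-aligned acceptance check beside a legacy check that breaks several of the tenets above: the legacy check silently truncates to 8 characters and enforces character-class complexity, while the NIST-style check applies only length and printable-ASCII rules and hashes the whole password. The 64-character cap and the PBKDF2 parameters are assumptions for illustration.

```python
import hashlib
import os
import string
from typing import Optional, Tuple

MIN_HUMAN = 8       # minimum length for a human-chosen password
MIN_SYSTEM = 6      # minimum length for a system/service-generated password
MAX_SUPPORTED = 64  # assumed limit; NIST requires that at least 64 be supported


def legacy_check(password: str) -> bool:
    """Legacy policy: truncate to 8 characters, then demand 3 of 4 character classes.
    Both behaviours are discouraged by NIST (truncation, complexity requirements)."""
    pw = password[:8]  # truncation: anything after the 8th character is silently ignored
    classes = [any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    return len(pw) == 8 and sum(classes) >= 3


def nist_check(password: str, system_generated: bool = False) -> Tuple[bool, str]:
    """NIST-aligned policy: length is the only rule, no complexity classes, no truncation.
    Returns (accepted, reason)."""
    minimum = MIN_SYSTEM if system_generated else MIN_HUMAN
    # All printable ASCII, space included, is acceptable; control characters are not.
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in password):
        return False, "only printable ASCII (including space) is accepted"
    if len(password) < minimum:
        return False, f"shorter than {minimum} characters"
    if len(password) > MAX_SUPPORTED:
        return False, f"longer than the {MAX_SUPPORTED}-character limit this system supports"
    return True, "ok"


def hash_full_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hash the entire password (no truncation) with a salted, slow KDF.
    Iteration count is an assumed value, not a NIST-mandated one."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 600_000)
    return salt, digest
```

Note how the legacy check rejects a long passphrase but accepts any password that shares its first eight characters, which is exactly the weakness the no-truncation tenet addresses.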
HIPAA describes password safeguards as an “addressable” requirement. The use of two-factor authentication may be a better safeguard than frequently changing passwords, as it reduces the likelihood of passwords being written down and lost, which makes it easier for organizations to protect PHI in a HIPAA-compliant fashion. However, because this is considered a substitute for password controls, covered entities (CEs) will need to carefully document their use of two-factor authentication. Strong passwords are still required under HIPAA, as they help keep individuals' data safe and secure.