Healthcare is a high value target for hackers given the nature of the data and its poor security stance – ranking the sixth lowest, in security performance across industries. Passwords are the first line of defence against cyber attacks and poorly chosen passwords can result in unauthorized access. The Health Insurance Portability and Accountability Act (HIPAA) is designed to protect against unauthorized access.
While HIPAA Privacy Rules do not have explicit requirements on user passwords, there is a strong emphasis on the storage of and access control to electronic protected health information (ePHI). Sections 164.308(a)(5)(i) and 164.308(a)(5)(ii)(D) require that the following plan is in place when appropriate
- A security awareness and training program for all members of its workforce
- Procedures for creating, changing, and safeguarding passwords
HIPAA may be ambiguous but healthcare organizations are subject to the full extent of its rules. The burden falls on healthcare IT to figure out how to put these into practice.
HIPAA and passwords
Here are our recommendations on how to improve password security to follow HIPAA Privacy Rules:
Block dictionary passwords. As long as users continue using common passwords, dictionary attacks will continue to work. It is important to block common passwords, passwords specific to your organizations and known leaked passwords. A password blacklist stops a user from choosing a compromised password.
- Enable passphrases. The length of the password is the most effective defence against a brute-force attack. A passphrase is a sentence or phrase, with or without spaces, typically more than 20 characters longer. The words making up the passphrases should be meaningless together to make them less susceptible to social engineering.
- Skip password complexity. If you have implemented the above, you can relax complexity requirements.
- Password expiration. While HIPAA does not specify password expiration, NIST, NCSC, and Microsoft are now advising against forcing regular password expiration without reason. The only time password expiration can minimize attacks is when hackers gain access to your network through compromised passwords – a password reset can limit the use of these passwords. If you are enforcing strong passwords and enabling multi-factor authentication, you have little to gain from a password expiration. If you haven’t implemented these safety nets, continue to use password expiration as a way to check passwords against dictionary lists when a new major leak occurs.
- Password reset. If employees are engaging in high-risk behaviors such as sharing passwords, posting passwords on workstations or if you suspect that a password has been compromised, force a password change immediately.
- Educate users and healthcare staff. Make sure everyone that comes in contact with PHI learns good password hygiene such as changing default passwords immediately after being assigned a new application, not sharing passwords with anyone, not reusing passwords between different systems and changing passwords whenever compromised.