The Health Insurance Portability and Accountability Act (HIPAA) describes how organizations must keep protected health information (PHI) secure. So how exactly are employee passwords supposed to be handled in light of HIPAA?
It’s important to understand how HIPAA handles the topic of passwords in order for organizations to properly implement the guidelines in their data protection strategies.
HIPAA is designed to establish industry-wide regulations for protecting confidential healthcare information. Any healthcare organization or business associate that handles protected health information (PHI) must be compliant.
The same organizations are responsible for using proper password policies for their employees.
Password security is a significant issue for hospitals and healthcare providers. According to Clearwater CyberIntelligence Institute, user authentication is the most common cyber risk for hospitals and health systems. Password reuse paired with the use of exposed passwords or healthcare staff sharing passwords; tends to be the largest password vulnerability within the healthcare industry.
A recent Dashlane report found that 45% of admins are not concerned about password policies in the workplace. According to Google, 65% of people reuse passwords across multiple, if not all, sites and systems- including patient portals and healthcare employer systems. A separate Dashlane study revealed that 46% of employees use personal passwords to access corporate IT resources. More often than not, such credentials are weak and fail to meet bare minimum requirements to ensure enhanced protection of crucial business information.
Surprisingly, the same survey showed that more than 70% of the workforce is not concerned about causing a data breach even though they are using exposed credentials. Additionally, in the healthcare provider industry, password sharing is a significant issue. According to a Healthcare Informatics Research survey, 73.6% of surveyed hospital staff had obtained the password of another medical staff member.
To properly secure protected health information, organizations must ensure all employee accessible systems and networks are secure.
HIPAA features a provision for the creation, deployment, and management of an effective password strategy. Passwords are specifically regulated under the HIPAA’s Administrative provisions, in section 164.308(a)(5)(ii)(D)
In the section for “Password Management,” you’ll find a reference to the “Procedures for creating, changing, and safeguarding passwords.”
The regulation requires organizations to:
To achieve the above-listed goals, HIPAA covered entities, and other vendors can assess their compliance using the following sample questions:
This is helpful guidance, but we can see HIPAA isn’t giving explicit instructions. HIPAA requires organizations to have some kind of password plan in place but does not specify the details of the plan.
In some sections, HIPAA password regulations are intentionally vague to allow innovation and flexibility of policies and procedures adopted by various users.
The specific approach can be different based on the type of organization and the information they hold. A small medical practice and a large healthcare provider don’t need to follow the same procedures.
However, there are good standards that all organizations should look to. For instance, the National Institute of Standards and Technology (NIST) and the HITRUST Alliance publish security guidelines that highlight suitable measures organizations can implement to enhance their cybersecurity postures. Some of the NIST SP 800-63B and HITRUST measures that can be followed to meet password program requirements include:
HIPAA recommends an appropriate authentication approach for confidential data access. It also requires management and training around that access.
While HIPAA is not overly prescriptive around password policies, organizations can refer to NIST password guidelines and HITRUST for technical guidance on implementing secure password policies.
Many hospitals and healthcare providers use Enzoic to screen staff accounts for not only compromised passwords, but also common and weak passwords. With fuzzy matching, password similarity and root password detection, Enzoic reinforces proper password hygiene without impeding access in clinical settings. It also helps healthcare providers with NIST 800-63b compliance.