The Health Insurance Portability and Accountability Act (HIPAA) describes how organizations must keep protected health information (PHI) secure. So how exactly are employee passwords supposed to be handled in light of HIPAA?
It’s important to understand how HIPAA handles the topic of passwords in order for organizations to properly implement the guidelines in their data protection strategies.
What Organizations are Impacted by HIPAA?
HIPAA is designed to establish industry-wide regulations for protecting confidential healthcare information. Any healthcare organization or business associate that handles protected health information (PHI) must be compliant.
The same organizations are responsible for using proper password policies for their employees.
- Healthcare Providers – physicians, podiatrists, dentists, surgeons, laboratory technicians, hospitals, optometrists, clinics, nursing homes
- Health Payers – HMOs, company health plans, Medicare, Medicaid, employers and institutions that handle PHI while enrolling employees or members in a health plan
- Healthcare Clearinghouses – billing service providers, health management information systems
- Healthcare Business Associates – data processing organizations, data transmission providers, data storage firms, medical equipment vendors, external auditors
Why Are Employee Passwords So Important for Healthcare?
Password security is a significant issue for hospitals and healthcare providers. According to Clearwater CyberIntelligence Institute, user authentication is the most common cyber risk for hospitals and health systems. Password reuse paired with the use of exposed passwords or healthcare staff sharing passwords; tends to be the largest password vulnerabilities within the healthcare industry.
A recent Dashlane report found that 45% of admins are not concerned about password policies in the workplace. According to Google, 65% of people reuse passwords across multiple, if not all, sites and systems- including patient portals and healthcare employer systems. A separate Dashlane study revealed that 46% of employees use personal passwords to access corporate IT resources. More often than not, such credentials are weak and fail to meet bare minimum requirements to ensure enhanced protection of crucial business information.
Surprisingly, the same survey showed that more than 70% of the workforce is not concerned about causing a data breach even though they are using exposed credentials. Additionally, in the healthcare provider industry, password sharing is a significant issue. According to a Healthcare Informatics Research survey, 73.6% of surveyed hospital staff had obtained the password of another medical staff member.
To properly secure protected health information, organizations must ensure all employee accessible systems and networks are secure.
Where Does HIPAA Talk About Passwords?
HIPAA features a provision for the creation, deployment, and management of an effective password strategy. Passwords are specifically regulated under the HIPAA’s Administrative provisions, in section 164.308(a)(5)(ii)(D)
In the section for “Password Management,” you’ll find a reference to the “Procedures for creating, changing, and safeguarding passwords.”
The regulation requires organizations to:
- Provide passwords for access
- Train the workforce on ways to safeguard password information
- Establish guidelines to create and change passwords in a periodic cycle
To achieve the above-listed goals, HIPAA covered entities, and other vendors can assess their compliance using the following sample questions:
- Do we have policies and procedures that restrict employees from sharing passwords?
- Is the workforce encouraged to commit passwords to memory?
- Do employees take common precautions, such as not writing down their secret codes on papers visible to others, while using passwords?
This is helpful guidance, but we can see HIPAA isn’t giving explicit instructions. HIPAA requires organizations to have some kind of password plan in place but does not specify the details of the plan.
Looking to Industry Standards
In some sections, HIPAA password regulations are intentionally vague to allow innovation and flexibility of policies and procedures adopted by various users.
The specific approach can be different based on the type of organization and the information they hold. A small medical practice and a large healthcare provider don’t need to follow the same procedures.
However, there are good standards that all organizations should look to. For instance, the National Institute of Standards and Technology (NIST) and the HITRUST Alliance publish security guidelines that highlight suitable measures organizations can implement to enhance their cybersecurity postures. Some of the NIST SP 800-63B and HITRUST measures that can be followed to meet password program requirements include:
- Minimum characters obligation: NIST recommends the use of a minimum of 8 characters in a password
- Use of memorable passwords: passwords can be satisfactorily unique and memorable. In this case, organizations will not enforce complicated password policies that lead to the reuse of credentials across multiple accounts
- Avoid the use of common password options: organizations should restrict the use of common passwords, such as ‘admin,’ ‘1234,’ ‘qwerty,’ ‘qawsedrf,’ etc.
- Password fields and hidden field in a form: passwords should not be displayed while entering on forms
- Password reset mechanism: in case of a possible system breach, users are required to reset their passwords after their identity verification
- Encryption: passwords should always be encrypted in storage and during transmission
- Screening for compromised passwords: healthcare organizations can proactively screen employee and patient portal passwords to detect any exposed passwords and then enable a password reset or notification.
- Employee awareness training: organizations should provide practical tips and tactics for employees to understand password security. For instance, lack of employee training on password administration was exploited in a data breach at Sony Pictures Entertainment. The firm kept crucial passwords in a folder named “Passwords,” which presumably an untrained employee leaked to malicious actors.
- Change of passwords in periodic cycles: HIPAA dictates that healthcare organizations should enforce a periodic password reset regularly for staff. This periodic password reset policy is being heavily debated by security experts, but for now, it remains part of HITRUST.
HIPAA recommends an appropriate authentication approach for confidential data access. It also requires management and training around that access.
Many hospitals and healthcare providers use Enzoic to screen staff accounts for not only compromised passwords, but also common and weak passwords. With fuzzy matching, password similarity and root password detection, Enzoic reinforces proper password hygiene without impeding access in clinical settings. It also helps healthcare providers with NIST 800-63b compliance.
Josh Horwitz, COO, Enzoic