HIPAA Password Protection Management Best Practices

By HIPAA Vault

When it comes to cracking a password, there are a few common approaches. The first is password guessing: an attacker comes across a user account and tries a handful of common passwords or likely combinations, such as the user's name with a year appended or a default like "Password1". Surprisingly, this tactic is often successful. Passwords have to be easy to remember, so casual users will often pick a simple password over a secure one purely for convenience. For this reason, the HIPAA Security Rule's password management specification (45 CFR 164.308(a)(5)(ii)(D)) calls for documented procedures for creating, changing and safeguarding passwords, and it is the Compliance Officer's responsibility to enforce those procedures against users' bad habits, such as choosing trivially simple passwords or reusing one password across systems.

However, there is a second, more systematic approach known as "brute forcing", which is both more complicated and more dangerous. An attacker who cannot guess a user's password can instead have an automated tool submit candidate passwords one after another, working through wordlists and then every combination of characters. A short or predictable password falls quickly this way; a long, well-constructed one pushes the search beyond what the attacker can afford, which is why strength matters at all. HIPAA requires security awareness training that informs users of these threats and conveys the importance of choosing a strong password to begin with and changing it promptly whenever compromise is suspected. Scheduled rotation is a common policy as well, but NIST SP 800-63B now advises against forcing periodic changes, because they push users toward predictable variations of the old password. By limiting the number of login attempts allowed within a set period of time, locking the account once that limit is exceeded, and requiring an administrator to restore access, covered entities keep an online brute-force attack from ever getting through enough guesses to matter, and so give the medical data they protect a markedly higher level of security.

Beyond being a security best practice, controlling and monitoring login attempts is something the HIPAA Security Rule specifically calls for. As well as preventing password guessing and brute-force attacks, access monitoring provides an audit trail in the event that a question is raised. The Rule's log-in monitoring specification (45 CFR 164.308(a)(5)(ii)(C)) requires "Procedures for monitoring log-in attempts and reporting discrepancies": in practice, recording when each user logged in, when they logged out, and every attempt that failed, with the account and time, and then reviewing that record for discrepancies such as bursts of failures, lockouts, or logins at unusual hours. The aim is that any interaction with protected health information (PHI) can be tied to a specific user, so that in the event of a breach there is a record to consult rather than a dispute. The specification is "addressable", which means a covered entity must either implement it or document why an alternative measure is reasonable and appropriate; in either case, despite the inconvenience of implementing log-in controls, they are both a good idea and expected by HIPAA.
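The lockout and log-in monitoring procedure that the two preceding paragraphs describe, as an added example that is not HIPAA Vault's code: a small Python login guard that limits failed attempts within a time window, locks the account, requires an administrator to restore access, records every log-in, logout and failed attempt as an audit trail, and reports discrepancies for review. The thresholds, user names and event sequence are constructed for illustration; the Security Rule specifies none of them.

```python
"""Throttle log-in attempts, lock out, and keep an audit trail.

Added example, not code from HIPAA Vault. The thresholds (5 failures within
10 minutes, 15-minute lockout, 3 failures before a later success is flagged)
are assumptions chosen for illustration; the HIPAA Security Rule sets none.
"""
from collections import deque
from datetime import datetime, timedelta


class LoginGuard:
    def __init__(self, max_failures=5, window=timedelta(minutes=10),
                 lockout=timedelta(minutes=15), burst_threshold=3):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.burst_threshold = burst_threshold
        self.audit = []           # append-only event list: the audit trail
        self._failures = {}       # user -> deque of recent failure times
        self._locked_until = {}   # user -> time the lockout expires

    def _log(self, when, user, event, **extra):
        entry = {"time": when.isoformat(), "user": user, "event": event}
        entry.update(extra)
        self.audit.append(entry)

    def attempt(self, user, password_ok, now):
        """Record one log-in attempt and return 'ok', 'fail' or 'locked'."""
        until = self._locked_until.get(user)
        if until is not None and now < until:
            # A locked account rejects even the right password until the lockout
            # expires or an administrator clears it; this is what stops online
            # brute forcing regardless of how fast the attacker's tooling is.
            self._log(now, user, "rejected_locked")
            return "locked"
        if password_ok:
            self._failures.pop(user, None)
            self._log(now, user, "login_success")
            return "ok"
        recent = self._failures.setdefault(user, deque())
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()      # failures older than the window no longer count
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            self._log(now, user, "lockout", failures=len(recent))
            return "locked"
        self._log(now, user, "login_failure", failures=len(recent))
        return "fail"

    def logout(self, user, now):
        self._log(now, user, "logout")

    def admin_unlock(self, user, admin, now):
        """Restore access early; the administrator's identity is recorded."""
        self._locked_until.pop(user, None)
        self._failures.pop(user, None)
        self._log(now, user, "admin_unlock", admin=admin)

    def discrepancies(self):
        """Report what a reviewer should look at: lockouts, and successful
        log-ins that followed a burst of failures (a possibly guessed password)."""
        report, burst = [], {}
        for e in self.audit:
            user, event = e["user"], e["event"]
            if event in ("login_failure", "lockout"):
                burst[user] = burst.get(user, 0) + 1
                if event == "lockout":
                    report.append((user, f"locked out after {e['failures']} failures"))
            elif event == "login_success":
                n = burst.pop(user, 0)
                if n >= self.burst_threshold:
                    report.append((user, f"success after {n} failed attempts"))
            elif event == "admin_unlock":
                burst.pop(user, None)   # an administrator already reviewed these
        return report


def run_constructed_scenario():
    """Drive the guard with a constructed sequence of events (not real logs)."""
    guard = LoginGuard()
    t0 = datetime(2024, 1, 15, 9, 0, 0)
    results = []
    # jdoe: five wrong passwords a minute apart, the right one while locked,
    # an administrative unlock, then a normal session
    for i in range(5):
        results.append(guard.attempt("jdoe", False, t0 + timedelta(minutes=i)))
    results.append(guard.attempt("jdoe", True, t0 + timedelta(minutes=5)))
    guard.admin_unlock("jdoe", admin="secofficer", now=t0 + timedelta(minutes=6))
    results.append(guard.attempt("jdoe", True, t0 + timedelta(minutes=7)))
    guard.logout("jdoe", t0 + timedelta(minutes=30))
    # bob: three failures then the right password, a session worth a second look
    for i in range(3):
        results.append(guard.attempt("bob", False, t0 + timedelta(minutes=10 + i)))
    results.append(guard.attempt("bob", True, t0 + timedelta(minutes=14)))
    guard.logout("bob", t0 + timedelta(minutes=40))
    return guard, results


if __name__ == "__main__":
    g, r = run_constructed_scenario()
    print(r, g.discrepancies(), sep="\n")
```

Running the file prints the outcome of each attempt and the discrepancy report for the constructed scenario. In a real deployment the audit list would be written to append-only storage with synchronized clocks, and the discrepancy report would feed whatever review process the documented procedures name.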
