Why do I need to change my password?

How often should my password be changed?

When does my password expire?

What about service accounts?

These are common questions asked by customers, especially those who may be weary of password policies within their hosted environment.

It’s important to know that HIPAA regulations require that procedures exist for passwords to be created, changed, and safeguarded; in addition, users must be trained on proper password management. (These requirements aren’t meant to specify password length, expiration, complexity, and strength, however.)

There are many reasons why password protection is important:

  • Passwords are easily forgotten or lost
  • To avoid written information and passwords scribbled on post-its
  • Personnel rotation/departure

Best Practices

How password-management is applied within each environment comes down to incorporating best practices. But what does “best practices” really mean? Is it every 90 days, 120 days, or every 180 days?

Enterprise-wide organizations generally gravitate towards the 90-day policy because of the consistency it provides, while other small-to-medium-sized businesses draw closer to the 120-day or 180-day policies. The amount of time can vary based on the type of data that requires protection. In other words, the data “sensitivity” can become the prime factor that determines how often this process should occur.

For hosting environments, the size of the business is less important than the types of clients that are being managed. As for HIPAA compliance, “sensitive” information that includes electronic medical records (EMR), protected health information (PHI), and personally identifiable information (PII), should require a higher level of password protection as compared to “non-sensitive” information.

Why is this so important? Because cracking your password is a primary means a hacker will use to breach your data.  

Know that when it comes to cracking your password, there are a few common approaches a hacker will use.

The first is password guessing: an attacker comes across a user account and tries a few common passwords or combinations. Surprisingly, this tactic is often successful.

The inherent nature of passwords requires them to be remembered easily, and as such, casual users will often pick a simple password over a secure one, purely in the pursuit of convenience.

For this reason, HIPAA data guidelines regarding the implementation of password protections state that frequent password changes are required, and mandates the storage and management of such passwords. It is the Compliance Officer’s responsibility to regulate users’ bad habits such as the use of simple password management.

However, there is a second, more systematic, approach to password cracking known as “brute forcing” that is more complicated and dangerous.

An attacker may not be able to guess a user’s password, but by repeatedly querying the information with an automated system, it is possible to discover the password, even a strong, well-constructed one.

HIPAA requires security training to inform users of these types of threats and to convey the importance of both a) using a strong password and b) rotating passwords on a frequent basis.

By limiting the number of login attempts within a set period of time, locking users out, and requiring administrative interaction, covered entities can ensure a greater level of security for the protection of medical data.

The Importance of Monitoring

Another aspect of HIPAA Security Rule “best practices” is to control and monitor login attempts. In addition to preventing password “guessing” and brute force attacks, access monitoring is used as an audit trail in the event that a question is raised.

HIPAA password protection management requires “Procedures for monitoring log-in attempts and reporting discrepancies”, specifically keeping track of when users logged in and when they logged out, and if they failed to do so successfully.

In so doing, the idea is that any interaction with protected health information (PHI) can be tied to a specific user in case of dispute in the event of a breach. Despite the inconvenience or difficulty of implementing log-in controls, it is both a good idea and required by HIPAA.

Click here to learn more about our HIPAA-protected email solutions.