There is, however, a second and more systematic approach to password cracking, known as brute forcing, that is both more involved and more dangerous. An attacker who cannot guess a user's password can still point an automated tool at the login interface and work through thousands of candidates; given enough attempts, even a strong, well-constructed password will eventually fall, because strength only raises the number of guesses required rather than making the attack impossible. HIPAA's security awareness training requirement is meant to inform users of these threats and to convey the importance of choosing a strong password to begin with and of changing it (the Security Rule's password management specification calls for procedures for creating, changing and safeguarding passwords). The technical counterpart is to cap the number of failed login attempts permitted within a set period of time, lock the account once the cap is exceeded, and require an administrator to clear the lock; that removes the attacker's unlimited guessing budget and gives covered entities a materially higher level of protection for medical data.
Beyond being a security best practice, controlling and monitoring login attempts is addressed directly by the HIPAA Security Rule. Besides deterring password guessing and brute force attacks, access monitoring provides an audit trail in the event that a question is later raised. The Security Rule lists "Procedures for monitoring log-in attempts and reporting discrepancies" as an implementation specification under security awareness and training (45 CFR 164.308(a)(5)(ii)(C)). It is marked addressable, which means a covered entity must implement it or document why it is not reasonable and appropriate and adopt an equivalent alternative; it does not mean the control may simply be skipped. In practice this means recording when each user logged in, when they logged out, and every failed attempt, so that any interaction with protected health information (PHI) can be tied to a specific user if a dispute or breach arises. Whatever the inconvenience or difficulty of implementing log-in controls, they are both sound practice and expected by HIPAA.
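The two controls described above, lockout after repeated failures and a reviewable audit trail of log-in attempts, are shown together in the following added example. It is illustration code written for this page, not code from the original article or from any HIPAA guidance document. It assumes a PBKDF2 password store, a threshold of five failures in a five-minute window, a lock that only an administrator can clear, and a small constructed set of login events; all user names, thresholds and event timestamps are made up for the demonstration.

```python
"""Login-attempt throttling with an audit trail and a discrepancy report.

Added example for this page, not from the original article. Assumptions:
an account is locked after MAX_FAILURES failed attempts inside WINDOW_SECONDS
and stays locked until an administrator clears it; every outcome is written
to an audit trail that is later reviewed for discrepancies. The user names,
thresholds and sample events in demo() are constructed for illustration.
"""
import hashlib
import hmac
import os
from collections import defaultdict, deque

MAX_FAILURES = 5          # failed attempts tolerated ...
WINDOW_SECONDS = 300      # ... within this sliding window before lockout
PBKDF2_ITERATIONS = 100_000  # kept low for the demo; production should use far more


def hash_password(password, salt=b""):
    """Salted PBKDF2-HMAC-SHA256. Only (salt, digest) is ever stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class LoginGuard:
    def __init__(self, users):
        self.users = users                    # user -> (salt, digest)
        self.failures = defaultdict(deque)    # user -> timestamps of recent failures
        self.locked = set()
        self.audit = []                       # the log-in audit trail

    def _log(self, user, ts, event, **extra):
        self.audit.append({"ts": ts, "user": user, "event": event, **extra})

    def attempt(self, user, password, ts):
        """Return 'ok', 'denied' or 'locked'; every outcome is logged."""
        if user in self.locked:
            self._log(user, ts, "locked")     # guessing continues after lockout
            return "locked"
        stored = self.users.get(user)
        if stored is None:
            ok = False                        # unknown user takes the same path
        else:
            salt, digest = stored
            ok = hmac.compare_digest(hash_password(password, salt)[1], digest)
        if ok:
            self.failures[user].clear()       # a success resets the counter
            self._log(user, ts, "success")
            return "ok"
        recent = self.failures[user]
        recent.append(ts)
        while recent and ts - recent[0] > WINDOW_SECONDS:
            recent.popleft()                  # drop failures outside the window
        if len(recent) >= MAX_FAILURES:
            self.locked.add(user)
            self._log(user, ts, "lockout")
            return "locked"
        self._log(user, ts, "failure")
        return "denied"

    def logout(self, user, ts):
        self._log(user, ts, "logout")

    def admin_unlock(self, user, admin, ts):
        """Only an administrator clears a lock, and that action is audited too."""
        self.locked.discard(user)
        self.failures[user].clear()
        self._log(user, ts, "unlock", admin=admin)


def discrepancies(audit):
    """Lines a reviewer should look at: lockouts, attempts against locked
    accounts, administrative unlocks, and a success right after a run of failures."""
    report, streak = [], defaultdict(int)
    for e in audit:
        u, ev = e["user"], e["event"]
        if ev == "failure":
            streak[u] += 1
        elif ev == "lockout":
            report.append(f"{e['ts']}: {u} locked after repeated failures")
            streak[u] = 0
        elif ev == "locked":
            report.append(f"{e['ts']}: attempt on locked account {u}")
        elif ev == "success":
            if streak[u] >= 3:
                report.append(f"{e['ts']}: {u} succeeded after {streak[u]} failures")
            streak[u] = 0
        elif ev == "unlock":
            report.append(f"{e['ts']}: {u} unlocked by {e['admin']}")
    return report


def demo():
    """Constructed scenario: nurse1 mistypes three times then logs in; an attacker
    hammers dr.smith and triggers a lockout; an administrator clears it later."""
    users = {"nurse1": hash_password("Spr1ng-Ward-2024"),
             "dr.smith": hash_password("correct horse battery staple")}
    g = LoginGuard(users)
    outcomes = [g.attempt("nurse1", "spring-ward-2024", 100),
                g.attempt("nurse1", "Spring-Ward-2024", 110),
                g.attempt("nurse1", "Spr1ng-Ward-2024!", 120),
                g.attempt("nurse1", "Spr1ng-Ward-2024", 130)]
    g.logout("nurse1", 900)
    outcomes += [g.attempt("dr.smith", f"guess{i}", 200 + i) for i in range(6)]
    g.admin_unlock("dr.smith", "sec-admin", 5000)
    outcomes.append(g.attempt("dr.smith", "correct horse battery staple", 5010))
    return outcomes, discrepancies(g.audit)


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

Two design points are worth noting. A success clears the failure counter, so a legitimate user who mistypes a few times is not penalised, but the discrepancy report still flags a success that follows a run of failures, because that is exactly what a successful guess looks like in the log. Attempts against an already locked account are rejected without touching the password store, yet they are still recorded, since continued hammering after a lockout is the clearest sign that an automated tool, not a forgetful user, is behind the failures.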