Password Management: 5 Best Practices for Compliant Environments
By Stephen Trout, HIPAA Blog

Good security habits can sometimes feel like extra work, like when you have to jump out of bed to make sure your doors are locked, two seconds after you’ve clicked off the light.

Why do you do it? Because you know the little extra effort isn’t too high a price for keeping an intruder out, keeping your family safe, and getting a restful night’s sleep.

Similarly, HIPAA regulations aren’t there to be a nuisance or steal your time; implementing strong physical and technical protections (as mandated by the HIPAA Security Rule) is all about preserving the welfare of real patients – not to mention your entire environment and organization.  

One of the most basic HIPAA compliance protections then – not unlike the keys to the locks on your front door – is strong passwords. How you manage your keys makes a difference.

Effective password management can mean the difference between a secure environment with safe patients, and one in which hackers have their way.

The Colonial Pipeline attack in April of 2021 was a clear example of what can happen when a hacker steals the keys; a single, compromised password let hackers “in the door” and prompted the shutdown of the largest fuel pipeline in the U.S.

For healthcare data, being forced “offline” (out of your own house) may come at the expense of critical care – to the detriment of human lives.

Unfortunately, many companies still have few or no password management practices, effectively making the keys much easier to steal.

Why Password Management Matters

Like our locked door example, it matters – ultimately to those you’re protecting – who has access to the keys.

If you suspect that someone has illegitimately copied the key to your house, what do you do? Of course, you change the locks immediately, and use a different key! 

This seems basic enough; yet, poor password practices – leading to weak or stolen passwords – continue to be a primary cause of data breaches.

Such practices include: 

  • Choosing passwords that are weak and easily guessable with a little investigation
  • Scribbling passwords on Post-its which may be found and copied
  • Offering no employee training on social engineering/phishing attacks that seek your passwords
  • Failing to address workforce personnel who may rotate to another department, or depart and take their passwords with them

You need to know that even if an attacker isn’t able to easily guess a user’s password, they have other means.

Brute-forcing is a technique in which an attacker uses an automated tool to submit candidate passwords in rapid succession, cycling through character combinations (or lists of common passwords) until one is accepted.

Just as a poorly constructed door with a cheap lock is easily forced open, a poor password may allow your environment to be easily broken into, or “brute-forced” open.

These and other reasons are why HIPAA regulations require covered entities to have sound procedures for password creation, changes, and safeguards. Strong passwords make a difference!

(Note: HIPAA requirements don’t specify precise password length, expiration, complexity, or strength. We’ll briefly touch on these things below.)

Best Practices

How your password management is specifically applied comes down to incorporating the best practices for your environment.

“Data sensitivity” is the prime criterion that determines how often this process should occur; the rule of thumb is, the more sensitive the data, the more stringent the practices should be. 

For HIPAA compliance, “sensitive” information like electronic medical records (EMR), protected health information (PHI), and personally identifiable information (PII) should require a higher level of password protection than “non-sensitive” information.

This means that for HIPAA-hosting environments, the size of your business is really less important than the types of clients being managed.

A good HIPAA hosting company will therefore utilize password management to establish access rules for your environment; it behooves you to maintain those rules to preserve compliance.

With this in mind, here are 5 best practices for HIPAA compliance that will greatly improve your password security, and thus, the security of your environment:

1. Use a Password Manager 

Many password manager apps are free, allowing you to store dozens of passwords so you don’t have to remember them. Many of these will automatically sign you in when you log on.

The better ones utilize strong encryption (a must-have), sync with your devices so you have access from anywhere, and provide two-factor authentication for an added layer of security. 

Enterprise-level password managers are available at a reasonable price and can be especially helpful for storing your privileged credentials/access to company secrets, as well as limiting that access to only those who need it.

Keeper and LastPass are excellent choices and integrate with most popular platforms.

2. Use a Long, Strong Password

Why make it easy for hackers to guess your password, with alphabet or number sequences (12345), sports names (like ‘baseball’), or even your favorite pet’s name?

Maintaining strong passwords calls for using longer, more complex ones – at least eight characters consisting of both upper and lowercase letters, numbers, and symbols. 

In fact, the US National Institute of Standards and Technology (NIST) Special Publication 800-63, Digital Identity Guidelines now says that the best practice is to use up to 64 characters, including spaces.

Password monitoring will flag weak passwords; also, if you’re using a password manager, you won’t be tempted to write them down.

3. Use a Unique Password for Each Account  

Having a unique “key” for different entryways into your home is a smart idea; the same is true for your HIPAA-compliant hosting environment.

That way even if one of your passwords is divulged, you prevent the possibility of someone having access to all your accounts. 

Unique IDs are also essential for logging purposes, helping to distinguish which user performed certain activities in your environment.

Also, be sure to change the default passwords that are provided with devices and software on your network!

4. Set Appropriate User-Access Controls

The HIPAA Security Rule (§164.312(a)) requires covered entities to have technical policies and procedures limiting access to systems that hold PHI.

As mentioned, these Access Control specifications include issuing unique user identifications and passwords to only those who truly need them and monitoring login attempts.  

By limiting the number of login attempts within a set period of time, locking users out, and requiring administrative interaction, covered entities can ensure a greater level of security for the protection of medical data. 
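The lockout logic described above, as an added example (not code from HIPAA Vault or the original post): failed logins per user are tracked in a sliding window, the account locks after a set number of failures, and only an explicit administrative unlock clears the lock. The attempt limit, window length and user names are constructed values.

```python
import time
from collections import defaultdict, deque


class LoginAttemptLimiter:
    """Limit failed logins per user within a sliding time window.

    Constructed example: after `max_attempts` failures inside
    `window_seconds`, the account is locked and stays locked until an
    administrator calls admin_unlock(); a correct password does not help.
    """

    def __init__(self, max_attempts=5, window_seconds=300, clock=time.time):
        self.max_attempts = max_attempts
        self.window_seconds = window_seconds
        self.clock = clock                    # injectable clock for testing
        self.failures = defaultdict(deque)    # user -> timestamps of failures
        self.locked = set()                   # users awaiting admin unlock

    def _prune(self, user, now):
        """Drop failures that have aged out of the window."""
        q = self.failures[user]
        while q and now - q[0] > self.window_seconds:
            q.popleft()

    def attempt(self, user, password_ok):
        """Record one login attempt; return True only if login is allowed."""
        now = self.clock()
        if user in self.locked:
            return False                      # refused even with the right password
        self._prune(user, now)
        if password_ok:
            self.failures[user].clear()       # a success resets the counter
            return True
        self.failures[user].append(now)
        if len(self.failures[user]) >= self.max_attempts:
            self.locked.add(user)             # lockout: needs admin interaction
        return False

    def is_locked(self, user):
        return user in self.locked

    def admin_unlock(self, user):
        """Administrative interaction required to clear a lockout."""
        self.locked.discard(user)
        self.failures[user].clear()
```

Because the window slides, failures spread out over a long period do not accumulate into a lockout, while a burst of guesses does.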

These strong password practices also extend to your business associates, including the developer who may be designing a slick new healthcare app for the covered entity.

5. Use Two-Factor Authentication for Added Protection

At HIPAA Vault, we regularly set up users with two-factor authentication as an excellent way to protect against a single point of failure with their passwords.

The use of a one-time, generated code sent only to you helps avoid a single point of failure and provides that extra layer of security.

Should your password fall into the wrong hands, or be discovered through brute-force or phishing (social engineering) attacks, the hacker will still need the code to get into your system.

So what about password changes?

Should they happen every six months (as some suggest), or even every 90, or 120 days?

In fact, HIPAA guidelines only state that frequent password changes are required, and also mandate the appropriate storage and management of such passwords (without naming specific tools, since technology changes).

Yet while experts are divided (with new NIST guidance advocating sticking with a strong password for a longer time, based on the tendency of users to apply “a set of common transformations, such as increasing a number in the password” when making changes), we do believe that organizations with privileged passwords should change them more frequently.

The reason is simple: more time with unchanged passwords gives hackers more time to crack them. And if you’re using the above best practices (including a password manager) this shouldn’t be a problem.   

The Bottom Line: Password Management Protects Patients

Failure to maintain passwords can damage both patients’ and businesses’ reputations.

HIPAA violations may bring significant fines, lawsuits, and loss of ability to practice. With the stakes so high, it’s important to apply good password management to help protect PHI.   

While ultimately it’s your Compliance Officer’s responsibility to enforce password management and regulate your users’ bad habits, ensuring that your entire staff is trained and that your users are consistently using good password practices is a matter that should concern everyone.

Like that decision to jump out of bed to ensure your doors are locked, the little extra effort will bring peace of mind that your patients are well protected!

HIPAA Vault is a leading provider of HIPAA compliant solutions, including HIPAA WordPress, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities.

Stephen is an award-winning writer with a depth of experience in healthcare security and HIPAA compliance. In addition to writing for HIPAA Vault, his work has been published in Security Magazine, New England Society for Healthcare Communications, and others. Stephen has a degree in Engineering from Temple University, and can be reached at strout@hipaavault.com.