Password Management: 5 Best Practices for Compliant Environments
By Stephen Trout, HIPAA Blog, Resources

Good security habits can sometimes feel like extra work – like when you have to jump out of bed to ensure your doors are locked, two seconds after you’ve clicked off the light. 

Why do you do it? Because you know the extra effort isn’t too high a price for keeping an intruder out, your family safe, and helping everyone to sleep more soundly.  

Similarly, HIPAA regulations aren’t there to be a nuisance or steal your time; implementing strong physical and technical protections (as mandated by the HIPAA Security Rule) for medical data is all about preserving the welfare of real patients – not to mention your entire environment and organization.  

One critical protection is to practice good password management. Passwords are like the keys to your house; they allow access for a select, approved group, and are designed to keep out those who have no right to come in and steal your stuff.

Password management will benefit all who handle sensitive protected health information (PHI), including physicians who run their own practices and their business associates. It not only helps the hosting company establish access rules, but also extends to the developer who may be designing a slick new healthcare app for the covered entity (i.e., an organization subject to HIPAA because it handles, stores, or transmits PHI). All are mandated by HIPAA to protect and preserve the privacy and integrity of PHI. 

Why Password Management?

“Treat your password like your toothbrush; don’t let anyone else use it and get a new one every six months.” – Clifford Stoll 

Like our locked door example, it matters (ultimately to those you’re protecting) who has access to the keys. If you suspect that someone has illegitimately made a copy, what do you do? Of course, you change the locks. 

Unfortunately, many companies continue to maintain little or no password management practices, effectively making the keys much easier to steal. This is why weak or stolen passwords continue to be a primary cause of data breaches. These (poor) practices include: 

  • Choosing passwords that are weak and easily guessable with just a little investigation
  • Enabling passwords to be lost or stolen, from allowing them to be scribbled on Post-it notes that are easily found and copied, to offering no training on social engineering/phishing attacks
  • Failing to address workforce personnel who may rotate or depart and take their passwords with them

Even if an attacker isn’t able to easily guess a user’s password, they have other means. A technique of repeatedly querying possible passwords via an automated system that can quickly generate character combinations (known as “Brute Forcing”) can often help hackers discover even a strong, well-constructed password. It’s like using a cheap lock on your door that’s easily picked or forced open. Stronger passwords do make a difference.

These and other reasons are why HIPAA regulations require covered entities to have sound procedures for password creation, changes, and safeguards. (Note: HIPAA requirements don’t specify precise password length, expiration, complexity, and strength, however. We’ll briefly touch on these things below).

Best Practices

How password management is specifically applied comes down to incorporating the best practices for your environment. Data “sensitivity” is the prime criterion that determines how often this process should occur; the more sensitive the data, the more stringent the practices should be. 

This means that for hosting environments, the size of the business is really less important than the types of clients being managed. For HIPAA compliance, “sensitive” information like electronic medical records (EMR), protected health information (PHI), and personally identifiable information (PII), should require a higher level of password protection as compared to “non-sensitive” information.

With that in mind, here are 5 best practices for HIPAA compliance that will greatly improve your password security, and therefore the security of your environment:

1. Use a Password Manager 

Many password manager apps are free, allowing you to store dozens of passwords so you don’t have to remember them, and some will automatically sign you in when you log on. The better ones utilize strong encryption (a must-have), sync with your devices so you have access from anywhere, and provide two-factor authentication for an added layer of security. 

Enterprise-level password managers are available at a reasonable price and can be especially helpful for storing your privileged credentials/access to company secrets, as well as limiting that access to only those who need it. Keeper and LastPass are excellent choices and integrate with most popular platforms.

2. Use a Long, Strong Password

Why make it easy for hackers to guess your password, with simple sequences (12345) or sports names (like ‘baseball’) or even your favorite pet’s name? Maintaining strong passwords calls for using longer, more complex ones – at least eight characters made up of both upper and lowercase letters, numbers, and symbols. 

In fact, the US National Institute of Standards and Technology (NIST) Special Publication 800-63, Digital Identity Guidelines now says that the best practice is to use up to 64 characters, including spaces.
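
As an added example (not from the original article), the rules in this section can be expressed as a small checker that reports why a password fails. The function names, the four-character sequence threshold and the sample blocklist are assumptions made for illustration; a real deployment would use a much larger list of known-bad passwords.

```python
import re

# Constructed sample blocklist; assumption for this example only.
COMMON = {"password", "baseball", "qwerty", "letmein", "welcome"}

def _has_run(s, n=4):
    """True if s contains n consecutive ascending or descending characters (1234, dcba)."""
    for i in range(len(s) - n + 1):
        diffs = {ord(s[j + 1]) - ord(s[j]) for j in range(i, i + n - 1)}
        if diffs in ({1}, {-1}):
            return True
    return False

def check_password(pw, min_len=8, max_len=64):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_len:
        problems.append("too_short")
    if len(pw) > max_len:
        problems.append("too_long")
    # Upper case, lower case, digit, symbol. A space counts as a symbol here.
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if not all(re.search(c, pw) for c in classes):
        problems.append("missing_character_class")
    lowered = pw.lower()
    if _has_run(lowered):
        problems.append("sequence")
    # Strip digits and symbols so "Baseball#1" still matches the blocklist.
    letters = re.sub(r"[^a-z]", "", lowered)
    if any(word in letters for word in COMMON):
        problems.append("common_word")
    return problems
```

Note that a password such as "Baseball#1" satisfies the length and character-class rules and is rejected only by the blocklist check, which is why composition rules alone are not enough.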

3. Use a Unique Password for Each Account  

Having a unique “key” for different entryways into your environment is a smart idea; that way even if one of your passwords is divulged, you prevent the possibility of someone having access to all your accounts. 

Also, if it’s memorable enough (or you’re using a password manager), you won’t be tempted to write it down.

4. Set Appropriate User-Access Controls

It’s HIPAA policy (164.312 (a)) for covered entities to have technical policies and procedures limiting access to systems with PHI. These Access Control specifications include issuing unique user identifications and passwords to only those who truly need them and monitoring login attempts.  

Also, by limiting the number of login attempts within a set period of time, locking users out, and requiring administrative interaction, covered entities can ensure a greater level of security for the protection of medical data. 
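
The lockout behaviour described above, sketched as an added example that is not part of the original article: failed logins are counted per user within a time window, the account locks when the limit is reached, and only an administrator can unlock it. The class name, the default of 5 failures in 15 minutes and the in-memory storage are assumptions for illustration.

```python
import time
from collections import defaultdict, deque

class LoginThrottle:
    """Sliding-window failed-login counter with administrator-only unlock."""

    def __init__(self, max_failures=5, window_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock
        self.failures = defaultdict(deque)  # user id -> times of recent failures
        self.locked = set()                 # user ids awaiting administrator unlock
        self.audit = []                     # (time, user, event) for login monitoring

    def _log(self, user, event):
        self.audit.append((self.clock(), user, event))

    def attempt(self, user, password_ok):
        """Record one login attempt; return 'ok', 'denied' or 'locked'."""
        if user in self.locked:
            # A correct password does not lift the lock; that needs an administrator.
            self._log(user, "rejected_locked")
            return "locked"
        now = self.clock()
        recent = self.failures[user]
        while recent and now - recent[0] > self.window:
            recent.popleft()                # forget failures outside the window
        if password_ok:
            recent.clear()
            self._log(user, "success")
            return "ok"
        recent.append(now)
        self._log(user, "failure")
        if len(recent) >= self.max_failures:
            self.locked.add(user)
            self._log(user, "lockout")
            return "locked"
        return "denied"

    def admin_unlock(self, user, admin):
        """Clear a lock and record which administrator did it."""
        if user not in self.locked:
            return False
        self.locked.discard(user)
        self.failures[user].clear()
        self._log(user, f"unlocked_by:{admin}")
        return True
```

The audit list doubles as the login-attempt record: every failure, lockout and unlock is kept with its time and user, so repeated lockouts on one account can be reviewed.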

5. Use Two-Factor Authentication for Added Protection

At HIPAA Vault, we regularly set up users with two-factor authentication as an excellent way to protect against a single point of failure with their passwords. The use of a one-time, generated code sent only to you helps provide the extra layer of security you need should your password happen to fall into the wrong hands, whether through Brute-Force, phishing attacks (social engineering), or other means.  

So what about password changes? Should they happen every six months (as the quote above suggests), or even every 90, 120, or 180 days? In fact, HIPAA guidelines only state that frequent password changes are required, and also mandate the appropriate storage and management of such passwords (without naming specific tools, since technology changes). 

Yet while experts are divided (with new NIST guidance advocating sticking with a strong password for a longer time, based on the tendency of users to apply “a set of common transformations such as increasing a number in the password” when making changes, etc.), we do believe that organizations with privileged passwords should change them more frequently.

The reason is simple: more time with unchanged passwords gives hackers more time to crack them. And if you’re using the above best practices (including a password manager) this shouldn’t be a problem.   


Failure to maintain passwords can damage both our patients’ and our business’s reputations. HIPAA violations may bring significant fines, lawsuits, and loss of ability to practice. With the stakes so high, it’s important to apply good password management to help protect PHI.   

While ultimately it’s the Compliance Officer’s responsibility to enforce password management and regulate your users’ bad habits, ensuring that your entire staff is trained and your users are consistently using good password practices will make the little extra work well worth it in the end. 

HIPAA Vault is a leading provider of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities.