Why do I need to change my password ?

How often should my password be changed ?

When does my password expire ?

What about service accounts ?

These are common questions that are consistently asked from customers that become weary of password policies within their hosted environment. HIPAA regulations require that procedures exist for passwords to be created, changed, and safeguarded; Plus, users must be trained on proper password management. Such requirements are not set to specify password requirements such as password length, expiration, complexity, strength, etc.

There are many reasons why password protection is important:

  • Passwords are easily forgotten or lost
  • To avoid written information and passwords scribbled on post-its
  • Personnel rotation/departure

HIPAA Guidelines are not meant to be a structured response to answer password requirements; they are only ways to lead down the path towards proper compliance. How password management is applied within each environment comes down to incorporating best practices for the organization.

Best practices can be misunderstood: every 90 days, every 120 days, every 180 days ?

Enterprise-wide organizations generally gravitate towards the 90-day policy because of the consistency it provides. While other small-medium sized businesses draw closer to the 120-day or 180-day policies. The amount of time can vary based on the type of data that requires protection. In other words, the data “sensitivity” can become the prime factor that determines how often this process should occur.
For hosting environments, the size of the business matters not as compared to the types of clients that are being managed. As for HIPAA compliance, “sensitive” information, to include electronic medical records (EMR), protected health information (PHI), and personally identifiable information (PII), should require a higher level of password protection as compared to “non-sensitive” information.