HIPAA password requirements

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was passed by the US Congress in 1996 to enact procedures that ensure the confidentiality, integrity, and availability of protected health information which is stored on electronic devices (ePHI). Any organization that creates, receives, maintains, interacts with, stores, or transmits ePHI must adhere to the mandated HIPAA regulations.

HIPAA aims to protect individuals' medical records and other personal health and payment information against unauthorized access, theft, or loss. The mandates of HIPAA are applicable to all healthcare institutions, organizations, and business entities handling ePHI.

Why does HIPAA include password requirements?

A password—being the basic securing means for digital information—is normally used by organizations to safeguard ePHI. HIPAA addresses password requirements as a part of its regulations to indicate the level of security that organizations should practice to protect ePHI from potential threats. Without unified password mandates, organizations would follow different standards for securing their ePHI, which might put some data more at risk than others.

What are the HIPAA password requirements?

Section § 164.308(a)(5)(ii)(D) of HIPAA mandates that admins must enforce:

Procedures for creating, changing, and safeguarding passwords [Password management (addressable requirement)].

This HIPAA Security Rule has always been a point of debate as it gives no specific details on password complexity and deems password management as "addressable." It is believed that this technology-neutral description of password management is intentional to permit flexibility as security best practices keep evolving with time. Many healthcare organizations use passwords as their first and sometimes only line of defense against cyberattacks.

Notably, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) looks to the National Institute of Standards and Technology (NIST) for guidance, so it's prudent that other healthcare organizations do the same. A NIST-compliant password should:

1. Include American Standard Code for Information Interchange (ASCII) characters.
2. Be a minimum of 8 and a maximum of 64 characters.
3. Not be easy to guess like "Password@123" or easily compromised from data hoarding sites. Learn more about compromised passwords.
4. Not be identical to the previous ten passwords.
5. Not be prompted to users with the help of password hints.
6. Include other authentication methods and not be the only guarding factor of ePHI.
7. Be reset only if it's compromised or forgotten.

Make your organization HIPAA-compliant with ADSelfService Plus

ADSelfService Plus offers advanced password policy and MFA settings that help your organization comply with all the above requirements. You can create a custom password policy that meets HIPAA's requirements and enforce it on all or specific AD users based on their domain, OU, or group memberships. Below are some of the settings that ADSelfService Plus offers:

1. Ban weak passwords: Blacklist leaked or weak AD passwords, patterns, and palindromes.
2. Set a custom password length: Enforce longer passwords by specifying the minimum password length.
3. Enforce password history: Ensure password strength by enforcing password history rules during native password resets in the Active Directory Users and Computers (ADUC) console.
4. Mandate MFA for users: Secure user access to ePHI by enabling MFA for machines, applications, VPNs, RDPs, and OWA. Choose from a range of 19 different MFA authenticators to verify users' identities.

Benefits of using ADSelfService Plus to comply with HIPAA mandates

1. Increased password security: Enforce passphrases and restrict consecutively repeated characters and common character types from passwords. Enable the password strength meter to give users instant visual feedback on password strength when they change or reset their AD passwords.
2. Fine-grained flexibility: Create different password policies for different types of users in the organization according to their role and level of access to sensitive data.
3. Compliance with regulatory standards: Ensure that your organization complies not only with HIPAA standards, but also with NIST SP 800-63B, the PCI DSS, Essential Eight, CJIS, SOX, and the GDPR compliance mandates.