HIPAA Password Requirements and How to Comply With Them

HIPAA password requirements call for a number of processes to be established to create, modify, and protect passwords if no other equally effective security option is in use. We advise the use of two-factor authentication as the optimal method to comply with HIPAA password requirements.

The HIPAA Security Rule outlines the HIPAA password requirements as part of Administrative Safeguards. In the section dealing with Security Awareness and Training, §164.308(a)(5) states that covered entities are obliged to introduce “procedures for creating, changing and safeguarding passwords”.

Disagreement on Optimal HIPAA Password Policy Compliance

While it is widely accepted that long passwords incorporating numbers, special characters, and both uppercase and lowercase letters are the strongest and should be adopted, there is still disagreement concerning the optimal password policy to use for HIPAA compliance. There is also debate on how often new passwords should be introduced, if ever, and how best to protect them.

On whether passwords should be regularly changed, some experts say that making it mandatory to periodically choose a new password is better for HIPAA compliance, while others argue that this is irrelevant, as experienced hackers will simply use technical, sociological, or subversive methods to overcome password protection.

Optimal methods of protecting passwords are more readily agreed on. For HIPAA compliance, password management tools are widely recommended. While these can themselves be hacked, the tool encrypts every password it stores, so an attacker who obtains the stored data would be unable to make use of the passwords without the key that unlocks them.

HIPAA Password Requirements Are Addressable Requirements

A key factor to keep in mind in relation to HIPAA password requirements is their status as an “addressable” requirement. This means that covered entities have the option to “implement one or more alternative security measures to accomplish the same purpose.”

For Administrative Safeguards, HIPAA password requirements should “limit unnecessary or inappropriate access to and disclosure of Protected Health Information”. As such, if the covered entity prefers to use a different system that fulfills the same purpose of creating, changing, and protecting passwords, this would still be HIPAA compliant.

Two-factor authentication meets this need more than adequately. As well as providing a username and password, a person trying to access PHI receives a PIN code via SMS or another notification system, which they enter to verify their identity. Every access attempt generates a new PIN code, so even if an unauthorized individual had the password, they would still be unable to access the information.

Two-Factor Authentication Is Already Used by Medical Facilities

Some medical facilities already utilize two-factor authentication to verify credit card payments in compliance with the Payment Card Industry Data Security Standard (PCI DSS) or to comply with the DEA's Electronic Prescription for Controlled Substances rules.

While it has been pointed out that two-factor authentication could slow down access, progress being made in LDAP integration and Single Sign-On may help to alleviate this. As no PHI is sent by two-factor authentication programs, they are HIPAA compliant and offer a simpler route to compliance with the password requirements than periodic password changes. In theory, no password would ever need to be changed.

Since the password requirements are addressable safeguards, the case for adopting two-factor authentication as an alternative security measure should be documented for reference. This record can then be used to address risk analysis requirements and be supplied to auditors should the covered entity be investigated or face an audit.