The HIPAA password requirement is an "addressable" implementation specification: a Covered Entity must put procedures in place for creating, changing, and safeguarding passwords, or document why an alternative, equally effective security measure is used instead.
We believe that implementing two-factor authentication is the best approach to complying with the HIPAA password standards.
The HIPAA password requirements sit in the Administrative Safeguards of the HIPAA Security Rule. Under the Security Awareness and Training standard, 45 CFR 164.308(a)(5)(ii)(D) requires Covered Entities to implement “procedures for creating, changing, and safeguarding passwords.”
Failure to comply with HIPAA exposes a healthcare organization to a greater likelihood of a data breach, as well as to substantial fines.
Organizations should therefore pay particular attention to the HIPAA Privacy and Security Rules when developing a password policy, both to avoid penalties and to reduce real security risk.
In the sections below, we go over the procedures you can follow to keep your password policy in line with both NIST SP 800-63B and HIPAA.
- Passwords must be at least eight characters long, and the system must accept passwords of at least 64 characters (NIST sets a minimum length, not a 64-character maximum).
- All printable characters, including special characters, spaces, and Unicode, should be accepted, but no composition rules should be imposed (users are not obliged to use special characters).
- Passwords made of consecutive or repeated characters should be rejected (e.g. 12345 or aaaaaa).
- Context-specific passwords should be rejected (e.g. the name of the site, the service, or the username).
- Commonly used passwords (e.g. p@ssw0rd), passwords from breach corpora, and single dictionary words should be rejected by checking candidates against a blocklist.
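The list above is the policy; the following Python is an added example of a verifier that enforces it, written for this page and not taken from any product or from NIST itself. The blocklist, the leetspeak map, the 128-character cap and the run-length threshold of 4 are constructed assumptions for the demo; a real deployment would load a large breach/dictionary blocklist and tune the thresholds. It returns a list of violations so that the caller can report every failed check at once.

```python
"""Password acceptance checks modelled on NIST SP 800-63B section 5.1.1.2.

Added example: the blocklist, thresholds and context terms are constructed
for the demo, not taken from any real deployment.
"""
import unicodedata

MIN_LENGTH = 8      # NIST: memorized secrets must be at least 8 characters
MAX_LENGTH = 128    # NIST: verifiers must accept at least 64; 128 is an assumed cap
RUN_LIMIT = 4       # assumed threshold for repeated/sequential runs ("aaaa", "1234")

# Constructed sample blocklist: a few common/breached passwords and dictionary
# words. A real list would be far larger (e.g. built from a breach corpus).
SAMPLE_BLOCKLIST = {
    "password", "p@ssw0rd", "123456", "qwerty", "letmein", "welcome",
    "hospital", "patient", "medical",
}

# Constructed substitution map so that "p@ssw0rd" is also caught by the
# "password" entry even if the exact leetspeak variant is not listed.
LEET_MAP = str.maketrans({
    "@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "!": "i", "4": "a", "5": "s", "7": "t",
})


def normalize(secret: str) -> str:
    """Apply Unicode NFKC normalization (as SP 800-63B recommends) before comparing."""
    return unicodedata.normalize("NFKC", secret)


def has_run(secret: str, limit: int = RUN_LIMIT) -> bool:
    """True if `secret` contains `limit` or more consecutive identical characters,
    or a consecutive ascending/descending code-point sequence of that length."""
    cps = [ord(c) for c in secret]
    for i in range(len(cps) - limit + 1):
        window = cps[i:i + limit]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs in ({0}, {1}, {-1}):   # all equal, all +1, or all -1
            return True
    return False


def check_password(secret: str, username: str = "", site_name: str = "",
                   blocklist=SAMPLE_BLOCKLIST) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    secret = normalize(secret)
    problems = []

    # Length: a floor, and a generous ceiling so that passphrases are allowed.
    if len(secret) < MIN_LENGTH:
        problems.append("too short")
    if len(secret) > MAX_LENGTH:
        problems.append("too long")

    # Blocklist: compare case-insensitively, with and without leetspeak undone.
    lowered = secret.lower()
    if lowered in blocklist or lowered.translate(LEET_MAP) in blocklist:
        problems.append("common or dictionary password")

    # Context-specific terms: username, service/site name.
    for term in (username, site_name):
        term = term.lower()
        if term and term in lowered:
            problems.append(f"contains context-specific term: {term}")

    # Repeated or sequential characters.
    if has_run(secret):
        problems.append("contains repeated or sequential characters")

    return problems


if __name__ == "__main__":
    for candidate in ["p@ssw0rd", "123456", "correct horse battery staple"]:
        print(repr(candidate), "->", check_password(candidate, username="jdoe") or "OK")
```

Note that no check rewards special characters or mixed case: per NIST, length plus a blocklist does more for security than composition rules, and the blocklist is where most of the real protection lives, so keep it large and refresh it as new breach data appears.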
Focus on User Experience to Improve Password Security
Cybersecurity and user experience are often at odds with each other. But the NIST password guidelines are clear on this point: rules that burden users (forced complexity, arbitrary periodic changes) push them toward predictable patterns and workarounds, so strong password security is rooted in a streamlined user experience.
HIPAA compliance, like most other types of compliance, is based on a set of general, technology-neutral rules rather than fixed prescriptions such as “Passwords must be changed every 30 days” or “Workstations must lock after 60 seconds of idle time.” The Security Rule leaves the specific settings to the organization's own risk analysis, and NIST SP 800-63B in fact advises verifiers not to require periodic password changes unless there is evidence of compromise.