HIPAA Risk Assessments

HIPAA risk assessments, though often tedious, are a critical part of ensuring HIPAA compliance. The Privacy Rule, created in 2003 to ensure that a patient’s private health data is only accessed by authorised personnel, was the first part of HIPAA that required such risk assessments. However, it has since been extended to include other safeguards required under the HIPAA Security Rule.

The most recent update to HIPAA came in 2013 when the Omnibus Rule was established to update the Security Rule. Now, both covered entities (CEs) and their business associates are required to conduct risk assessments. They are also liable to pay fines for non-compliance.

Password Requirements

The Security Awareness and Training section of the Security Rule stipulates that CEs must have “procedures for creating, changing and safeguarding passwords”. However, this can be confusing, as even experts disagree on the best password policies. It is accepted that secure passwords should have a mixture of upper- and lower-case characters, special characters and numbers. The disagreement instead lies in how frequently passwords should be changed, if at all.

Some claim that the best way to ensure HIPAA compliance is by changing a password at least every ninety days. Others argue that this is wasted effort: if a breach were to occur, a hacker could crack a password in a matter of minutes regardless of how recently it was changed. Additionally, regularly changed passwords are more likely to be forgotten. Not only does this waste time, but it increases the likelihood that the password will be written down.

Experts do agree that password management tools are the best way to safeguard passwords whilst also being HIPAA-compliant. The passwords are saved in an encrypted format, so that even if the software is hacked, the stored passwords cannot be read by the hackers.

“Addressable Safeguards” and Alternatives

Confusingly, HIPAA regards passwords as “addressable” safeguards. This does not mean that they can be ignored or overlooked; it simply means that, should the CE believe an alternative method of protecting its data would be more appropriate, it is free to use that method instead. Specifically, CEs can “implement one or more alternative security measures to accomplish the same purpose.”

The only requirement is that CEs “limit unnecessary or inappropriate access to and disclosure of Protected Health Information”. If CEs can prove that an alternative measure to passwords provides equal – or better – protection, they can implement these measures. The decision to do so, as well as the measure itself, must be carefully documented and reported to the Office for Civil Rights (OCR). The OCR is part of the Department of Health and Human Services.

Two-factor authentication is quickly rising in popularity as a means to replace passwords. When a person inputs their username and password, they are sent a specially generated PIN. This PIN is required before full access to the database is granted. A new PIN is created for each log-on attempt, so even if a password is cracked by a cybercriminal, they should not be able to access the database.

Due to this extra level of security, many healthcare providers have already implemented two-factor authentication. However, it is not yet used in the context of protecting PHI. Instead, it is used to comply with the Payment Card Industry Data Security Standard (PCI DSS) or the DEA's Electronic Prescription for Controlled Substances Rules. Thus, its main use is in protecting credit card details.

It may appear that having to wait for a PIN to be generated and sent to the recipient will slow workflows, but new technologies limit this disadvantage. Single Sign-Ons have been created for various healthcare technologies. Additionally, the PIN system means that passwords have to be changed less frequently.
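As an added illustration (not code from the original article or from any product it mentions), the Python sketch below shows the per-attempt PIN flow described above: a fresh PIN is issued for every log-on attempt, accepted only once, and only within a short validity window, so a password known to an attacker is not enough on its own. The server secret, the two-minute validity window and the six-digit PIN length are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

PIN_TTL_SECONDS = 120  # assumption: a PIN is valid for two minutes after issue


class OneTimePinService:
    """Issues a fresh PIN for every log-on attempt and accepts each PIN at most once."""

    def __init__(self, server_secret: bytes, now=time.time):
        self._secret = server_secret        # kept server-side; never sent to the user
        self._now = now                     # injectable clock, useful for testing expiry
        self._pending = {}                  # username -> (per-attempt challenge, issued_at)

    def issue_pin(self, username: str) -> str:
        """Called after the password check succeeds; returns the PIN to deliver out of band."""
        challenge = secrets.token_bytes(16)  # unique per attempt, so PINs never repeat
        self._pending[username] = (challenge, self._now())
        return self._derive(username, challenge)

    def _derive(self, username: str, challenge: bytes) -> str:
        # Bind the PIN to the user and to this attempt's challenge via HMAC-SHA256.
        mac = hmac.new(self._secret, username.encode() + challenge, hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

    def verify_pin(self, username: str, submitted: str) -> bool:
        """True only for the most recently issued, unexpired, never-before-used PIN."""
        entry = self._pending.pop(username, None)  # pop: a PIN can be tried exactly once
        if entry is None:
            return False
        challenge, issued_at = entry
        if self._now() - issued_at > PIN_TTL_SECONDS:
            return False                        # expired PINs are rejected
        expected = self._derive(username, challenge)
        return hmac.compare_digest(expected, submitted)  # constant-time comparison


if __name__ == "__main__":
    svc = OneTimePinService(b"constructed-example-secret")
    pin = svc.issue_pin("dr.smith")              # delivered to the user out of band
    print("first use accepted:", svc.verify_pin("dr.smith", pin))
    print("replay accepted:", svc.verify_pin("dr.smith", pin))
```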