Is it better for a HIPAA compliant password policy to require complex passwords or long passphrases?

Many cybersecurity experts believe long passphrases are more resilient to brute force attacks than shorter complex passwords. However, if users are susceptible to phishing attacks, it is more likely they will disclose easy-to-remember passphrases than complex passwords. Covered Entities should conduct a risk assessment to establish the best format to include in their HIPAA compliant password policy; and, if the conclusion is that complex passwords are more secure, implement a password manager with credential autofill capabilities so users do not have to remember their passwords.

The HIPAA Administrative Safeguards state procedures should be implemented for changing passwords, but NIST recommends against forced password changes. Which is right?

At the time the Administrative Safeguards were enacted, NIST was recommending passwords should be forcibly changed every sixty to ninety days. However, the agency subsequently revised its advice when it was found users were regularly amending only one character every password change – an unsafe practice if the original password is ever compromised. The current guidance is that passwords are only changed if there is evidence of compromise – which aligns with the Administrative Safeguards because the text of the clause doesn´t require forced periodic password changes.

If multi-factor authentication can add an extra layer of security to password-protected accounts and systems, why isn´t it a requirement of HIPAA?

When HIPPA was written, it was deliberately technology-neutral to remain relevant as technology advances. Therefore, HIPAA – in this case the Technical Safeguards of the Security Rule – mandates that verification and authentication measures are put in place, but doesn´t specify which ones to use. However, if a Covered Entity identifies a vulnerability in an access control measure that could be resolved by multi-factor authentication, and fails to implement it, HHS will be interested to know why MFA was not implemented if the Covered Entity subsequently experiences a data breach.

How is it possible to tell if a password has been compromised?

There are multiple databases on the Internet that list the most common passwords compromised in brute force attacks and some password managers integrate these databases into their solutions so users can perform health checks on their passwords. The health checks not only alert users to compromised passwords, but also those that are weak or re-used for other accounts. The health checks can also identify when username and password combinations are being used on unsecure websites or when an Internet account provides the option to add MFA.

Is it a violation of HIPAA if passwords are shared?

It is a violation of HIPAA if an employee of a Covered Entity or a Business Associate shares login credentials to systems containing ePHI because of the requirement “to verify a person or entity seeking access to ePHI is the one claimed”. However, there are circumstances in which passwords can be shared - provided they are not login credentials to systems containing ePHI. For example, marketing teams might share the passwords to corporate social media accounts, IT teams might share the passwords of cloud computing accounts, and finance teams share online banking logins.

What are the HIPAA Password Requirements?

HIPAA password requirements mean HIPAA Covered Entities and Business Associates must implement policies, procedures, and technical controls that provide unique user identification, authenticate users, and protect access to electronic protected health information, using password management practices that are reasonable and appropriate to the organization’s risk analysis under the HIPAA Security Rule.

The HIPAA Security Rule does not mandate a specific password length, complexity formula, or rotation interval. Password controls are implemented through the required standards for access control, person or entity authentication, workforce security, and security awareness and training. The security management process requires risk analysis and risk management actions that determine how authentication risks will be reduced in the organization’s environment, including risks from weak passwords, credential reuse, phishing, shared accounts, and unattended sessions.

Password policy should start with account structure and accountability. Each workforce member who accesses systems containing electronic protected health information should have a unique account, and shared credentials should be prohibited except for narrowly defined technical service accounts with restricted privileges and documented management. Access should be provisioned based on job role and terminated promptly when workforce members change roles or leave the organization.

Technical controls should prevent unauthorized access and reduce credential compromise impact. Controls can include minimum password length requirements, screening against common or breached passwords, rate limiting and lockout controls for repeated failed login attempts, session timeouts, and automatic logoff for unattended workstations. Passwords should be stored using secure one-way hashing and managed through centralized identity systems where feasible. Privileged accounts should be separated from standard accounts and restricted to approved administrative tasks.

Multi-factor authentication strengthens compliance for remote access and privileged access because it reduces reliance on passwords alone. While multi-factor authentication is not named as a standalone requirement in the HIPAA Security Rule, it is a common risk management control that supports person or entity authentication and access control standards, especially for email, virtual private networks, remote desktop, cloud applications, and administrative consoles that provide pathways to electronic protected health information.

Workforce procedures address common failure points. Training should cover password confidentiality, prohibition on sharing passwords, recognition of phishing attempts, and the requirement to report suspected compromise. Organizations should enforce a sanction policy for credential sharing and unauthorized access and should maintain incident response procedures for credential compromise, including account containment, credential resets, log review, and breach analysis under the HIPAA Breach Notification Rule when unsecured protected health information may have been compromised.

Password requirements extend to devices and applications that store electronic protected health information locally. Mobile devices and laptops should require authentication at startup and after inactivity, and local administrative passwords should be managed to prevent reuse and unauthorized elevation of privileges. Where applications cache tokens or synchronize content, controls should prevent access after separation from the workforce, including revocation of sessions and remote wipe capabilities when devices are managed.

An organization can demonstrate compliance by retaining written password and authentication policies, role-based access documentation, provisioning and termination records, security awareness training records, system configuration standards for lockout and logoff settings, and incident documentation for credential compromise events and remediation actions.

What are the HIPAA Password Requirements?

James Keogh