What are Best Practices for Password Selection?

Modified on Tue, 22 Jul at 1:50 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Introduction

This article discusses best practices for password selection. HIPAA itself does not contain password selection requirements or guidelines, but the National Institute of Standards and Technology (NIST) provides such guidance, which is discussed here.

Where Does HIPAA Discuss Passwords?

The HIPAA Security Rule defines a password as "confidential authentication information composed of a string of characters."


The HIPAA Security Rule mentions passwords (now often called passphrases when they are long) in the security awareness and training standard of its "administrative safeguards." Password management, defined as "procedures for creating, changing, and safeguarding passwords," is an addressable implementation specification under that standard, so covered entities and business associates must either implement it or document why an alternative measure is reasonable and appropriate. Guidance for this requirement provides that workforce training should "address topics such as not sharing passwords with other workforce members or not writing down passwords and leaving them in open areas."


The term "password" is not otherwise mentioned in the Security Rule. Fortunately, guidance from the National Institute of Standards and Technology on password creation can be used to ensure that strong passwords are created.


What are the NIST Password Guidelines?

As noted above, the HIPAA regulations do not contain specific requirements for passwords: how many characters a password should contain, whether special symbols should (or should not) be used, and so forth. NIST has published "Digital Identity Guidelines" (NIST Special Publication 800-63B), which contains password guidelines that are widely regarded as best practices for creating a strong password. Covered entities and business associates should create strong passwords.

NIST recommends the following measures for creating strong passwords:

  • Use a minimum of eight (8) characters; longer passwords are more secure, and NIST's 2025 revision (SP 800-63B-4) raises the minimum length to 15 characters
  • Disallow or do not use sequences or repetitive characters, such as "12345" or "aaaaa"
  • Disallow or do not use context-specific passwords, such as the name of the site, the company, or the user
  • Disallow or do not use commonly used passwords, such as "password123" and "12345678"
  • Disallow or do not use single dictionary words
  • Disallow or do not use passwords that have been compromised previously (exposed in a known breach)

SP 800-63B also tells the systems that check passwords (the "verifiers") what not to do: they should not impose composition rules such as "one uppercase, one digit, one symbol," should not force routine periodic password changes unless there is evidence of compromise, should allow passwords of at least 64 characters including spaces, and should rate-limit failed login attempts. Screening new and changed passwords against a list of common, context-specific, and breached values is what replaces the old composition rules.
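The following Python script is an added example, not code from this article, from Compliancy Group, or from NIST. It screens a candidate password against the points listed above: minimum length, repetitive or sequential characters, context-specific words, commonly used passwords, single dictionary words, and previously compromised passwords. The compromised-password check uses the k-anonymity scheme of the Have I Been Pwned range API (only the first five hex characters of the SHA-1 hash leave the client); the blocklist, word list, context words, and range response below are small constructed samples, and `constructed_lookup` is an offline stand-in for the HTTP request a real deployment would make.

```python
"""Password screening along the lines of NIST SP 800-63B, section 5.1.1.2.

Added example; not code from the article, Compliancy Group, or NIST.
All sample data below is constructed and stands in for real corpora.
"""
import hashlib
import re

MIN_LENGTH = 8  # SP 800-63B rev 3 minimum for user-chosen passwords

# Constructed sample data: stand-ins for a real breach corpus, a word list,
# and a list of organisation/site names.
COMMON_PASSWORDS = {"password", "password123", "12345678", "qwerty123", "letmein"}
DICTIONARY_WORDS = {"sunshine", "baseball", "dragon", "welcome", "monkey"}
CONTEXT_WORDS = {"acme", "acmehealth", "patientportal"}

# Constructed stand-in for a Have I Been Pwned "range" response, keyed by the
# first five hex characters of the SHA-1 hash. Each line holds the remaining
# 35 hex characters and a breach count; the count for "password" is made up.
CONSTRUCTED_RANGE = {
    "5BAA6": (
        "00000000000000000000000000000000000:1\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"  # SHA-1("password")
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:2\n"
    ),
}


def has_repetition(pw, run=4):
    """True if any character is repeated `run` or more times in a row ("aaaa")."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_sequence(pw, run=4):
    """True if `run` consecutive characters step up or down by one code point
    ("1234", "abcd", "dcba")."""
    codes = [ord(c) for c in pw]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def sha1_prefix_suffix(pw):
    """Split the uppercase SHA-1 hex digest the way the HIBP range API expects."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(pw, range_lookup):
    """Number of times `pw` appears in breach data, via k-anonymity: only the
    5-character hash prefix is handed to `range_lookup`; suffix matching is local."""
    prefix, suffix = sha1_prefix_suffix(pw)
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def constructed_lookup(prefix):
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    return CONSTRUCTED_RANGE.get(prefix, "")


def check_password(pw, range_lookup=constructed_lookup):
    """Return the list of reasons a password should be rejected (empty = accept)."""
    problems = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if has_repetition(low):
        problems.append("repetitive characters")
    if has_sequence(low):
        problems.append("sequential characters")
    if any(word in low for word in CONTEXT_WORDS):
        problems.append("contains a context-specific word")
    if low in COMMON_PASSWORDS:
        problems.append("commonly used password")
    if low in DICTIONARY_WORDS:
        problems.append("single dictionary word")
    hits = breach_count(pw, range_lookup)
    if hits:
        problems.append(f"found {hits} times in breach data")
    return problems


if __name__ == "__main__":
    for candidate in ["password", "12345678", "AcmeHealth2024!",
                      "correct-horse-battery-staple"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

Only the hash prefix is disclosed to the breach-lookup service, so the service never learns which of roughly a million candidate hashes the user actually typed; the full comparison happens on the client. A real deployment would replace `constructed_lookup` with an HTTPS request and the small sets above with a breach corpus and word list of realistic size.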

In addition to following these guidelines for creating strong passwords, covered entities and business associates should follow these best practices:

  • Workforce members should not share passwords with others
  • If a workforce member suspects that their password has been compromised, the workforce member should change their password immediately and report the incident
  • Workforce members should not reveal passwords over the phone or via email, even to someone claiming to be from IT or a vendor.


Additional password best practices include:

  • Do not set or display password hints (SP 800-63B says verifiers must not allow a hint that is visible before login)
  • Do not use another user's username and password
  • Do not write down usernames and passwords. Use a password manager instead.

