It is a routine we follow every day. We enter usernames and passwords to access a variety of websites and applications, such as online banking and shopping sites, and even our devices themselves. However, especially if you work in healthcare, poorly crafted passwords can spell disaster. If you use a weak password like “MyPassword2022,” you will open the door for harmful phishing, ransomware, and spyware attacks. These attacks can have devastating consequences. According to IBM’s Cost of a Data Breach Report 2022, the average cost of a healthcare data breach is $10.10 million, more than double the $4.35 million global average across all sectors¹. Now, you may ask, “How can I keep my patients’ health records and other valuable information safe from hackers?”
Enter password complexity. HIPAA (the Health Insurance Portability and Accountability Act) includes the Security Rule, which outlines specifications for “creating, changing, and safeguarding passwords” used in healthcare organizations². In this article, we will outline password complexity best practices to keep your organization HIPAA-compliant and your data secure.
(Image courtesy of https://www.logonbox.com/content/password-manager-in-healthcare/)
One best practice for HIPAA-compliant password management is to apply minimum requirements for overall length, as well as for the number of uppercase, numeric, and special characters³. The National Institute of Standards and Technology (NIST) outlines that passwords for HIPAA-covered entities must include at least eight characters, featuring complex and random combinations of letters, numbers, and symbols⁴. Additionally, do not use any words from the dictionary in your password⁴. While longer passwords are more effective, you may opt to use three- or four-word passphrases instead⁴. Try using unrelated words like “chicken-airplane-soldier” or “raccoon-doorknob-spacecraft” in your passphrase for greater security⁴. Any way you slice it, following these standards will make your healthcare organization’s login processes more secure.
Another best practice is to avoid changing your passwords regularly³. While NIST formerly recommended that users change their passwords every 90 days, or about three months, that is no longer the case³. NIST found that instead of completely overhauling their passwords, users often transformed them only slightly, sometimes by a single digit³. For example, users might have transformed their password from “passwordfor2020” to “passwordfor2021”³. However, this approach is problematic. If hackers have cracked the old password, chances are they will crack the new one sooner rather than later³. Therefore, NIST now recommends that you only change your password when weak or transformed passwords are exposed, when there is evidence of compromised passwords, or when employees leave your organization³.
Still another best practice for HIPAA-compliant password management is to utilize two-factor authentication (2FA), which we outlined in a previous article. As its name suggests, 2FA requires users to enter single-use passcodes along with their username and password when logging into protected accounts³. However, keep in mind that these passcodes are often delivered via SMS text or authenticator app, potentially opening doors for hackers if you receive them on the same devices you use to access protected data³. Nevertheless, selecting the right 2FA solution will help your healthcare organization meet HIPAA standards and keep your passwords secure.
(Image courtesy of https://www.globalsign.com/en/blog/how-make-multi-factor-authentication-simple-and-secure-health-services-industry)
While applying minimum requirements, avoiding frequent password changes, and using 2FA are excellent practices for HIPAA compliance, also remember to check password blacklists³. These lists not only include commonly hacked passwords, but more importantly, those exposed in data breaches³. For example, NordPass notes that the most frequently cracked passwords in the U.S. last year were “123456,” “password,” and “12345”⁵. Since these simple, predictable passwords are the first ones that hackers will attempt to crack, you must avoid them at all costs³. This demonstrates the importance of effective password management for complying with HIPAA requirements.
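As an added illustration of the rules described above (minimum length with uppercase, numeric, and special characters; no dictionary words; three-plus-word passphrases of unrelated words; and a blacklist check), the following example code, which is not part of the original article, applies them to candidate passwords. The dictionary and blacklist sets are small constructed samples standing in for a full word list and a breach-derived list such as the NordPass data cited above.

```python
import re
from typing import Tuple

# Constructed samples: a real deployment loads a full dictionary and a
# breach-derived blacklist instead of these few entries.
BLACKLIST = {"123456", "password", "12345", "qwerty"}
DICTIONARY = {"password", "welcome", "summer", "chicken", "airplane",
              "soldier", "raccoon", "doorknob", "spacecraft"}

MIN_LENGTH = 8            # minimum characters for a single-string password
PASSPHRASE_MIN_WORDS = 3  # three- or four-word passphrases are the alternative
PASSPHRASE_MIN_WORD_LEN = 3


def is_blacklisted(pw: str) -> bool:
    """Reject anything on the common/breached password list (case-insensitive)."""
    return pw.lower() in BLACKLIST


def contains_dictionary_word(pw: str) -> bool:
    """Reject passwords that embed a dictionary word, e.g. 'MyPassword2022'."""
    lowered = pw.lower()
    return any(word in lowered for word in DICTIONARY)


def complexity_ok(pw: str) -> bool:
    """Single-string password: length plus uppercase, digit and special classes."""
    return (len(pw) >= MIN_LENGTH
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None
            and not contains_dictionary_word(pw))


def passphrase_ok(pw: str) -> bool:
    """Hyphen- or space-separated passphrase of distinct, non-trivial words.
    Dictionary words are allowed here because the strength comes from
    combining several unrelated words, not from any single word."""
    words = [w for w in re.split(r"[-\s]+", pw) if w]
    return (len(words) >= PASSPHRASE_MIN_WORDS
            and len(set(w.lower() for w in words)) == len(words)
            and all(len(w) >= PASSPHRASE_MIN_WORD_LEN for w in words))


def check_password(pw: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a candidate password."""
    if is_blacklisted(pw):
        return False, "rejected: on common/breached password blacklist"
    if passphrase_ok(pw):
        return True, "accepted: multi-word passphrase"
    if complexity_ok(pw):
        return True, "accepted: meets length and character-class rules"
    return False, "rejected: too short, missing character classes, or dictionary word"
```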
If you are a healthcare provider seeking HIPAA-compliant password management solutions, navitend can help. We offer managed IT (Information Technology) services for clients throughout New Jersey, New York, and Pennsylvania, including HIPAA-related security risk assessments and password management software. Once you have decided to install our password management software, we will work with you to ensure that everyone in your organization can securely access passwords by remembering only a single, secure master password that only they know. We have the solutions you need to protect your healthcare organization’s login processes 24/7/365.
Navitend can help you. Call 973.448.0070 or set up an appointment today.
Sources:
¹IBM Security. “Cost of a Data Breach Report 2022.” Retrieved from https://www.ibm.com/downloads/cas/XZNDGZKA.
²HIPAA Journal. “The HIPAA Password Requirements and the Best Way to Comply with Them” by Steve Alder. Retrieved from https://www.hipaajournal.com/hipaa-password-requirements/.
³HIPAA Journal. “5 Password Best Practices for HIPAA Covered Entities.” Retrieved from https://www.hipaajournal.com/password-best-practices/.
⁴Bitwarden. “HIPAA Password Requirements Explained” by Andrea Lebron. Retrieved from https://bitwarden.com/blog/hipaa-password-requirements/.
⁵NordPass. “Top 200 most common passwords.” Retrieved from https://nordpass.com/most-common-passwords-list/.