24 Jul 2023
Password Complexity Best Practices for HIPAA Compliance Made Simple

It is a routine we follow every day. We enter usernames and passwords to access a variety of websites and applications, such as online banking and shopping sites, and even our devices themselves. However, especially if you work in healthcare, poorly crafted passwords can spell disaster. If you use a weak password like “MyPassword2022,” you will open the door for harmful phishing, ransomware, and spyware attacks. These attacks can have devastating consequences. According to IBM’s Cost of a Data Breach Report 2022, the average cost of a healthcare data breach is $10.10 million, more than double the $4.35 million global average across all sectors¹. Now, you may ask, “How can I keep my patients’ health records and other valuable information safe from hackers?” 

Enter password complexity. HIPAA (the Health Insurance Portability and Accountability Act) includes the Security Rule, which outlines specifications for “creating, changing, and safeguarding passwords” used in healthcare organizations². In this article, we will outline password complexity best practices to keep your organization HIPAA-compliant and your data secure. 

(Image courtesy of https://www.logonbox.com/content/password-manager-in-healthcare/)  

One best practice for HIPAA-compliant password management is to apply minimum requirements for overall length and for the number of uppercase, numeric, and special characters³. The National Institute of Standards and Technology (NIST) outlines that passwords for HIPAA-covered entities must include at least eight characters, featuring complex and random combinations of letters, numbers, and symbols⁴. Additionally, do not use any dictionary words in your password⁴. While longer passwords are more effective, you may opt to use three- or four-word passphrases instead⁴. Try using unrelated words like “chicken-airplane-soldier” or “raccoon-doorknob-spacecraft” in your passphrase for greater security⁴. Any way you slice it, following these standards will make your healthcare organization’s login processes more secure.

Another best practice is to avoid changing your passwords on a fixed schedule³. While NIST formerly recommended that users change their passwords every 90 days, or about three months, that is no longer the case³. NIST found that instead of completely overhauling their passwords, users often transformed them only slightly, sometimes by a single digit³. For example, users might have transformed their password from “passwordfor2020” to “passwordfor2021”³. This approach is problematic: if hackers have cracked the old password, chances are they will crack the new one sooner rather than later³. Therefore, NIST now recommends that you only change your password when weak or transformed passwords are exposed, when there is evidence of compromised passwords, or when employees leave your organization³.

Still another best practice for HIPAA-compliant password management is to utilize two-factor authentication (2FA), which we outlined in a previous article. As its name suggests, 2FA requires users to enter single-use passcodes along with their username and password when logging into protected accounts³. However, keep in mind that these passcodes are often delivered via SMS text or authenticator app, potentially opening doors for hackers if you receive them on the same devices you use to access protected data³. Nevertheless, selecting the right 2FA solution will help your healthcare organization meet HIPAA standards and keep your passwords secure. 

(Image courtesy of https://www.globalsign.com/en/blog/how-make-multi-factor-authentication-simple-and-secure-health-services-industry)  

While applying minimum requirements, avoiding frequent password changes, and using 2FA are excellent practices for HIPAA compliance, also remember to check password blacklists³. These lists include not only commonly hacked passwords but, more importantly, those exposed in data breaches³. For example, NordPass notes that the most frequently cracked passwords in the U.S. last year were “123456,” “password,” and “12345”⁵. Since these simple, predictable passwords are the first ones that hackers will attempt to crack, you must avoid them at all costs³. This demonstrates the importance of effective password management for complying with HIPAA requirements.
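The rules above (minimum length and character classes, no dictionary words, multi-word passphrases as an alternative, rejecting trivial rotations such as “passwordfor2020” to “passwordfor2021”, and screening against a blacklist) can be enforced at password-change time. The following Python checker is an added example, not code from the article or from navitend; the blacklist and wordlist are small constructed samples standing in for real breach-derived lists.

```python
import re

# Constructed sample data: the three most-cracked U.S. passwords the article cites, plus a
# few placeholder entries standing in for a breach-derived blacklist and a wordlist.
BLACKLIST = {"123456", "password", "12345", "qwerty", "letmein"}
DICTIONARY = {"password", "welcome", "summer", "chicken", "airplane", "soldier",
              "raccoon", "doorknob", "spacecraft"}
MIN_LENGTH = 8  # the NIST minimum the article cites

def contains_dictionary_word(pw):
    """True if any wordlist entry of four or more letters appears inside the password."""
    return any(w in pw.lower() for w in DICTIONARY if len(w) >= 4)

def is_passphrase(pw):
    """Three or more alphabetic words joined by hyphens or spaces, e.g. chicken-airplane-soldier."""
    words = re.split(r"[-\s]+", pw.strip())
    return len(words) >= 3 and all(w.isalpha() and len(w) >= 3 for w in words)

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character 'rotations' of an old password."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_trivial_transform(new, old):
    """Same letters with only digits/symbols changed (passwordfor2020 -> passwordfor2021) or within two edits."""
    core = lambda s: re.sub(r"[^a-z]", "", s.lower())
    return core(new) == core(old) or edit_distance(new.lower(), old.lower()) <= 2

def check_password(pw, previous=""):
    """Return the list of policy violations for pw; an empty list means it is acceptable."""
    problems = []
    if pw.lower() in BLACKLIST:
        problems.append("appears on the blacklist of common or breached passwords")
    if previous and is_trivial_transform(pw, previous):
        problems.append("is a trivial transformation of the previous password")
    if is_passphrase(pw):
        return problems  # a multi-word passphrase stands in for the composition rules
    if len(pw) < MIN_LENGTH:
        problems.append(f"is shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[A-Z]", pw) and re.search(r"\d", pw) and re.search(r"[^A-Za-z0-9]", pw)):
        problems.append("needs an uppercase letter, a digit and a special character")
    if contains_dictionary_word(pw):
        problems.append("contains a dictionary word")
    return problems
```

In production the blacklist check should query a full breach corpus (for example via a k-anonymity API) rather than a local set, and the previous-password comparison must run only at change time against the plaintext the user has just submitted, never against stored hashes.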

If you are a healthcare provider seeking HIPAA-compliant password management solutions, navitend can help. We offer managed IT (Information Technology) services for clients throughout New Jersey, New York, and Pennsylvania, including HIPAA-related security risk assessments and password management software. Once you have decided to install our password management software, we will work with you to ensure that everyone in your organization can securely access passwords by only remembering a single, secure password that only you know. We have the solutions you need to protect your healthcare organization’s login processes 24/7/365.  

Navitend can help you. Call 973.448.0070 or set up an appointment today.

Sources: 

¹IBM Security. “Cost of a Data Breach Report 2022.” Retrieved from https://www.ibm.com/downloads/cas/XZNDGZKA. 

²HIPAA Journal. “The HIPAA Password Requirements and the Best Way to Comply with Them” by Steve Alder. Retrieved from https://www.hipaajournal.com/hipaa-password-requirements/. 

³HIPAA Journal. “5 Password Best Practices for HIPAA Covered Entities.” Retrieved from https://www.hipaajournal.com/password-best-practices/.

⁴Bitwarden. “HIPAA Password Requirements Explained” by Andrea Lebron. Retrieved from https://bitwarden.com/blog/hipaa-password-requirements/. 

⁵NordPass. “Top 200 most common passwords.” Retrieved from https://nordpass.com/most-common-passwords-list/.  
