HIPAA Password Requirements & How To Comply With Them | Reciprocity

Published 05/22/2018

The Health Insurance Portability and Accountability Act (HIPAA) consists of the Security Rule and the Privacy Rule, which govern the protection of Protected Health Information (PHI) and electronic Protected Health Information (ePHI). The 2009 HITECH Act created four violation categories with varying degrees of penalties, overseen by the Office for Civil Rights (OCR). The increased value of ePHI records on the Dark Web and the rate of data breaches in the healthcare industry reinforce the importance of passwords as administrative and technical safeguards for protecting patient information.

HIPAA & Passwords

How are passwords related to HIPAA compliance?

HIPAA requires appropriate authentication methods for ePHI access. Additionally, it requires ongoing management of that access. However, HIPAA does not incorporate prescriptive measures for authentication methodologies or password complexity. Despite the regulation’s silence, organizations seeking HIPAA password compliance have resources.

The OCR traditionally defers to the National Institute of Standards and Technology (NIST) for technical guidance, which offers the first step to understanding password requirements. Moreover, in 2007, a group of healthcare leaders, organizations, and interested parties founded the HITRUST Alliance, which established a cybersecurity framework focused on risks specific to the healthcare industry. Combining insights from both the NIST Cybersecurity Framework (NIST CSF) and the HITRUST Cybersecurity Framework (HITRUST CSF) helps provide direction for healthcare organizations.

What are the NIST password management suggestions?

In June 2017, NIST released Special Publication 800-63B. The publication provides technical recommendations for choosing authenticators and authentication processes to be used at different Authenticator Assurance Levels (AALs). Despite not being prescriptive, the suggestions set forth establish regulatory acceptability levels.

A summary review of the AALs shows that they provide increasing levels of assurance over an organization’s authentication choices. For example, AAL1 requires linking single-factor or multifactor authentication to a specific individual. AAL2 includes proof of possession and control of two different authentication protocols as well as approved cryptographic techniques. AAL3, the highest level of assurance, requires a hardware-based authenticator as well as one that is resistant to impersonation, although one device may meet both of these.

Overall, AAL1 imposes the minimum security requirements while AAL3 imposes the highest. For example, to achieve a basic level of authentication strength, organizations need to use any of the following:

Memorized Secret
Look-Up Secret
Out-of-Band Devices
Single-Factor One-Time Password (OTP) Device
Multi-Factor OTP Device
Single-Factor Cryptographic Software
Single-Factor Cryptographic Device
Multi-Factor Cryptographic Software
Multi-Factor Cryptographic Device

AAL3 authentication requires a combination of authenticators from the following list:

Multi-Factor Cryptographic Device
Single-Factor Cryptographic Device used in conjunction with Memorized Secret
Multi-Factor OTP device (software or hardware) used in conjunction with a Single-Factor Cryptographic Device
Multi-Factor OTP device (hardware only) used in conjunction with a Single-Factor Cryptographic Software
Single-Factor OTP device (hardware only) used in conjunction with a Multi-Factor Cryptographic Software Authenticator
Single-Factor OTP device (hardware only) used in conjunction with a Single-Factor Cryptographic Software Authenticator and a Memorized Secret

As evidenced by the lists, the different AALs require very different complexity levels. Thus, not every password management requirement applies to every organization.

What are the HITRUST password management suggestions?

The HITRUST Alliance released v.9 of the CSF after the release of the NIST Special Publication, establishing 19 controls to align with SP 800-63B. Many covered entities choose to comply with the HITRUST CSF since it incorporates ISO 27000, COBIT, HIPAA, NIST, PCI DSS, FTC Red Flags, the HITECH Act, and several other standards, including state requirements.

The HITRUST CSF provides sector-specific controls targeting different healthcare provider needs. For example, physicians can use tokens, smartcards, or biometrics as authentication methods instead of, not in addition to, passwords. Tapping a smartcard rather than typing in a password is intended to speed the authentication process, allowing the physician to provide care more rapidly.

What are the HITRUST password complexity suggestions?

HITRUST allows organizations to choose a level of compliance. When reviewing the password management requirements, the different compliance requirements between the levels give insight into how HITRUST allocates responsibility based on risk.

A Level 1 organization must require passwords that are not displayed when entered, are changed in the event of a possible system or password compromise, and allow user identity verification before performing password resets.

Level 2 organizations must incorporate all of the Level 1 requirements and also include several additional protections. The passwords must be protected from unauthorized disclosure and modification when stored and transmitted, cannot be included in any automated log-on process (e.g., stored in a macro or function key), and must be encrypted during transmission and storage on all system components. Additionally, organizations must create temporary passwords that are unique to an individual and not guessable. Finally, Level 2 organizations must require users to sign a statement attesting to the confidentiality of personal passwords and group passwords.

HITRUST’s aggregation of standards and frameworks incorporates several suggestions for creating a strong password. Password complexity aligns with the CMS implementation, FEDRAMP, HIX, and PCI DSS. For users, FEDRAMP requires a minimum 12-character password length while HIX has a shorter requirement of 8 characters. The CMS, FEDRAMP, and HIX implementations all require a password to include one capital letter, one lowercase letter, one number, and one special character.
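As an added example (not code from the original post or from Reciprocity), the Python checker below encodes the two complexity profiles the page states lengths for (FEDRAMP: 12 characters, HIX: 8 characters, both with the four character classes) and reports which requirements a password fails; it also generates a random temporary password that satisfies a profile, as the Level 2 "unique and not guessable" rule calls for. The profile names and sample passwords are constructed for illustration; the CMS minimum length is not stated on the page, so no CMS profile is encoded.

```python
import re
import secrets
import string
from typing import Dict, List

# Minimum lengths as stated on the page; CMS is omitted because its length is not given.
PROFILES: Dict[str, int] = {"FEDRAMP": 12, "HIX": 8}

# Character-class rules shared by every profile on the page (one uppercase letter,
# one lowercase letter, one number, one special character).
CLASS_RULES = {
    "uppercase letter": re.compile(r"[A-Z]"),
    "lowercase letter": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special character": re.compile(r"[^A-Za-z0-9]"),
}


def check_password(password: str, profile: str) -> List[str]:
    """Return the requirements the password fails under `profile` (empty list = compliant)."""
    if profile not in PROFILES:
        raise ValueError(f"unknown profile: {profile}")
    failures = []
    if len(password) < PROFILES[profile]:
        failures.append(f"at least {PROFILES[profile]} characters")
    for name, pattern in CLASS_RULES.items():
        if not pattern.search(password):
            failures.append(f"at least one {name}")
    return failures


def compliant_profiles(password: str) -> List[str]:
    """Return the names of every profile whose complexity rules the password meets."""
    return [name for name in PROFILES if not check_password(password, name)]


def generate_temporary_password(profile: str = "FEDRAMP", extra: int = 4) -> str:
    """Generate a CSPRNG-based temporary password that satisfies `profile`.

    Rejection sampling keeps the draw uniform over the alphabet while guaranteeing
    every character class is present; `extra` characters beyond the minimum add margin.
    """
    alphabet = string.ascii_letters + string.digits + string.punctuation
    length = PROFILES[profile] + extra
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, profile):
            return candidate


if __name__ == "__main__":
    # Constructed sample passwords for illustration only, not real credentials.
    for sample in ("Tr0ub4dor&3", "CorrectHorse!9Battery", "password"):
        print(f"{sample!r}: meets {compliant_profiles(sample)}; FEDRAMP gaps {check_password(sample, 'FEDRAMP')}")
```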

Organizations seeking HIPAA compliance should create a password policy that clearly defines a strong user password and engage in security awareness training for all employees.

How ZenGRC Enables HIPAA Compliance

ZenGRC eases the compliance burden by providing organizations seed content for mapping their controls across a variety of standards and frameworks. This speeds the onboarding process and also enables gap analysis.

Healthcare providers can choose from HITRUST, COBIT, COSO, ISO, PCI DSS, and NIST frameworks to ensure proper IT HIPAA compliance. Moreover, business partners seeking to become HIPAA compliant as they scale can quickly view their current compliance using our gap analysis tool and determine how much additional work they need to do.

For more information about using ZenGRC to ease the HIPAA compliance burden and to speed the process of scalability, schedule a demo.