HIPAA regulations require healthcare entities to enact procedures for creating, changing, and safeguarding passwords, but they don’t specify the details or the required complexity of the passwords. The HHS Office for Civil Rights (OCR) looks to the National Institute of Standards and Technology (NIST) for guidance, so risk managers also should, one expert suggests.

Traditionally, NIST recommends passwords be complex: a minimum of eight characters, a mix of upper- and lower-case characters, numbers, and symbols, says Jeannie O’Donnell, CIA, CISA, CPC, CHC, senior consultant for advisory services with Change Healthcare in Nashville, TN.

The traditional guidance also recommends prohibiting password reuse for a set number of times and specifying the minimum number of characters that must be changed. It also recommends that a temporary password be changed on its first use and that password expiration be enforced. Currently, NIST recommends not enforcing password expiration unless it is necessary, she says.

“Examples are when a password is lost or forgotten, when a phishing attack has occurred, or when a password database has been compromised,” O’Donnell says. “Requiring the frequent change of passwords can lead to the user creating a pattern that can be guessed.”

Updated NIST Guidelines

NIST has updated its Digital Identity Guidelines (NIST Special Publication 800-63B), which includes revisions to its advice on the creation and storage of passwords. Digital authentication helps to ensure only authorized individuals can gain access to resources and sensitive data, O’Donnell explains.

NIST states that “authentication provides reasonable risk-based assurances that the subject accessing the service today is the same as the one who accessed the service previously.” The guidelines are not specific to the healthcare industry, O’Donnell notes, although the recommendations can be adopted by healthcare organizations to improve password security.

In the security industry, the latest recommendations on password creation include using passphrases, O’Donnell says. A passphrase is a sentence or phrase, with or without spaces, typically more than 20 characters long. The words making up the passphrases should be meaningless together to make them less susceptible to social engineering.

“Another recommendation is to block dictionary words because a common problem with complex passwords is the ease of guessing them. Hackers have tested for commonly used passwords such as Winter2017, often used as a temporary password, and Steelers2017, at the beginning of football season,” she says.
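One way to enforce the dictionary-word blocking and catch the guessable rotation patterns described above, as an added example that is not from the article or from NIST. The word list, the substitution table, and the function names are assumptions made for illustration.

```python
import re

# Constructed sample blocklist: "winter" and "steelers" come from the article,
# the rest are assumed additions. Production lists are far larger.
BLOCKED_WORDS = {"winter", "spring", "summer", "autumn", "steelers",
                 "password", "welcome"}
MIN_LENGTH = 8  # the eight-character minimum the article cites

# Common character substitutions, undone before the blocklist lookup.
LEET = str.maketrans("013457@$!", "oieastasi")


def base_word(candidate: str) -> str:
    """Reduce 'W1nter2017!' to 'winter' so decorated variants still match."""
    # Drop the trailing run of digits and symbols, then undo substitutions.
    stem = re.sub(r"[^a-z]+$", "", candidate.lower())
    return stem.translate(LEET)


def check_password(candidate: str) -> list[str]:
    """Return policy violations; an empty list means the password is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if base_word(candidate) in BLOCKED_WORDS:
        problems.append("blocked word plus predictable suffix")
    return problems


def is_incremental_change(current: str, new: str) -> bool:
    """True when a rotation only alters the trailing digits or symbols."""
    base = base_word(current)
    return bool(base) and base == base_word(new)


if __name__ == "__main__":
    # Constructed sample inputs, including an all-lowercase passphrase.
    for pw in ["Winter2017", "$teelers2017!", "jd", "lantern orbit cactus velvet"]:
        print(repr(pw), check_password(pw) or "accepted")
    print(is_incremental_change("Harbor2017", "Harbor2018"))
```

The check imposes no character-class rules, so a long all-lowercase passphrase passes while a mixed-case, digit-bearing password built on a blocked word does not.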

No matter how strong the intention to keep systems secure, administrators may be limited by the password parameters allowed by their applications.

“I recommend a single sign-on application to allow for enforcement of the desired password complexity and parameters. The single sign-on can also include multifactor authentication, a method of access control in which a user is only granted access after successfully presenting several separate pieces of evidence to an authentication mechanism,” O’Donnell says.

Periodic Training Required

That evidence typically comes from at least two of the following categories: knowledge (something they know, such as a PIN), possession (something they have, like a token), and inherence (something they are, such as a fingerprint).

“Security is only as good as the users of the system, so periodic training is recommended to ensure users understand their security obligations and the importance of reporting suspected account compromises,” she says. “In the healthcare industry, I’ve seen applications with two-character passwords where the providers used their initials. I’ve also seen passwords that were 12 characters long with a combination of letters, numbers, and symbols where the users had no choice but to write them down, but unfortunately left them visible in an unsecure location.”

When encountering resistance to strong passwords, remind users that the cost of a breach, monetarily and in reputation, will far exceed the cost of compliance, she advises.


• Jeannie O’Donnell, CIA, CISA, CPC, CHC, Senior Consultant for Advisory Services, Change Healthcare, Nashville, TN. Phone: (888) 363-3361.