Password security for electronic protected health information (ePHI) is a fundamental part of any HIPAA compliance program, but there is no one right way. HIPAA allows a great deal of choice in how to secure data with passwords, but one must choose carefully to ensure the information is protected from both casual snooping and sophisticated hacking.
HIPAA password management requirements are quite open-ended, only specifying that one must institute “procedures for creating, changing, and safeguarding passwords,” notes Gary Nelson, healthcare practice leader with Schellman & Company, a security and privacy compliance assessor based in Tampa, FL.
To properly determine sufficiency for password protection, organizations should perform risk assessments for the systems or services that use or house ePHI, Nelson says. While HIPAA itself does not specify minimally defined requirements, the risk assessment could be paired with password or authentication requirements from standards such as NIST, PCI, or HITRUST to help address the HIPAA safeguard and also define what would serve as optimal for the organization.
The idea of what makes a good password is shifting, says Kenneth K. Dort, JD, partner with the law firm of Drinker Biddle in Chicago. Security experts used to promote the idea of a long string of random letters, numbers, and symbols, with the password changed every 60 or 90 days. Now, it is more common to use a sentence the user can memorize and take the first letter of each word as the password, perhaps throwing in one or two numbers, too.
“The reason is that through that method you actually come up with a password that is more random and harder for someone to break than if you just select a few letters and numbers that don’t mean anything to you,” Dort says. “A supercomputer can break any password, but most people trying to get into your system are going to take a try and move on if they can’t get it quickly. The method of using a sentence gives you a more secure password, and one that the user can remember without writing it on a note taped to the desk.”
Different Security Options
There are technical and non-technical options, says John Hellickson, managing director of strategy and governance at Kudelski Security, headquartered in Phoenix. The technical solutions range from single sign on and privileged access management to password management tools.
“I believe this really comes down to usability by the persons impacted by the requirement, which goes beyond just technology. With the goal of managing access to PHI, it is key for an organization to understand the requirements of the business and its users, in addition to the technical security requirements, and balancing that with the organization’s risk appetite prior to investing in any solutions.”
Many organizations have enacted strict password policies, from forcing password changes on all users between 30-90 days to enforcing specific complexity requirements that make it difficult to remember. However, Hellickson says that can ultimately increase the risk that the users will engage in practices that undermine the goal of protecting access to PHI.
“What I’ve seen work well is encouraging users to come up with a password scheme that meets complexity requirements where they change three or more characters to make it unique for each place they log into, allowing them to easily remember and maintain good password hygiene,” Hellickson offers. “This, combined with single sign-on and a simple-to-use multifactor authentication solution, is a good way for the security organization to relax requirements on forcing password changes on such a short schedule, such as anything less than a year.”
Although more complex and costly, implementing a single sign-on solution can help reduce the burden on the end user and reduce the need to remember multiple passwords in an organization, he says. These projects usually require a lot of coordination and time to implement, Hellickson says, but the more systems and associated access that can be integrated into a single sign-on solution, the less chance the end users will fall to poor password practices.
“Knowing traditional password policies aren’t working, with the more complex and rigid policies having the opposite effect on protecting those passwords, single sign-on and multifactor technologies have come a long way and provide a better user experience while also mitigating some of the issues from relying on passwords alone,” Hellickson notes.
Dual Authentication Adds Security
Two-factor authentication, also known as dual authentication, is one of the best ways to greatly enhance the access control to sensitive data, Hellickson says. With two-factor authentication, users performing a sensitive function, such as accessing PHI, enter a username and password, and then receive an authorization request on a mobile device that they tap to approve. This provides users access with minimal effort.
Two-factor authentication would be considered an alternative security measure to the HIPAA password requirement, helping accomplish the same purpose but with enhanced security, Hellickson explains. Dort also supports using two-factor authentication, saying it allows the user to use a simple password to get into the system and then a more complex one that is sent to user’s phone and is valid only for a short time.
“That means that even if someone gets into your system with a user’s password, they still can’t access PHI unless they also have that person’s phone, which is very unlikely,” Dort says. “Most places require you to have your phone password-protected as well if you use it at work, so you have that additional layer of security also.”
Two-factor authentication is not explicitly stated as necessary to address HIPAA safeguards, Nelson notes.
“However, organizations should definitely consider two-factor authentication for systems that contain ePHI due to the inherent risks associated with inappropriate access to data or medical records that contain ePHI,” he says. “If an organization is considering the pursuit of HITRUST to address HIPAA compliance, then two-factor authentication may become necessary as a HITRUST requirement.”
State University of New York Downstate Medical Center in Brooklyn is considering two-factor authentication, says David W. Loewy, PhD, chief information security officer with the hospital. The change would address the human tendencies that can foil a simple password system, he says.
“I can go through the hospital and out of a thousand work stations, 10% of them have the password pasted to the bottom of the keyboard,” Loewy explains. “Unfortunately, the healthcare community has not taught practitioners the importance of keeping passwords secure and the value of that kind of data on the dark web. We try to impress this on them, but still, people are lazy and don’t understand why this is so important.” Loewy notes that the most flagrant violators of password security rules are hospital candy stripers and similar volunteers.
Healthcare organizations should create a vigorous cybersecurity awareness program, Loewy says. His hospital recently developed a program that includes a logo with a fist punching through a screen and the words “You are a target!”
“People put that on their monitors to remind them that they are targets to the bad guys and that is why we’re so concerned about passwords,” Loewy says. “You need to be in front of people all the time reminding them.”
A robust password policy is necessary, but Loewy cautions against writing the policy and procedures as one document. It is better to maintain a policy that requires passwords but separate procedures for how to use and protect them. That way, the procedures can be updated to conform to evolving technology and trends without the need to revise the policy behind them, he says.
A common mistake by organizations is simply not assessing the true or accurate level of risk associated with systems that house ePHI, Nelson says. Based on what it defines as the risk level associated with accessing ePHI, the organization may find that it has either created insufficient password access or parameters to protect their data or, to a lesser degree, that it has implemented excessive layers of authentication and password parameters that create unnecessary costs for the organization, he says.
Whatever strategies are employed, they must be tailored to the organization’s particular needs, Hellickson adds. “Moving forward with an access control program that doesn’t consider the business and how end users conduct their duties is a recipe for disaster,” Hellickson warns. “The key to success is to engage the business stakeholders early, and make them part of the initiative to identify and select the set of policies, processes, and technologies to comply with this requirement.”
• Kenneth K. Dort, JD, Partner, Drinker Biddle, Chicago. Phone: (312) 569-1458. Email: firstname.lastname@example.org.
• John Hellickson, Managing Director, Strategy & Governance, Kudelski Security, Phoenix. Phone: (623) 235-2500.
• David W. Loewy, PhD, Chief Information Security Officer, State University of New York Downstate Medical Center, Brooklyn, NY. Phone: (718) 613-8593. Email: email@example.com.
• Gary Nelson, Healthcare Practice Leader, Schellman & Company, Tampa, FL. Phone: (866) 254-0000.