How to Make Your Passwords HIPAA Compliant
HIPAA regulation is intentionally vague in certain respects in order to allow flexibility for organizations of different sizes and means. The rule of thumb is that organizations must demonstrate a “good faith effort” to follow the regulation using a “commercially reasonable best effort.” The Security Rule says this explicitly: a covered entity may weigh its size, complexity, technical infrastructure, cost and risk when deciding which safeguards are “reasonable and appropriate” (45 CFR § 164.306(b)). Because HIPAA applies equally to single-doctor practices and enterprise hospital systems alike, the scope of appropriate security and privacy measures will differ with the size and resources of the organization.
Yet there are still some best practices that organizations of any size can keep in mind while trying to adhere to HIPAA password requirements. HIPAA’s only explicit mention of passwords is the addressable “password management” specification in the Security Rule (45 CFR § 164.308(a)(5)(ii)(D)), which calls for procedures for creating, changing and safeguarding passwords without saying what those procedures should contain. There are, however, federal agencies that do publish detailed password guidance. One is NIST (the National Institute of Standards and Technology), which releases security guidance on an ongoing basis reflecting industry best practice for organizations of all kinds. Its current password guidance is NIST Special Publication 800-63B (Digital Identity Guidelines: Authentication and Lifecycle Management), which is revised periodically; following it is a defensible way to show the “reasonable and appropriate” safeguards the Security Rule expects.
Below, we discuss a few of the measures you can put in place to keep passwords consistent with NIST guidance and, through it, with HIPAA requirements.
- Require a minimum of 8 characters and accept long ones: NIST says user-chosen passwords must be at least 8 characters long, and that systems should accept passwords of at least 64 characters so that users can choose long passphrases. The 64-character figure is a floor on what the system must accept, not a special length reserved for sensitive data.
- Avoid password hints: a hint such as “my last name” or “my anniversary” hands an attacker who has never logged in most of what they need to guess the password. NIST says systems must not let users store a hint that is shown to someone who has not yet authenticated, so the safest course is not to offer the feature at all.
- Favor memorable passwords over forced complexity: NIST no longer recommends composition rules (required mixes of uppercase letters, digits and symbols). Such rules push people toward predictable substitutions and toward writing passwords down, and so produce weaker passwords in practice. NIST likewise advises against forcing periodic password changes unless there is evidence of compromise. The goal is a long, memorable passphrase that is unique to the account and never ends up on a post-it note on the monitor.
- Vet passwords against a list of common or compromised values: NIST says that when a user sets or changes a password, the system should compare it against a list of values known to be commonly used, expected or compromised, such as “password,” “123456789,” and “ChangeMe,” along with dictionary words, repetitive or sequential strings like “aaaaaa” or “1234abcd,” and context-specific words such as the organization’s name or the user’s own login, and reject any match. This check belongs in the system that accepts the password; an IT or security firm can help you deploy and maintain the list, but it is not a one-off audit.
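Here is what those four measures look like when implemented in a verifier. This is an added example, not code from the original article, from NIST or from Compliancy Group. The blocklist is a constructed handful of entries standing in for a real breached-password list, the threshold of four repeated or consecutive characters is this example’s own choice (SP 800-63B names the patterns but gives no number), and the PBKDF2 iteration count follows OWASP’s current recommendation rather than anything HIPAA states.

```python
"""Memorized-secret checks and storage modelled on NIST SP 800-63B 5.1.1.2.

Added example. MIN_LENGTH and the "at least 64" rule come from 800-63B;
the other thresholds are this example's own choices.
"""
import hashlib
import hmac
import os
import re
import unicodedata

MIN_LENGTH = 8      # 800-63B: user-chosen secrets SHALL be at least 8 characters
MAX_LENGTH = 128    # 800-63B: verifiers SHOULD permit at least 64; we allow 128

# Constructed sample blocklist. A real verifier loads a large list of
# commonly used and breached passwords (hundreds of thousands of entries).
COMMON_PASSWORDS = {
    "password", "123456789", "changeme", "letmein", "qwerty",
    "welcome1", "password1", "iloveyou", "admin123",
}

# PBKDF2-HMAC-SHA256 work factor. 800-63B (2017) set a floor of 10,000
# iterations; OWASP's Password Storage Cheat Sheet now recommends 600,000.
PBKDF2_ITERATIONS = 600_000


def normalize(secret: str) -> str:
    """Apply NFKC so visually identical inputs compare equal (800-63B 5.1.1.2)."""
    return unicodedata.normalize("NFKC", secret)


def _has_repeated_run(s: str, run: int = 4) -> bool:
    """True for 'aaaa'-style runs of one repeated character."""
    return re.search(r"(.)\1{%d,}" % (run - 1), s) is not None


def _has_sequential_run(s: str, run: int = 4) -> bool:
    """True for '1234' / 'abcd' / 'dcba' runs of consecutive code points."""
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_secret(secret: str, context_words=(), blocklist=COMMON_PASSWORDS) -> list:
    """Return the reasons a candidate is rejected; an empty list means accepted.

    Deliberately no composition rule (uppercase/digit/symbol mixes): 800-63B
    says verifiers SHOULD NOT impose them. Length is counted in Unicode code
    points after normalization, so spaces and non-ASCII characters count.
    """
    s = normalize(secret)
    lowered = s.lower()
    reasons = []
    if len(s) < MIN_LENGTH:
        reasons.append("too_short")
    if len(s) > MAX_LENGTH:
        reasons.append("too_long")
    if lowered in blocklist:
        reasons.append("blocklisted")
    # Context-specific words: the practice's name, the user's name or login, etc.
    for word in context_words:
        w = word.lower()
        if len(w) >= 3 and w in lowered:
            reasons.append(f"context_word:{w}")
    if _has_repeated_run(lowered):
        reasons.append("repeated_chars")
    if _has_sequential_run(lowered):
        reasons.append("sequential_chars")
    return reasons


def hash_secret(secret: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Store only a salted, stretched hash. There is no 'hint' field on purpose:
    800-63B forbids hints that an unauthenticated claimant can retrieve."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(secret).encode("utf-8"),
                                 salt, iterations)
    return {"kdf": "pbkdf2-sha256", "iterations": iterations,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_secret(secret: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", normalize(secret).encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Constructed candidates; "mercy" and "jdoe" play the practice name and login.
    for candidate in ["Short1!", "password", "aaaa1234",
                      "MercyHospital2024", "correct horse battery staple"]:
        verdict = check_secret(candidate, ("mercy", "jdoe")) or "accepted"
        print(f"{candidate!r:34} -> {verdict}")
```

Note what the code does not do: it never demands a digit or a symbol, never stores a hint, and never records a date for forced rotation. A lowercase passphrase with spaces passes, while a short, “complex” string like “Short1!” is rejected on length alone.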
Once you’ve addressed your HIPAA password requirements, be sure to get the rest of your HIPAA compliance program in order. HIPAA Privacy and Security standards are essential to protecting your practice against data breaches and federal fines. Compliancy Group helps ensure that you’re protected using our compliance software.