NIST Provides Guidance on HIPAA Passwords


HIPAA regulations require that healthcare entities have well-formed, documented procedures, measures and guidelines for creating, changing and safeguarding passwords.

The HHS Office for Civil Rights (OCR) looks to the National Institute of Standards and Technology (NIST) for guidance. NIST suggests that passwords should be difficult for anyone to decode. It suggests that a password should be eight characters, use a mix of upper- and lower-case characters, contain numbers, and include symbols, says Jeannie O’Donnell, CIA, CISA, CPC, CHC, senior consultant for advisory services with Change Healthcare in Nashville, TN.

Also suggested is a limit on reusing a password for a set number of times. Another important recommendation is that a temporary password should be changed at first use.

“Examples are when a password is lost or forgotten, when a phishing attack has occurred, or when a password database has been compromised,” O’Donnell says. “Requiring the frequent change of passwords can lead to the user creating a pattern that can be guessed.”

Password creation and storage play an important role in the NIST guidance. Only authenticated sources or authorized individuals should have access to resources that handle sensitive information.

NIST states “authentication provides reasonable risk-based assurances that the subject accessing the service today is the same as the one who accessed the service previously.” The guidelines are not specific to the healthcare industry, but healthcare organizations can adopt them to tighten their password security.

Passphrases are a new addition to the password security guidelines. A passphrase is a sentence or phrase written without spaces, usually 20 words long. The words that make up the passphrase should be nonsensical together, so that the combination is uncommon and hard to guess.

“Another recommendation is to block dictionary words because a common problem with complex passwords is the ease of guessing them. Hackers have tested for commonly used passwords such as Winter2017, often used as a temporary password, and Steelers2017, at the beginning of football season,” she says.
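As an added illustration (not code from the article or from Change Healthcare), the checker below applies the rules the article describes: the eight-character, mixed-class composition rule, a blocklist that catches padded dictionary words such as Winter2017 and Steelers2017, and an exemption from the composition rule for long passphrases. The blocklist contents and the 20-character passphrase threshold are constructed assumptions.

```python
import re

# Constructed blocklist for illustration only; a real deployment would load a
# large breached/common-password list and a dictionary (assumption, not from the article).
BLOCKED_WORDS = {
    "password", "letmein", "welcome", "qwerty",       # common passwords
    "spring", "summer", "fall", "autumn", "winter",   # seasons (Winter2017)
    "steelers", "patriots", "cowboys",                # team names (Steelers2017)
}
MIN_LENGTH = 8           # the article's minimum length
PASSPHRASE_LENGTH = 20   # assumed threshold for treating a secret as a passphrase

# Character classes the article's composition rule asks for.
CLASS_RULES = [
    ("no_lower", r"[a-z]"),
    ("no_upper", r"[A-Z]"),
    ("no_digit", r"[0-9]"),
    ("no_symbol", r"[^A-Za-z0-9]"),
]

def base_word(pw: str) -> str:
    """Letters only, lower-cased: 'Winter2017!' -> 'winter', 'Steelers2017' -> 'steelers'.
    Stripping digits and symbols exposes the dictionary word the user padded."""
    return re.sub(r"[^a-z]", "", pw.lower())

def check_password(pw: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(pw) < PASSPHRASE_LENGTH:
        # Short secret: apply the eight-character, four-class composition rule.
        if len(pw) < MIN_LENGTH:
            problems.append("too_short")
        for code, pattern in CLASS_RULES:
            if not re.search(pattern, pw):
                problems.append(code)
    # The blocklist applies to everything, passphrases included.
    if base_word(pw) in BLOCKED_WORDS:
        problems.append("blocked_word")
    return problems

if __name__ == "__main__":
    for candidate in ("Winter2017", "Steelers2017!", "Tr0ub4dor&3",
                      "thepurplecactusarguedwithmondayrain"):
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```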

“I recommend a single sign-on application to allow for enforcement of the desired password complexity and parameters. The single sign-on can also include multifactor authentication, a method of access control in which a user is only granted access after successfully presenting several separate pieces of evidence to an authentication mechanism,” O’Donnell says.
