HIPAA risk assessments, though often tedious, are a critical part of ensuring HIPAA compliance. The Security Rule, created in 2003 to ensure that electronic health data is only accessed by authorized personnel, was the first part of HIPAA that required such risk assessments.
Password Requirements
The Security Awareness and Training section of the Security Rule stipulates that CEs must have “procedures for creating, changing and safeguarding passwords”. However, this can be confusing, as even experts disagree the best password policies. It is accepted that secure passwords should have a mixture of upper- and lower-case characters, special characters and numbers. The disagreement instead lies in how frequently passwords should be changed, if at all.
Some claim that the best way to ensure HIPAA compliance is by changing a password at least every ninety days. Others argue that this is a waste, as if a breach were to occur a hacker could easily crack a password in a matter of minutes. Additionally, regularly changing passwords means they will likely be forgotten. Not only does this waste time, but it increases the likelihood that the password will be written down.
Experts do agree that password management tools are the best way to safeguard passwords whilst also being HIPAA-compliant. The passwords are saved in an encrypted format, so that even if the software is hacked, the passwords will not be able to be read by the hackers.
“Addressable Safeguards” and Alternatives
Confusingly, HIPAA regards passwords as “addressable” safeguards. This does not mean that they can be ignored or overlooked; it simply means that should the CE believe that an alternative method of protecting their data be more appropriate, they are free to use that method instead. Specifically, CEs can “implement one or more alternative security measures to accomplish the same purpose.”
The only requirement with regards to passwords is that CEs “limit unnecessary or inappropriate access to and disclosure of Protected Health Information”. If CEs can prove that an alternative measure to passwords provides equal – or better – protection, they can implement these measures. The decision to do so, as well as the measure itself, must be carefully documented and the document retained for a minimum of six years.
Two-factor authentication is quickly rising in popularity as a means to supplement passwords. When a person inputs their username and password, they will be sent a specifically-generated PIN number. This number is required to allow full access to accounts protected by passwords and 2FA. A new PIN is created for each log-on attempt, so even if a password is cracked by a cybercriminal they should not be able to access the database.
Due to this extra level of security, many healthcare providers have already implemented two-factor authentication. However, it is not often used in the context of protecting PHI. Instead, it is used to comply with the Payment Card Industry Data Security Standard (PCI DSS) or the DEA´s Electronic Prescription for Controlled Substances Rules. Thus, its main use is in protecting credit card details.
It may appear that having to wait for a PIN number to be generated and sent to the recipient will slow workflows, but new technologies limit this disadvantage. Single Sign-Ons have been created for various healthcare technologies. Additionally, the PIN system means that passwords have to be changed less frequently – if at all.