HIPAA TIP: Security Measures for PHI

In the Administrative Safeguards of the HIPAA Security Rule, under Security Awareness and Training Standards there are four implementation specifications, two of which are log-in monitoring and password management.

Log-in monitoring states the Covered Entity must:

“Implement procedures for monitoring log-in attempts and reporting discrepancies.”

Where a system or application does not enforce a limit on log-in attempts, hackers (or any user not associated with the system) can brute-force the login, retrying attempts against systems or applications containing ePHI over and over until one succeeds.

Password management should be used where this implementation is an appropriate safeguard for securing ePHI:

“Procedures for creating, changing, and safeguarding passwords.”

It is not enough to have all users sign into operating systems and applications containing ePHI with a unique user ID and password. Add the following to your log-in and password policies:

  • Complex password that is more than 8 characters long and uses special characters and numbers; preferably a passphrase.
  • Account lockout after 3-4 failed log-in attempts.
  • Force password change after 60-90 days. There is much controversy over whether periodic password changes are a good idea. We do know that the longer the password, the better: if you require a 15+ character password, frequent changes may be less necessary.
  • Restriction on re-using the last several passwords – after all, what’s the point of changing passwords if there is no restriction on password re-use?
  • Auto-locking of systems and applications containing ePHI after 10-15 minutes of inactivity.
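The log-in monitoring paragraph above and the policy list both describe controls that are simple to put in code, and seeing them together makes the "report discrepancies" requirement concrete. The example below is added here and is not code from Anatomy IT or from HHS; it models the page's thresholds (more than 8 characters with a digit and a special character, lockout after 4 failures, a 90-day maximum age, reuse of the last several passwords blocked, auto-lock after 15 minutes of inactivity) and marks as assumptions the values the page leaves open: the 15-minute window in which failures are counted, a history depth of 5, the log line format, and the constructed sample log.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds taken from the policy list on this page; values marked "assumed"
# are choices the page leaves open.
MIN_PASSWORD_LENGTH = 9                   # "more than 8 characters"
MAX_FAILED_ATTEMPTS = 4                   # lockout after 3-4 failed log-in attempts
FAILURE_WINDOW = timedelta(minutes=15)    # assumed: window in which failures are counted
PASSWORD_MAX_AGE = timedelta(days=90)     # force change after 60-90 days
PASSWORD_HISTORY = 5                      # assumed: size of "the last several passwords"
INACTIVITY_LIMIT = timedelta(minutes=15)  # auto-lock after 10-15 minutes


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so stored history entries cannot be read back as passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def check_new_password(password: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the policy violations for a proposed password (empty list means OK).
    history holds (salt, hash) pairs for the user's previous passwords, oldest first."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    for salt, digest in history[-PASSWORD_HISTORY:]:
        if hash_password(password, salt) == digest:
            problems.append(f"matches one of the last {PASSWORD_HISTORY} passwords")
            break
    return problems


def password_change_due(last_changed: datetime, now: datetime) -> bool:
    """True once the password is older than the maximum age."""
    return now - last_changed >= PASSWORD_MAX_AGE


def session_should_lock(last_activity: datetime, now: datetime) -> bool:
    """True once a session has been idle for the inactivity limit."""
    return now - last_activity >= INACTIVITY_LIMIT


# Assumed log format: "<ISO timestamp> user=<id> result=OK|FAIL src=<address>"
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL) src=(?P<src>\S+)$")


def monitor_logins(lines):
    """Replay authentication log lines in order, lock accounts that reach the
    failure threshold inside FAILURE_WINDOW, and return (reports, locked_users).
    Each report is a discrepancy a person should review, as the Security Rule asks."""
    failures = defaultdict(list)   # user -> timestamps of recent failures
    locked = set()
    reports = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            reports.append(f"unparseable log line: {line!r}")
            continue
        ts = datetime.fromisoformat(m["ts"])
        user, src = m["user"], m["src"]
        if user in locked:
            reports.append(f"{ts.isoformat()} {user}: attempt from {src} while locked")
            continue
        if m["result"] == "FAIL":
            recent = [t for t in failures[user] if ts - t <= FAILURE_WINDOW]
            recent.append(ts)
            failures[user] = recent
            if len(recent) >= MAX_FAILED_ATTEMPTS:
                locked.add(user)
                reports.append(f"{ts.isoformat()} {user}: locked after {len(recent)} failures, last from {src}")
        else:
            # A success right after failures is not an error, but it is worth a look.
            if failures[user]:
                reports.append(f"{ts.isoformat()} {user}: success from {src} after {len(failures[user])} recent failures")
            failures[user] = []
    return reports, locked


# Constructed sample log: one account hammered to lockout, one ordinary typo.
SAMPLE_LOG = [
    "2024-03-01T08:00:01 user=jdoe result=FAIL src=10.0.0.5",
    "2024-03-01T08:00:02 user=jdoe result=FAIL src=10.0.0.5",
    "2024-03-01T08:00:03 user=jdoe result=FAIL src=10.0.0.5",
    "2024-03-01T08:00:04 user=jdoe result=FAIL src=10.0.0.5",
    "2024-03-01T08:00:05 user=jdoe result=OK src=10.0.0.5",
    "2024-03-01T08:10:00 user=asmith result=FAIL src=10.0.0.7",
    "2024-03-01T08:10:30 user=asmith result=OK src=10.0.0.7",
]

if __name__ == "__main__":
    for report in monitor_logins(SAMPLE_LOG)[0]:
        print(report)
    print(check_new_password("short1!", []))
```

Note that the history check hashes the candidate with each stored salt, so the system never needs to keep old passwords in clear text, and that the monitor keeps reporting attempts against an already-locked account: a stream of those is exactly the discrepancy the standard wants surfaced to someone.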

All users must be educated in password management and security. You can put all the security measures in place, but if your users/workforce are careless with the security of their passwords, you are liable to have a security incident or, worse, a breach.

HIPAA compliance isn’t a one-time checklist. It’s ongoing, programmatic in nature, and requires demonstrated reasonable diligence to stay in good standing with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Anatomy IT can provide you peace of mind with our expert HIPAA compliance services. To learn more, contact us here.