Does HIPAA / HITECH Require Strong Passwords? No, But It’s Expected.

If you’re working for (or with) a HIPAA covered entity, you probably know by now that the HITECH Act, which amended parts of HIPAA, added a breach notification rule for unsecured protected health information.  You may also know that encrypting that data (with software such as AlertBoot) provides a safe harbor from said rule, provided the encryption is consistent with the HHS guidance: encrypted data that is lost or stolen is not “unsecured” and so is not a reportable breach.  Even so, encryption is not explicitly required by HIPAA, by HITECH, or by the HHS, which is charged with enforcing the rules.  Under the Security Rule, encryption is an “addressable” implementation specification, not a “required” one: a covered entity must implement it if reasonable and appropriate, or document why it did not and what it did instead.

In fact, anyone who tells you that HIPAA or HITECH requires encryption is speaking from a practical standpoint, not from a legal one.

What About Strong Passwords?

This “incentive” to use encryption (and not just any encryption, but encryption strong enough to meet the HHS guidance) raises a related question: are you required to use strong passwords?  Just like with encryption, the answer is no; there is no such requirement.  Or at least, I can’t find one anywhere.  The Security Rule does list “password management” as an addressable specification (procedures for creating, changing and safeguarding passwords), but it says nothing about length or composition, and it stands to reason that if encryption itself isn’t mandated, a particular password strength isn’t either.

The use of strong passwords, though, is expected and recommended: if you’re going to protect the data, you should do it right.  HIPAA guidance documents keep referring to strong encryption as a “best practice,” and in one HHS document I found, it’s noted that “the use of a strong password to protect access to the device or file would be an appropriate and expected risk management strategy.”

What is a Strong Password?

You can find many claims on-line that a strong password has the following components:

  • It is at least 8 characters long.

  • It mixes upper- and lower-case letters.

  • It includes at least one digit or special character (&, ?, @, etc.).

It’s also commonly recommended that the password not contain a dictionary word, which I personally disagree with: the point is not to avoid dictionary words altogether, but to avoid passwords that consist only of a dictionary word.  For example, “19snwNNapple*93” is no less secure than “!2n1kSSaow#” just because the word “apple” happens to appear in it.  Contrast that with “apple” or even “apple93”, which cannot be considered secure passwords: a dictionary word with a couple of digits tacked on is one of the first patterns a password-cracking tool tries.

I’d use the above three requirements to construct a password, with one change: I’d replace the 8-character minimum with a 12-character minimum.

Of course, it goes without saying that all of this assumes the password is feeding a cryptographic solution such as full-disk (laptop) encryption, where the password is what unlocks the encryption key and its strength bounds the work of an attacker who has the drive.  If you’re using software that merely “password-protects” access without encrypting the data, it won’t matter how long or strong the password happens to be: the data is still sitting on the disk in the clear and can be read by pulling the drive, booting another operating system, or opening the file with a different tool.
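The Python script below is an added example, not code from the original post or from AlertBoot. It enforces the three composition rules with the 12-character minimum recommended above, and it implements the “only a dictionary word” distinction from the discussion of “apple93” versus “19snwNNapple*93”: a password is flagged when stripping leading and trailing digits or symbols (and undoing common letter substitutions such as “p@ssw0rd”) leaves a dictionary entry. It also estimates how long an offline attacker needs to exhaust 8 versus 12 random characters, which is the reason the password only matters when it is the input to real encryption. The short word list and the 10^10 guesses-per-second rate are constructed assumptions for this example; note that “!2n1kSSaow#” is 11 characters and so fails the 12-character minimum.

```python
import math
import re
import string

# Constructed for this example: a tiny stand-in for a real wordlist. A real
# checker would load a full dictionary (e.g. /usr/share/dict/words) plus the
# usual leaked-password lists.
DICTIONARY = {"apple", "password", "welcome", "summer", "dragon", "monkey", "letmein"}

# Common letter-for-symbol substitutions ("p@ssw0rd"), undone before lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 12  # the post's recommendation, in place of the usual 8

# Leading and trailing runs of digits, symbols and underscores ("apple93", "!Apple1").
_PADDING = re.compile(r"^[\d\W_]+|[\d\W_]+$")


def is_only_dictionary_word(password: str) -> bool:
    """True when the password is essentially one dictionary word: the word
    itself, or the word padded with digits/symbols or written in "leet"
    (apple, apple93, Apple!1, P@ssw0rd)."""
    core = _PADDING.sub("", password).translate(LEET).lower()
    return core in DICTIONARY


def check_policy(password: str) -> list:
    """Return the rules the password fails; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if not (has_upper and has_lower):
        failures.append("needs both upper- and lower-case letters")
    if not any(c.isdigit() or c in string.punctuation for c in password):
        failures.append("needs at least one digit or special character")
    if is_only_dictionary_word(password):
        failures.append("is just a dictionary word with padding")
    return failures


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of this length, in bits."""
    return length * math.log2(alphabet_size)


def exhaust_days(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Days for an offline attacker to try every password of this length.
    The guess rate is an assumption for the example: against a disk
    encryption product it is set by the key-derivation function, not by
    the attacker's hardware alone."""
    return alphabet_size ** length / guesses_per_second / 86400


if __name__ == "__main__":
    for pw in ("apple", "apple93", "P@ssw0rd!", "!2n1kSSaow#", "19snwNNapple*93"):
        print(f"{pw!r:20} -> {check_policy(pw) or 'OK'}")
    # 94 printable ASCII characters; 1e10 guesses/s is an assumed fast-hash rate.
    for n in (8, 12):
        print(f"{n} random chars: {keyspace_bits(n, 94):.0f} bits, "
              f"{exhaust_days(n, 94, 1e10):,.0f} days to exhaust")
```

Going from 8 to 12 characters multiplies the keyspace by 94^4, roughly 78 million, so a search that takes days at 8 characters takes geological time at 12. That multiplier only helps when the attacker has to go through the encryption; against a plain “password gate” there is nothing to search because the data is readable without it.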
