What is HIPAA Password Compliance and How Healthcare Organizations Can Comply with these Authentication Guidelines.
HIPAA (Health Insurance Portability and Accountability Act) was introduced in 1996 but has become increasingly prominent in recent years due to the rise of data breaches in the industry.
Data breaches have been on the rise across all industries in the past five years, but they are particularly concerning in the healthcare industry where the data is extremely sensitive, the systems protect life, and where the cost of a data breach is astronomically high.
The healthcare industry has an average of 13 exposed databases per company and more exposed remote login services. Healthcare is the most costly industry to have a data breach, with the average cost being nearly $6.5 million, around 60% more than other industries.
Data breaches within the healthcare industry are a major concern for healthcare organizations around the US, however, many organizations are still falling short of the cybersecurity best practices that could protect them from these breaches.
Failure to comply with HIPAA leaves a healthcare organization at risk of a data breach, but it also comes with some hefty fines. To avoid these fines or significant security risks, organizations are encouraged to pay close attention to HIPAA privacy and security standards when making their password policies.
There are three main categories of HIPAA standards under the HIPAA Security Rule, these are administrative, technical, and physical.
Administrative safeguards under HIPAA are described as policies and procedures designed to: “manage the selection, development, implementation, and maintenance of security measures to protect electronically protected health information (ePHI) and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.” That description is a little wordy but put simply, these standards should guide staff on how to maintain appropriate security of ePHI.
The administrative safeguards are further broken down into categories including Security Incident Procedures, Contingency Plan, Security Management Process, Assign Security Responsibility, and others.
Examples of how to be compliant of the administrative guidelines would be to have regular employee training, and password management policy.
The physical safeguards are described as the “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” Put simply, the organization needs to consider the security of all physical access to ePHI. This means computer systems, networks, portable devices, and data centers.
Examples of how to be compliant with the physical safeguards would be to have facility security plans, access control and validation procedures, and contingency operations.
The technical safeguards are described as “the technology and the policy and procedures for its use that protect electronically protected health information and control access to it.” This safeguard is essentially about picking reasonable and appropriate security policies and procedures. The goal is to implement policies and procedures that keep organizations secure, but also cost-effective and reasonable for the organization. For example, a small healthcare provider may not need the same security tools as a much larger organization.
Examples of how to be compliant with the technical safeguards would be to have encryption for data transmission, firewalls, and authentication procedures.
Passwords fall under the Administrative part of the framework, but HIPAA’s recommendations for passwords are somewhat vague. This means that some organizations may mistakenly think they are HIPAA password compliant, when in fact they are not.
It can also make it difficult for organizations to form policies based on the HIPAA framework. This is why many healthcare organizations have taken to following other popular cybersecurity frameworks that are considered to meet HIPAA password compliance, such as NIST and HITRUST.
According to a 2018 cybersecurity study, the NIST framework is the most popular in the healthcare industry, with 57.9% of organizations using it. HITRUST was the second most commonly used framework at 26.4%, and Critical Security Controls was slightly behind HITRUST at 24.7%. Concerningly, 16.9% of healthcare organizations said: “No security framework has been implemented at my organization.”
Since most healthcare organizations are following the NIST framework, we’re going to focus on how to be NIST compliant in this section. This section isn’t exhaustive, but rather a high-level overview of how the framework can function for healthcare organizations.
According to data from ClearWater CyberIntelligence Institute, the most common cyber risks facing health systems are user authentication deficiencies, endpoint leakage, and excessive user permissions.
Authentication deficiencies topped the list as the most critical concern, with issues around generic password use, the writing down of passwords around the workspace, and unencrypted emailing of credentials being serious issues.
Let’s take a look at what some of the NIST password guidelines recommend for authentication since HIPAA password compliance is rather vague.
Poor password hygiene has been identified as a significant factor in the rise of cyber attacks targeting hospitals. Let’s take a look at what NIST recommends for passwords.
While HIPAA is vague when it comes to password security, NIST and HITRUST can provide good foundations for password security and authentication.
To learn more about how hospitals and healthcare providers can automate password security policies in Active Directory, please visit here.