
What is HIPAA Password Compliance and How Healthcare Organizations Can Comply with these Authentication Guidelines.

HIPAA (Health Insurance Portability and Accountability Act) was introduced in 1996 but has become increasingly prominent in recent years due to the rise of data breaches in the industry.

Data breaches have been on the rise across all industries in the past five years, but they are particularly concerning in the healthcare industry where the data is extremely sensitive, the systems protect life, and where the cost of a data breach is astronomically high.

The healthcare industry has an average of 13 exposed databases per company and more exposed remote login services. Healthcare is the most costly industry to have a data breach, with the average cost being nearly $6.5 million, around 60% more than other industries.

Data breaches within the healthcare industry are a major concern for healthcare organizations around the US; however, many organizations are still falling short of the cybersecurity best practices that could protect them from these breaches.

What are HIPAA Password Requirements & How To Comply

Failure to comply with HIPAA leaves a healthcare organization at risk of a data breach, but it also comes with some hefty fines. To avoid these fines or significant security risks, organizations are encouraged to pay close attention to HIPAA privacy and security standards when making their password policies.

There are three main categories of standards under the HIPAA Security Rule: administrative, technical, and physical.


Administrative safeguards under HIPAA are described as policies and procedures designed to: “manage the selection, development, implementation, and maintenance of security measures to protect electronically protected health information (ePHI) and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.” That description is a little wordy but put simply, these standards should guide staff on how to maintain appropriate security of ePHI.

The administrative safeguards are further broken down into categories including Security Incident Procedures, Contingency Plan, Security Management Process, Assign Security Responsibility, and others.

Examples of how to be compliant with the administrative guidelines would be to have regular employee training and password management policy.


The physical safeguards are described as the “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” Put simply, the organization needs to consider the security of all physical access to ePHI. This means computer systems, networks, portable devices, and data centers.

Examples of how to be compliant with the physical safeguards would be to have facility security plans, access control and validation procedures, and contingency operations.


The technical safeguards are described as “the technology and the policy and procedures for its use that protect electronically protected health information and control access to it.” This safeguard is essentially about picking reasonable and appropriate security policies and procedures. The goal is to implement policies and procedures that keep organizations secure, but also cost-effective and reasonable for the organization. For example, a small healthcare provider may not need the same security tools as a much larger organization.

Examples of how to be compliant with the technical safeguards would be to have encryption for data transmission, firewalls, and authentication procedures.

HIPAA Password Compliance Defers to Cyber Frameworks

Passwords fall under the Administrative part of the framework, but HIPAA’s recommendations for passwords are somewhat vague. This means that some organizations may mistakenly think they are HIPAA password compliant, when in fact they are not.

It can also make it difficult for organizations to form policies based on the HIPAA framework. This is why many healthcare organizations have taken to following other popular cybersecurity frameworks that are considered to meet HIPAA password compliance, such as NIST and HITRUST.

The NIST Framework Is The Most Popular

According to a 2018 cybersecurity study, the NIST framework is the most popular in the healthcare industry, with 57.9% of organizations using it. HITRUST was the second most commonly used framework at 26.4%, and Critical Security Controls was slightly behind HITRUST at 24.7%. Concerningly, 16.9% of healthcare organizations said: “No security framework has been implemented at my organization.”

Since most healthcare organizations are following the NIST framework, we’re going to focus on how to be NIST compliant in this section. This section isn’t exhaustive, but rather a high-level overview of how the framework can function for healthcare organizations.


According to data from ClearWater CyberIntelligence Institute, the most common cyber risks facing health systems are user authentication deficiencies, endpoint leakage, and excessive user permissions.

Authentication deficiencies topped the list as the most critical concern, with issues around generic password use, the writing down of passwords around the workspace, and unencrypted emailing of credentials being serious issues.

Let’s take a look at what some of the NIST password guidelines recommend for authentication since HIPAA password compliance is rather vague.

  • Factors for NIST password standards: NIST 800-63b outlines that 3 factors should be utilized for user authentication. These factors are:
    • Something you know (a password)
    • Something you have (an ID, token, or key)
    • Something you are (your fingerprint, face, voice, iris)
  • MFA Limitations: No SMS 2FA: While MFA, including two-factor authentication (2FA), is recommended, NIST no longer recommends the use of SMS for 2FA. This is due to inherent vulnerabilities with SMS that make it inappropriate for increasing security. Many healthcare organizations have historically been resistant to MFA due to concerns that it will cause more friction for users. There’s a real need for clinicians to be able to smoothly and frictionlessly access patient records promptly, and many people worry that MFA hinders this.
  • Axe the password hints: Password hints are helpful for users, but they’re also helpful for hackers so their use is no longer recommended.


Poor password hygiene has been identified as a significant factor in the rise of cyber attacks targeting hospitals. Let’s take a look at what NIST recommends for passwords.

  • No password expirations (without reason). NIST has scrapped the recommendation for forced password resets. It’s now believed that forced password resets do not improve security because:
    • Forced password resets encourage users to make only slight variations to their previous passwords. Because the new passwords are so similar to the old ones, the policy is rendered essentially useless and password security stays weak.
    • Users who do create unique and complex passwords at each reset are more likely to write their password down and risk it being exposed.
    • If a password is stolen, the hacker would have a window of time before the password resets to use it and gain unauthorized access to an account. This restriction made sense in the past, but today we have more powerful and appropriate methods of ensuring stolen passwords cannot be used, such as exposed password screening.
  • Passwords should be a minimum of 8 characters and a maximum of 64 characters. Many healthcare organizations are choosing to make it a minimum of 12 characters and encourage the use of 4-word passphrases because the longer a password is, the harder it is to crack.
  • There is no longer a requirement for special characters in passwords. It was felt that some complexity requirements encourage users to write their passwords down, which is much less secure than simply not using a special character.
  • Scan for common passwords or expected passwords. Hackers will often use pre-populated lists consisting of dictionary words and commonly used passwords such as Password123, Chocolate1, etc., to conduct attacks.
  • Screen for compromised or exposed passwords. We can screen for passwords that have been compromised and are now known by hackers, for example because they were exposed in a previous data breach. Many hospitals will opt for compromised credential scanning in Active Directory over MFA because it guarantees a high level of security and significantly reduces friction, which is of critical importance in life or death scenarios.
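The NIST points in the list above (8 to 64 characters, no special-character or expiry rule, a blocklist of common or expected passwords, and a screen against passwords exposed in earlier breaches) map onto a small policy check. The following is an added example written for this article, not code from the article's author or from any vendor product; the common-password list, the "breached" hash set and the context words are constructed sample data standing in for the large corpora a real deployment would load, and the `evaluate_password` function and its parameters are assumed names.

```python
"""Password-policy check modelled on the NIST SP 800-63B points above.

Added example. The blocklists below are constructed sample data, not real
breach corpora; a production check would load a large common-password list
and query a breach database instead of embedding hashes in code.
"""
import hashlib
import unicodedata

MIN_LENGTH = 8    # NIST minimum; many hospitals raise this to 12
MAX_LENGTH = 64   # NIST upper bound, so long passphrases are allowed

# Constructed sample of dictionary words / commonly used passwords.
COMMON_PASSWORDS = {
    "password123", "chocolate1", "password", "123456", "qwerty", "letmein",
}


def _sha1_hex(text: str) -> str:
    """SHA-1 hex digest used only as a lookup key into the breach set."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Constructed sample "breach corpus": hashes of passwords seen in earlier
# breaches. Storing hashes (not plaintext) is how such corpora are usually kept.
BREACHED_HASHES = {_sha1_hex(p) for p in ("Summer2019!", "Welcome1", "hospital2020")}


def normalize(password: str) -> str:
    """Unicode NFKC normalisation, so length and comparison are stable."""
    return unicodedata.normalize("NFKC", password)


def evaluate_password(password: str, min_length: int = MIN_LENGTH,
                      user_context=()) -> list:
    """Return the reasons a password is rejected; an empty list means accepted.

    Deliberately absent: composition rules (no special-character requirement)
    and any expiry logic, both of which the NIST guidance above drops.
    `user_context` holds words that should not appear in the password, such as
    the username or organisation name (assumed parameter name).
    """
    pw = normalize(password)
    reasons = []

    length = len(pw)  # characters, not bytes; spaces are permitted
    if length < min_length:
        reasons.append(f"too short ({length} < {min_length})")
    if length > MAX_LENGTH:
        reasons.append(f"too long ({length} > {MAX_LENGTH})")

    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        reasons.append("appears on the common-password list")

    for word in user_context:
        if word and word.lower() in lowered:
            reasons.append(f"contains context-specific word {word!r}")

    # Exact (case-sensitive) match against the breach corpus.
    if _sha1_hex(pw) in BREACHED_HASHES:
        reasons.append("matches a password exposed in a previous breach")

    return reasons


if __name__ == "__main__":
    # Constructed candidates: a passphrase, a listed password, a breached one.
    for candidate in ("correct horse battery staple", "Password123", "Welcome1"):
        verdict = evaluate_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Note that a compromised-password screen like the one above is only as good as the corpus behind it, and that comparing against an exact hash is the simplest form; the check should run both at password creation and periodically against existing accounts, since a password that was clean when set can appear in a later breach.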

While HIPAA is vague when it comes to password security, NIST and HITRUST can provide good foundations for password security and authentication.

To learn more about how hospitals and healthcare providers can automate password security policies in Active Directory, please visit here.