Our recommended healthcare password policies that complement and support HITRUST.
Since its founding in 2007, HITRUST (Health Information Trust Alliance) champions programs that safeguard sensitive information and manage information risk for global organizations across all industries. HITRUST works with privacy, information security, and risk management leaders from the public and private sectors, to develop common risk and compliance management frameworks, assessment and assurance methodologies.
The HITRUST Common Security Framework (CSF) issues guidelines on security standards for the healthcare industry. This framework consolidates HIPAA, ISO, NIST, PCI-DSS, COBIT, GDPR, some state requirements, and many other regulations into a structure that aids organizations in compliance.
The HITRUST CSF standards are the basis for a sound password policy. While organizations can interpret HIPPA password policies in different ways, HITRUST’s specific recommendations are more specific so compliance is more straightforward. As a result, HITRUST CSF is a better option for healthcare organizations.
1) Schedule a regular password reset for privileged accounts.
Passwords for privileged accounts must reset every 60 days to ensure that if they are exposed, there is a limited attack window.
2) Force a password reset for user accounts.
HITRUST CSF outlines that passwords should expire every 90 days. There is much debate about this guideline right now because Microsoft and NIST now recommend against the forced periodic or quarterly password reset. Organizations can eliminate this practice by adopting compromised credential screening or, at a minimum, scanning passwords for exposure. But since it is mandatory in HITRUST, most hospitals and healthcare organizations are still supporting it.
3) Password files should be stored separately from application system data.
Keeping these systems separate reduces risk.
4) Implement encrypted and hashed password storage and transmission.
Plaintext storage or transmission is a severe vulnerability. Healthcare organizations need to keep their data secure with strong hashing algorithms and should not use third parties that store data in plaintext, or third parties crack passwords.
5) Make sure users select strong passwords that are not vulnerable to any dictionary attack.
Most people don’t know if they are using a compromised password, a common password, an expected password, or a password that is in cracking dictionaries. Some people call this password blacklisting.
6) Ensure passwords are significantly different from the last one and prohibit too many consecutive identical characters.
Healthcare organizations should necessitate a minimum of 4 characters that are changed from the old password to a new password, and they should prevent the use of too many consecutive identical characters.
7) Prevent the reuse of the user’s last four passwords.
Healthcare password policy should include retaining records of previous user passwords securely, such as BCrypt hashing.
The variation between HIPAA, ISO, NIST, PCI-DSS, COBIT, GDPR, and other regulations is very complicated. The HITRUST Common Security Framework helps simplify compliance around password policy. Some tools, like Enzoic for Active Directory, can help automate this password policy.
Enzoic for Active Directory can work with existing password policies but can strengthen your password policies because it screens for commonly used passwords, passwords in cracking dictionaries, and compromised passwords. It also offers continuous password monitoring to ensure that a safe password today is not used when it is exposed tomorrow. With the monitoring and remediation fully automated, it saves IT time while increasing password security.
Read more about HIPPA and HITRUST Password Requirements: