Guide to HIPAA compliant password requirements

Organizations in the healthcare sector often align their password policies with NIST guidelines to meet both HIPAA requirements and general best practices for information security. 

Why is password security so important?

Passwords serve as the first line of defense against cyber threats. Password security protects personal information, organizational assets, and critical infrastructure. When you adhere to the NIST SP 800-63-3 guidelines, you fortify your information security infrastructure. 

The importance of NIST password guidelines

The National Institute of Standards and Technology (NIST) password guidelines are highly regarded and widely adopted in cybersecurity due to their comprehensive and research-backed approach. The guidelines' importance lies in their ability to provide a modern and effective framework for enhancing the security of authentication mechanisms.

See also: 

• HIPAA Compliant Email: The Definitive Guide
• Top 10 HIPAA compliant email services
  
  

How to make passwords HIPAA compliant

You can put in place a few measures to keep passwords coherent with NIST and HIPAA requirements:

• Use a minimum of 8 characters: NIST states that passwords can be up to 64 characters long if they're protecting particularly sensitive data.
• Avoid password hints: Creating hints such as “my last name” or “my anniversary” can seriously compromise the integrity of your passwords and should be avoided.
• Create memorable passwords: NIST no longer suggests unnecessarily complicated or obtuse passwords, as these can lead to weaker passwords in the long run. Your password should be sufficiently unique and memorable to avoid the dreaded Post-it note on the computer monitor.
• Vet passwords against a list of common/weak options: NIST guidance suggests that passwords should be vetted against a list of common passwords (such as “password,” “123456789,” and so on). 

Go deeper: 5 Steps to improve password security in healthcare

FAQs

How can one tell if a password is weak or commonly used?

Covered entities and business associates can employ a password manager equipped with Health Check features that conduct comparable scans while notifying users about any vulnerable, reused, or compromised passwords.

How safe is a 12-character password?

A 12-character password is highly safe because it is nearly impossible to guess for a person and is considered the best safeguard against threat actors. Combining lowercase letters, uppercase letters, numbers, and symbols will make it much better for you.

Does NIST require password expiration?

No. NIST recommends resetting passwords only when necessary. While many organizations traditionally enforce a NIST password policy where passwords expire every 60 to 90 days, NIST diverges from this approach. NIST does not recommend password expiration as a general practice.