“Despite Data Thefts, the Password Endures” with Implications for HIPAA Compliance
By Ed Jones III, Author and President of HIPAA, LLC.
Twitter: @HIPAAsafeguards
The May 22, 2014, Wall Street Journal discusses the enduring computer “password” in the article referenced in the title, which is available online. The article states: “[d]espite data breaches and warnings from security experts, people cling to easy-to-remember passwords and often use the same ones for many accounts.”
With respect to HIPAA Security Rule compliance, Carolyn Hartley and I have addressed password management in two contexts in our book: HIPAA Plain & Simple: After the Final Rule. Foreword by Louis W. Sullivan, MD. Chicago, IL: American Medical Association, 2014. In the context of workforce member security awareness and training:
“Passwords should be changed periodically based on threat exposures (e.g., every 30, 60, or 90 days, with timing an output of the practice’s risk analysis). Implement and carry out sanctions for any workforce member who posts a password on a workstation terminal or desktop, or who shares a password with other workforce members.” [p.168]
In the context of access control:
“Change passwords according to a timetable based on your risk analysis and policies and procedures. We recommend that passwords contain at least seven alphanumeric characters to make them difficult to decode or guess and that they be changed every 30, 60, or 90 days, depending on outcomes from your practice’s risk analysis.” [p.187]
While those descriptions relate directly to medical practices, they are germane to covered entities and business associates generally and to personal and business practice as well.
The National Institute of Standards and Technology (NIST) address password management in considerable detail in its publications, and we offer brief recommendations from two of those publications here.
In its April 2009 Guide to Enterprise Password Management, NIST Special Publication (SP) 800-118 (Draft), NIST makes the following four recommendations in the Executive Summary:
- “Create a password policy that specifies all of the organization’s password management-related requirements;
- Protect passwords from attacks that capture passwords;
- Configure password mechanisms to reduce the likelihood of successful password guessing and cracking; and
- Determine requirements for password expiration based on balancing security needs and usability.” [pp.ES-1 – ES-2]
This publication is available online.
The second NIST publication is the August 2013 Electronic Authentication Guideline, NIST SP 800-63-2, in which NIST makes the following statement:
“It is much more difficult to estimate the entropy in passwords that users choose for themselves, because they are not chosen at random and they will not have a uniform random distribution. Passwords chosen by users probably roughly reflect the patterns and character frequency distributions of ordinary English text, and are chosen by users so that they can remember them. Experience teaches us that many users, left to choose their own passwords will choose passwords that are easily guessed and even fairly short dictionaries of a few thousand commonly chosen passwords, when they are compared to actual user chosen passwords, succeed in “cracking” a large share of those passwords. [p. 105]
This publication is available online.
As long as we have the human element selecting passwords for use in the digital environment, we must rely on risk analysis to determine threats to and vulnerabilities in their use, especially when dealing with sensitive information such as protected health information in electronic format.
About the author: Ed Jones is an author, and owner and CEO of Cornichon Healthcare Select, LLC, Seabrook Island, SC, which provides consulting services pertaining to HIPAA/HITECH Act privacy and security compliance, and design of mobile strategies for healthcare transactions. At Cornichon’s Website, at www.HIPAASafeguard.net, Ed offers online privacy and security safeguard guidance and reference tools and policies and procedures for achieving compliance with HIPAA Privacy, Security, and Breach Notification Final Rule and Stage 1 and 2 Meaningful Use Security Measure compliance. He also is President of HIPAA, LLC, which owns www.HIPAA.com and www.HIPAASchool.com that provide accredited privacy and security training for covered entities and business associates. Ed is the co-author with Carolyn Hartley of ten books for the American Medical Association (AMA) and the American Dental Association (ADA). This post has been syndicated with the author’s permission.