The HITRUST CSF is a prescriptive set of controls designed to meet the requirements of multiple regulations and standards, including HIPAA, NIST, PCI DSS, and the ISO/IEC 27000-series. Organizations in the healthcare industry, and other sectors that handle sensitive information, use the HITRUST CSF as a comprehensive and flexible framework to ensure data security and maintain compliance.
The HITRUST CSF includes password security controls that are more specific and comprehensive than many other compliance frameworks, including HIPAA. Let’s examine the HITRUST CSF controls, the logic behind them, and how Keeper’s password management platform can help you meet them.
Force periodic password resets
HITRUST CSF controls state that passwords for privileged user accounts should be reset every 60 days, and for all other accounts every 90 days. This limits the potential attack window in the event that a password is compromised. Using Keeper’s admin panel, IT administrators can easily force periodic password resets, as well as define and enforce other password security policies.
Store and transmit passwords in encrypted or hashed form
Hashing or encrypting passwords ensures that, even if a cybercriminal manages to compromise passwords in transit or at rest, they’ll access only unusable “junk” characters.
Keeper’s zero-knowledge encryption methods ensure that only the user can access and decrypt their stored files. Keeper uses PBKDF2 to derive authentication keys based on each user’s master password, then generates individual record-level AES-256 encryption keys locally, on the device level, to encrypt each stored password. Keeper’s cloud only holds the encrypted ciphertext of each password.
Do not store password files and application system data together
Isolating sensitive data and systems (also known as network segmentation) helps mitigate cyber risk: if your network is breached, segmentation makes it more difficult for attackers to move laterally within it. Network segmentation also simplifies compliance, because segmenting your network into zones that contain data with similar compliance requirements reduces compliance scope.
Every Keeper user gets a private digital vault to store and manage their passwords, files, and private client data. Passwords are stored in the encrypted digital vault, completely separate from the rest of your network.
Enforce the use of strong passwords; prohibit the use of too many identical consecutive characters
A strong password consisting of a random string of letters, numbers, and symbols is the best defense against both brute-force and targeted password-based attacks. Left to their own devices, most users won’t choose a truly random password. Keeper solves this problem by automatically generating strong, unique passwords for all websites and apps. Administrators can use the Keeper admin panel to ensure that employees are adhering to password strength rules.
When passwords are changed, ensure that the new password is significantly different from the last one
This control prevents targeted attacks where a cybercriminal attempts to compromise a system using a specific user’s former password, hoping they’ve used something similar. Keeper automatically generates strong, unique passwords each and every time, and gives IT administrators the ability to force end users to use Keeper’s automatic password generator, preventing end users from choosing a “new” password that amounts to a minor variation of their last one.
Maintain a record of users’ previous passwords and prevent password reuse
This is another control to prevent brute-force and targeted password attacks.
Keeper automatically backs up every record created by a user through the Keeper Cloud Security Vault architecture. All record changes are likewise backed up, and a record version is created upon each change event. Each record is identified by a record UID, and each record can have an unlimited number of version identifiers. In addition to ensuring that a password or record change is never accidentally lost, Version History also ensures that organizations have access to password record histories for forensics or compliance purposes.
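As an added illustration (not Keeper's code) of the controls in the last three sections: strength rules with a limit on identical consecutive characters, requiring the new password to differ significantly from the old one, and keeping a history to block reuse. The policy values (14-character minimum, run limit 3, minimum edit distance 5, history depth 12) are assumptions, and because the history keeps only salted PBKDF2 hashes, the similarity check has to run at change time, the one moment the old password is presented in clear.

```python
import hashlib, hmac, os, re

ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor, kept low for the demo
HISTORY_DEPTH = 12    # previous passwords remembered (assumed policy value)
MAX_RUN = 3           # longest run of identical consecutive characters allowed
MIN_DISTANCE = 5      # minimum edit distance from the old password (assumed value)

def hash_password(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)

def edit_distance(a: str, b: str) -> int:  # Levenshtein; a small value means a minor variation
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def strength_problem(pw: str):
    """First strength rule the candidate breaks, or None if it passes all of them."""
    if len(pw) < 14:
        return "too short"
    if not all(re.search(c, pw) for c in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")):
        return "missing character class"
    if re.search(r"(.)\1{%d,}" % MAX_RUN, pw):  # a run longer than MAX_RUN identical chars
        return "too many identical consecutive characters"
    return None

def remember(history: list, pw: str) -> list:
    salt = os.urandom(16)  # history holds (salt, hash) pairs, newest first, never plaintext
    history.insert(0, (salt, hash_password(pw, salt)))
    del history[HISTORY_DEPTH + 1:]  # keep current + HISTORY_DEPTH previous
    return history

def was_used(history: list, pw: str) -> bool:
    return any(hmac.compare_digest(hash_password(pw, s), h) for s, h in history)

def change_password(history: list, old_pw: str, new_pw: str):
    """Return None when the change is accepted, else the reason it was refused."""
    salt, current = history[0]
    if not hmac.compare_digest(hash_password(old_pw, salt), current):
        return "current password incorrect"
    if (problem := strength_problem(new_pw)):
        return problem
    if edit_distance(old_pw, new_pw) < MIN_DISTANCE:  # old_pw is only available at change time
        return "too similar to previous password"
    if was_used(history, new_pw):
        return "password reused"
    remember(history, new_pw)
    return None
```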
For more information on how Keeper complies with HITRUST CSF standards, please reach out to our team at firstname.lastname@example.org.