The Health Insurance Portability and Accountability Act (HIPAA) is U.S. legislation created to set national privacy and security standards to protect the privacy of patient health information and prevent data breaches. All organizations associated with healthcare, including health insurance companies and business associates, fall under HIPAA regulations – meaning they have to comply with HIPAA compliance requirements.
Under HIPAA’s section covering Security Awareness and Training, HIPAA states that organizations are required to have “procedures for creating, changing and safeguarding passwords.” A password manager helps ensure your organization is HIPAA compliant by generating strong passwords and securely storing them in an encrypted vault.
Continue reading to learn more about HIPAA password requirements and how a password manager can help meet them.
HIPAA password requirements
While HIPAA doesn’t require a password manager, it does mandate that password management be a part of your HIPAA compliance plan. Here are the credential security practices that align with the National Institute of Standards and Technology’s (NIST) guidance on HIPAA password requirements.
- Password complexity: HIPAA does not set specific password complexity requirements; however, NIST recommends that employees understand how to create strong, unique passwords and how to keep them secure.
- Password rotation: HIPAA doesn’t currently require periodic password changes, and NIST discourages forcing employees to change passwords on a schedule. However, NIST does recommend that a password be changed immediately if it has been compromised.
- Multi-Factor Authentication (MFA): NIST recommends that MFA be enabled whenever it’s available.
- Password sharing: HIPAA doesn’t address password sharing specifically; however, NIST strongly recommends prohibiting users from sharing passwords to systems and data that contain electronic protected health information (ePHI).
- Monitoring and logging: IT admins should monitor user login activity to ensure users aren’t attempting to access records or systems irrelevant to their job duties.
- Offboarding: Organizations should have offboarding procedures in place to immediately disable user passwords and access to PHI when they leave the company or change positions. NIST recommends having different procedures in place for employees who leave voluntarily versus those who are terminated involuntarily.
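The monitoring and offboarding items above can be checked mechanically against an authentication log. The following is an added example, not code from the original article or from Keeper: it reviews a constructed sample log against a hypothetical role-to-system entitlement map and a hypothetical user directory, flagging successful logins to systems outside a user's role and logins that occur after a user's recorded offboarding time. The user names, roles, system names and log lines are all made up for illustration.

```python
"""Added example (not part of the original article): review a constructed
authentication log for access outside role entitlements and for logins
after offboarding. All names, roles, systems and log lines are invented."""
from dataclasses import dataclass
from datetime import datetime

# Hypothetical role-to-system entitlements (an assumption for this example,
# not a list prescribed by HIPAA or NIST).
ENTITLEMENTS = {
    "billing": {"claims-portal"},
    "nurse": {"ehr", "pharmacy"},
    "it-admin": {"ehr", "claims-portal", "pharmacy", "vpn"},
}

# Hypothetical user directory. `offboarded` is the UTC time at which the
# user's access should have been disabled (None = still active).
USERS = {
    "alice": {"role": "nurse", "offboarded": None},
    "bob": {"role": "billing", "offboarded": None},
    "carol": {"role": "nurse", "offboarded": "2024-03-01T17:00:00Z"},
}

# Constructed sample log lines, one event per line:
# "<ISO-8601 UTC timestamp> <user> <system> <event>"
SAMPLE_LOG = """\
2024-03-02T08:01:12Z alice ehr login_success
2024-03-02T08:03:40Z bob claims-portal login_success
2024-03-02T08:05:02Z bob ehr login_success
2024-03-02T09:12:55Z carol ehr login_success
2024-03-02T09:30:00Z dave vpn login_failure
2024-03-02T09:31:00Z alice pharmacy login_failure
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    system: str
    reason: str


def _parse_ts(value):
    # Accept the trailing "Z" on older Python versions by rewriting it.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_line(line):
    """Split one log line into (timestamp, user, system, event)."""
    ts, user, system, event = line.split()
    return ts, user, system, event


def review_log(log_text, users=USERS, entitlements=ENTITLEMENTS):
    """Return a list of Findings for successful logins that are either
    outside the user's role entitlements or after the user was offboarded."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, system, event = parse_line(raw)
        if event != "login_success":
            continue  # only successful access is reviewed in this example
        record = users.get(user)
        if record is None:
            findings.append(Finding(ts, user, system, "unknown user"))
            continue
        offboarded = record["offboarded"]
        if offboarded is not None and _parse_ts(ts) >= _parse_ts(offboarded):
            findings.append(Finding(ts, user, system, "login after offboarding"))
            continue
        allowed = entitlements.get(record["role"], set())
        if system not in allowed:
            findings.append(
                Finding(ts, user, system, f"outside role '{record['role']}'")
            )
    return findings


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user} -> {f.system}: {f.reason}")
```

On the sample log this flags bob's login to the EHR system (not in the billing role's entitlements) and carol's login the day after her offboarding time; the failed logins are ignored because the example reviews only successful access. In practice the entitlement map and directory would come from the password manager's or identity provider's role configuration rather than being hard-coded.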
The advantages of using a password manager for HIPAA compliance
Here are some of the advantages of using a password manager for HIPAA compliance.
Create strong passwords
One struggle that many people face is creating strong passwords for different accounts. This struggle often leads to people using weak passwords that are easy for cybercriminals to guess. Alternatively, people resort to reusing passwords for multiple accounts, placing several accounts at risk of compromise if only one is breached. Since password managers aid with strong password creation, users will no longer need to worry about having to create strong passwords on their own. Additionally, organizations can ensure that each of their employees is using strong passwords to protect organizational accounts and sensitive data.
Multi-factor authentication
It can be difficult to ensure users are enabling MFA for every account that has it available, and while it’s required to ensure HIPAA compliance, many users still fail to enable it. With a password manager, IT admins can enforce the use of MFA for every account. Some password managers like Keeper® can also store MFA codes in their secure digital vault, simplifying the process of logging in to sites and systems that have MFA enabled.
Role-Based Access Controls (RBAC)
Some of the best password managers allow IT admins to set up and enforce role-based access controls. With RBAC, IT admins can easily adjust access levels and disable accounts if users leave the organization or switch job duties. RBAC not only enhances security and meets HIPAA compliance requirements, but it also helps reduce costs and administrative overhead.
Secure storage
The best password managers can store more than just passwords, including passkeys, files and documents. Everything stored in a zero-knowledge password manager is encrypted at rest and in transit to ensure that only authorized users can access it. This safeguards that data from getting into the hands of cybercriminals and meets HIPAA’s compliance requirement of only granting access to people who have the appropriate access rights.
What to look for in a HIPAA-compliant password manager
Not all password managers are created equal. Here’s what your organization should look for in a HIPAA-compliant password manager.
Strong encryption
A password manager is only as strong as the encryption it offers. The password manager you choose to protect your organization should be both zero trust and zero knowledge, ensuring that only authorized individuals have the means to access the password manager vault and that encryption and decryption always occur locally on the user’s device. The password manager should also safeguard data with AES 256-bit encryption and Elliptic Curve Cryptography (ECC), which is considered to be the most robust encryption in the cybersecurity industry.
2FA support
The password manager you choose should also support Two-Factor Authentication (2FA). Enabling 2FA on your password manager account ensures that it’s protected with an additional layer of security to prevent unauthorized access. The password manager should offer the following 2FA options:
- SSO authentication
- FIDO2 WebAuthn hardware security keys
- Passkeys
- Biometric authentication (e.g. Face ID, Touch ID, Windows Hello)
Email auto-provisioning
With email auto-provisioning, password vaults can be provisioned to thousands of users with a domain match on email addresses. This makes it easy for large-scale organizations to deploy the password manager to their employees.
Choose Keeper as your HIPAA-compliant password manager
A password manager like Keeper can assist your organization with adhering to HIPAA password requirements by generating strong passwords, enforcing and enabling MFA, implementing role-based access controls and providing secure storage. Since Keeper never has access to user data, a Business Associate Agreement (BAA) is not required for HIPAA compliance.
Ready to protect your healthcare organization from password-related data breaches and ensure HIPAA compliance? Start a free 14-day business trial of Keeper today.