HIPAA and Passwords
- Title II. Title II requires national standards for electronic healthcare transactions.
- The Security Rule. The Final Rule on Security Standards was issued in Feburary 2003. It lays out three types of security safeguards required for compliance: administrative, physical, and technical
- Technical Safegards. Technical Safegards describe the access control to computer systems and protection of patient health information from interception over electronic networks. Authentication consists of corroborating that an entity is who it claims to be. Examples of corroboration include: password systems, two or three-way handshakes, telephone callback, and token systems.
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996. It consists of Title I and Title II. Title I describes health care access, portabilty and renewability. Title II describes the measures for administration to protect from fraud and abuse.
While the Technical Safegards section does not specify exact password criteria, it does suggest the use of strong authentication. Of course, biometrics are the only true way of ensuring a person's true identity. For most however, biometrics is not affordable or does not integrate well with existing systems. Increasing password strength by enforcing longer passwords, more complex passwords or rejecting common passwords goes a long way to ensure the uniqueness of an end-user.
Many hospitals and healthcare providers have adopted nFront Password Filter to help them ensure better data security by disallowing weak, easily hacked passwords. Some use dictionaries of common passwords that have been extended to over 2 million words common to the healthcare industry. Such measures ensure a much lower chance of an external password compromise. If passphrases (essentially a long sentences) are encouraged then there will be less of a chance of an end-user writing down a password so chances of internal hacking should not go up as a result of enforcing better passwords.