HIPAA’s Security Rule stipulates that organizations must put safeguards in place to ensure that the integrity and security of protected healthcare information (PHI) are maintained. These safeguards fit into one of three categories: administrative, physical, or technical. Organizations must assess the scale of their operations, the types of patient information they hold, and the potential risks to that data when determining which safeguards to adopt.
One of the most fundamental safeguards that organizations of all sizes can adopt is the use of secure passwords. This safeguard is one of the most straightforward ways of ensuring that only authorized individuals may access patient information. The HIPAA Security Rule, under the section relating to Security Awareness and Training, stipulates that Covered Entities (CEs) must implement “procedures for creating, changing and safeguarding passwords”.
There are several commonly known procedures for creating a “strong” password, such as:
- Upwards of eight characters
- Combination of upper case and lower case letters
- Inclusion of numbers at several points in their structure
- Use of special characters
- Avoiding things like names or words found in a dictionary
- Using unique passwords for each account
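The procedures listed above, turned into a checker an administrator could run on a proposed password. This is an added example, not code from the original article; the word list is a constructed stand-in for a real dictionary file, and the "unique per account" rule is checked against SHA-256 digests of passwords already in use on other accounts (an assumption about how those are made available).

```python
import hashlib
import re
import string

MIN_LENGTH = 8
# Constructed stand-in for a real dictionary file (assumption for this example).
COMMON_WORDS = {"password", "welcome", "hospital", "patient", "summer", "admin"}


def digest(password):
    """SHA-256 hex digest used only to compare a candidate against other accounts'
    passwords without holding them in plain text (not a storage hash)."""
    return hashlib.sha256(password.encode()).hexdigest()


def check_password(password, known_names=(), existing_digests=frozenset()):
    """Return the list of policy violations; an empty list means the password passes.

    known_names:      names (user, employer, family) that must not appear.
    existing_digests: digests of passwords already used on other accounts.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("needs both upper and lower case letters")
    # "numbers at several points": at least two digits that are not adjacent
    digit_positions = [i for i, c in enumerate(password) if c.isdigit()]
    if len(digit_positions) < 2 or digit_positions[-1] - digit_positions[0] < 2:
        problems.append("needs digits in at least two separate places")
    if not any(c in string.punctuation for c in password):
        problems.append("needs a special character")
    # Alphabetic runs of four or more letters are compared, case-insensitively,
    # against the banned names and the dictionary words.
    runs = {w.lower() for w in re.findall(r"[A-Za-z]+", password) if len(w) >= 4}
    banned = COMMON_WORDS | {n.lower() for n in known_names}
    hits = sorted(runs & banned)
    if hits:
        problems.append("contains a name or dictionary word: " + ", ".join(hits))
    if digest(password) in existing_digests:
        problems.append("already used for another account")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "Patient12", "Hosp1tal2024!"):
        print(candidate, "->", check_password(candidate) or "OK")
```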
Many experts recommend password management tools as an efficient way of complying with HIPAA password policies. These tools are effective against those who want to obtain the passwords for malicious purposes because, although they can be hacked, the software saves passwords in an encrypted format. This renders them unusable by hackers and ensures that patient data is kept secure.
Many cybersecurity experts recommend that employees use two-factor authentication as an additional security measure alongside passwords. Two-factor authentication works by requiring a user to input a PIN code, which is sent to their phone or email account when they attempt to log in to the system using their username and password. As a unique PIN code is issued with each login attempt, hackers cannot access the account using a compromised password alone.
Two-factor authentication fulfils HIPAA password requirements as it can act as an alternative but equivalent security measure to creating, changing, and safeguarding passwords. This works because of the “addressable” requirements stipulated by HIPAA. Addressable requirements mean that Covered Entities can “implement one or more alternative security measures to accomplish the same purpose.” As HIPAA password requirements function to “limit unnecessary or inappropriate access to and disclosure of Protected Health Information”, two-factor authentication may instead be used by healthcare professionals to protect their patients’ PHI.
Physical safeguards are often overlooked by healthcare professionals, but they are very important, and arguably the easiest way to ensure that the integrity of PHI is maintained. The US Department of Health and Human Services Office for Civil Rights (OCR) recently emphasized the importance of physical safeguards in its May 2018 Cybersecurity newsletter.
Some physical safeguards include:
- Implementing workstation security policies and procedures to prevent unauthorized access to ePHI and impermissible disclosures
- Implementing proper disposal policies and procedures for when ePHI is no longer required
- Implementing policies covering the removal of ePHI from devices before they are re-used
- Implementing facility access controls and validation procedures; the CE has flexibility as to how this is achieved
- Keeping an inventory of hardware to ensure that all devices which hold ePHI are accounted for
- Ensuring that all devices containing patient information are stored in locked drawers when not in use
It is vital that employees are made aware of the safeguards in place and trained in maintaining the integrity of PHI. Many facilities are already using safeguards such as two-factor authentication, but it is expected that as the use of mobile devices becomes more common in healthcare environments, PHI will be increasingly at risk. Ensuring that adequate physical, administrative, and technical measures are in place is vital to HIPAA compliance.