Password security for electronic protected health information (ePHI) is a fundamental part of any HIPAA compliance program, but there is no one right way. HIPAA allows a great deal of choice in how to secure data with passwords, but one must choose carefully to ensure the information is protected from both casual snooping and sophisticated hacking.
HIPAA password management requirements are quite open-ended, only specifying that one must institute “procedures for creating, changing, and safeguarding passwords,” notes Gary Nelson, healthcare practice leader with Schellman & Company, a security and privacy compliance assessor based in Tampa, FL.
To determine whether password protection is sufficient, organizations should perform risk assessments for the systems or services that use or house ePHI, Nelson says. While HIPAA itself does not specify minimum requirements, the risk assessment can be paired with password or authentication requirements from standards such as NIST, PCI, or HITRUST to address the HIPAA safeguard and to define what is optimal for the organization.
Read more: www.ahcmedia.com
About the Author
Gary Nelson is a Principal at Schellman. Gary currently helps lead Schellman’s HITRUST and DEA EPCS practices and has been a leading expert in both HITRUST for healthcare service organizations and DEA EPCS for providers of electronic prescription and electronic pharmacy applications. Having completed over 500 service audits, Gary is one of the most experienced service auditors in the United States.