Does HIPAA mention anything about passwords?

Yes. Password and Password Management are explicitly stipulated in the following provisions:

First, under "Definitions" [45 CFR 164.304] of the "Security Standards for the Protection of Electronic Protected Health Information."

It states, "Password means confidential authentication information composed of a string of characters."

Secondly, Password Management [ยง164.308(a)(5)(ii)(D)] is one of the addressable specifications in "Administrative Safeguards" of the "Security Awareness and Training Standard."

The provision requires "procedures for creating, changing, and safeguarding passwords."

The Quest for the Perfect Password

The reality is there is no 100% unbreakable password. No matter how complex your password characters are, cyber actors have various ways to break through a vulnerable device. They can exploit by going through weak firewalls, inadequate antivirus, and more.

For instance, keylogger spyware can record your keystrokes, thereby identifying and recording your password without you knowing. A phishing attack can surreptitiously obtain sensitive information by diverting a user to a bogus page (such as a bank website) and tricking an unsuspecting user to key in login credentials.

The best password would be a combination of layers of protection and "best practices." Here are what the experts recommend:

  1. 1. Do not re-use or recycle passwords across different accounts.

    So that if one of your passwords gets exposed due to a data breach, your other accounts will not be compromised.

  2. 2. Do not use words that have anything to do with you or your identity (names and nicknames of family members, date of birth, anniversaries, school names, pet's name, favorite food, hobbies, vacation spot, the likes).

    These words make it easier for a hacker to predict your password.

  3. 3. Do not use words found in the dictionary as your password.

    Hackers use a "dictionary attack." It is a cracking application technology that systematically enters every word in the dictionary to key in passwords.

  4. 4. Do use a long string and strong password.

    14 is the ideal number of password characters. Use a combination of letters, numbers, and symbols that have no apparent correlation with each other.

    For instance "m?Qi6cK7%L+In1p" is a far superior password than "mynameisbondjamesbond."

  5. 5. Do not use predictable patterns such as numbers, symbols, and capitalization at the beginning or end of a password.

    Hackers are aware that this is a very common mistake of people creating a password.

  6. 6. Use a "password manager" technology (e.g., Dashlane, LastPass, and Sticky Password).

    This tool creates strong, unique passwords for all of your accounts.

    Instead of memorizing dozens of carefully crafted passwords, you only have to remember one master key.

  7. 7. Use two-factor authentication protection.

    No matter how strong a password is, it can be leaked or cracked.

    It is wise to add another layer of protection-for instance, an SMS verification function and the Google Authenticator.

  8. 8.

    Install adequate antivirus protection on all devices.

  9. 9. Finally, for organizations, enable device and online account protection and defenses.

    Here are some examples:

    • Setting a maximum number of login attempts
    • Enabling login timeout
    • Installing a next-generation firewall

Has there been a HIPAA enforcement case involving password or password management non-compliance?

Yes, there have been several HIPAA enforcement cases involving password and password management non-compliance. Here is an example of an actual violation that resulted in a $2.75 million settlement.

On March 21, 2013, the University of Mississippi Medical Center (UMMC) informed the Office of Civil Rights (OCR) of a breach involving electronic Protected Health Information (ePHI) of approximately 10,000 individuals.

The issue originated from a missing laptop reportedly stolen from the hospitals' Medical Intensive Care Unit (MICU). The device had inadequate protection despite having access to the ePHI of approximately 10,000 patients. It had a generic or common username and password for all users.

Following the incident, OCR's investigation uncovered more HIPAA violations, including failure to address risk and vulnerabilities previously identified by the University of Mississippi Medical Center, as well as non-compliance to HIPAA Administrative, Technical, and Physical Safeguards.

Due to these findings, UMMC paid a resolution amount of $2,750,000 and adopted a corrective action plan required by the OCR.

References:
  1. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ummc/index.html
  2. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/catholic-health-care-services/index.html
  3. https://www.law.cornell.edu/cfr/text/45/164.308
  4. https://www.law.cornell.edu/cfr/text/45/164.304
  5. https://www.pandasecurity.com/en/mediacenter/tips/how-to-protect-your-password