Yes. Passwords and password management are explicitly addressed in the following provisions of the HIPAA Security Rule:
First, under "Definitions" [45 CFR 164.304] of the "Security Standards for the Protection of Electronic Protected Health Information."
It states, "Password means confidential authentication information composed of a string of characters."
Secondly, Password Management [§164.308(a)(5)(ii)(D)] is one of the addressable implementation specifications of the "Security Awareness and Training" standard in the Administrative Safeguards.
The provision requires "procedures for creating, changing, and safeguarding passwords." Note that "addressable" does not mean optional: a covered entity must either implement the specification or document why it is not reasonable and appropriate and put an equivalent alternative measure in place.
The reality is that no password is unbreakable. However complex it is, an attacker does not need to guess it if the device it is typed on can be compromised, for example through an unpatched system, a weak firewall configuration, or missing antivirus protection.
For instance, keylogger spyware records your keystrokes, capturing your password as you type it without your knowledge. A phishing attack obtains credentials by directing the user to a bogus login page (such as a fake bank website) and tricking them into entering their username and password there.
The best protection is therefore a combination of several layers and the following best practices recommended by experts:
Use a different password for each account, so that if one of your passwords is exposed in a data breach, your other accounts are not compromised.
Avoid ordinary words and phrases. They make it easier for an attacker to guess your password.
Attackers use a "dictionary attack": a cracking technique that systematically tries every entry in a wordlist (and common combinations of entries) as the password, either against a login form or, far faster, against stolen password hashes.
Use at least 14 characters, with a mix of letters, numbers, and symbols that have no apparent relationship to each other.
For instance, "m?Qi6cK7%L+In1p" is a far stronger password than "mynameisbondjamesbond." The second one is longer, but it is built entirely from dictionary words, so a wordlist attack recovers it quickly; the first has to be brute-forced over the full character set.
Attackers know that this is a very common mistake people make when creating a password.
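The two points above, a policy check for newly created passwords and the dictionary attack it is meant to defeat, as an added example in Python. This is not code from the original article; the wordlist, the candidate passwords and the unsalted SHA-256 "stolen hashes" are constructed for the demo, and a real deployment would check candidates against a large breached-password list and store passwords with a slow, salted hash such as bcrypt or Argon2.

```python
"""Password-policy check plus a wordlist (dictionary) attack demonstration.

Added example, not part of the original article. WORDLIST and the sample
passwords are constructed; unsalted SHA-256 stands in for a leaked hash
database and is NOT how an application should store passwords.
"""
import hashlib
import itertools
import secrets
import string

MIN_LENGTH = 14          # the article's recommended minimum length
MIN_CLASSES = 3          # lower / upper / digit / symbol

# Constructed wordlist standing in for a cracking dictionary.
WORDLIST = ["my", "name", "is", "bond", "james", "password", "admin", "letmein"]

WEAK = "mynameisbondjamesbond"   # the article's weak example (21 chars, 6 words)
STRONG = "m?Qi6cK7%L+In1p"      # the article's strong example (15 random chars)


def character_classes(pw):
    """Return the set of character classes present in pw."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def contains_dictionary_word(pw, wordlist=WORDLIST, min_len=4):
    """True if any wordlist entry of at least min_len chars appears in pw."""
    low = pw.lower()
    return any(w in low for w in wordlist if len(w) >= min_len)


def check_password(pw, wordlist=WORDLIST):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(pw)) < MIN_CLASSES:
        problems.append("fewer than three character classes")
    if contains_dictionary_word(pw, wordlist):
        problems.append("contains a dictionary word")
    return problems


def generate_password(length=MIN_LENGTH + 2):
    """Generate a random password (as a password manager would) that passes the policy."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):
            return pw


def sha256_hex(pw):
    """Unsalted SHA-256, standing in for a leaked hash (demo only)."""
    return hashlib.sha256(pw.encode()).hexdigest()


def dictionary_attack(target_hash, wordlist=WORDLIST, max_words=6):
    """Try every concatenation of up to max_words wordlist entries against
    target_hash. Returns the recovered password, or None if not found."""
    for n in range(1, max_words + 1):
        for combo in itertools.product(wordlist, repeat=n):
            guess = "".join(combo)
            if sha256_hex(guess) == target_hash:
                return guess
    return None


if __name__ == "__main__":
    for pw in (WEAK, STRONG):
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
        print("  recovered by wordlist attack:", dictionary_attack(sha256_hex(pw)))
    print("generated:", generate_password())
```

Running the script shows the weak passphrase failing the policy and being recovered from its hash after a few hundred thousand guesses, while the random 15-character password is neither flagged nor recovered, even though it is shorter.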
Use a password manager. This tool creates and stores strong, unique passwords for all of your accounts.
Instead of memorizing dozens of carefully crafted passwords, you only have to remember one master key.
Enable multi-factor authentication. No matter how strong a password is, it can be leaked or cracked.
It is wise to add another layer of protection, for instance an SMS verification code or an authenticator app such as Google Authenticator. Be aware that SMS codes can be intercepted or redirected (for example through SIM swapping), so a time-based authenticator app or a hardware security key is the stronger choice.
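How the authenticator-app layer works, as an added example in Python that is not code from the original article. Google Authenticator implements TOTP (RFC 6238): the server and the app share a secret, and each 30-second window yields a one-time code derived from it. The block below generates and verifies such codes with the standard library only; the secret is RFC 6238's published test key (an assumption for the demo, real secrets come from `generate_secret()`), and the verification routine accepts one step of clock drift and refuses to accept a code for a counter that has already been used.

```python
"""TOTP (RFC 6238) generation and verification, as used by Google Authenticator.

Added example, not from the original article. RFC_SECRET_B32 is the
RFC 6238 test key, assumed here so the output can be checked against the
RFC's published vectors; production secrets come from generate_secret().
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

# RFC 6238 Appendix B test key (20 ASCII bytes), base32-encoded as an app expects it.
RFC_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def generate_secret(nbytes=20):
    """Fresh random shared secret, base32-encoded for the QR code / manual entry."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


def provisioning_uri(secret_b32, account, issuer):
    """otpauth:// URI that Google Authenticator and similar apps scan."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret_b32, int(at_time // step), digits)


def verify_totp(secret_b32, submitted, at_time=None, step=30, window=1,
                last_used_counter=None):
    """Verify a submitted code.

    Accepts codes from `window` steps either side of the current one (clock
    drift), compares in constant time, and rejects any counter at or below
    last_used_counter so a captured code cannot be replayed. Returns the
    accepted counter (store it as the new last_used_counter) or None.
    """
    if at_time is None:
        at_time = time.time()
    current = int(at_time // step)
    for delta in range(-window, window + 1):
        counter = current + delta
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    print(provisioning_uri(RFC_SECRET_B32, "alice@example.org", "Clinic"))
    print("code at t=59:", totp(RFC_SECRET_B32, at_time=59))   # RFC vector: 287082
    print("current code:", totp(RFC_SECRET_B32))
```

The `last_used_counter` parameter is the piece most home-grown implementations forget: without it, a code phished or shoulder-surfed within the 30-second window (plus the drift window) can be reused by the attacker.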
Install adequate antivirus protection on all devices.
Here are some examples:
Yes, there have been several HIPAA enforcement cases involving password and password management failures. Here is an example of an actual violation that resulted in a $2.75 million settlement.
On March 21, 2013, the University of Mississippi Medical Center (UMMC) informed the Office for Civil Rights (OCR) of a breach involving the electronic Protected Health Information (ePHI) of approximately 10,000 individuals.
The issue originated from a missing laptop, reportedly stolen from the hospital's Medical Intensive Care Unit (MICU). The device was inadequately protected despite having access to the ePHI of approximately 10,000 patients: it used a generic username and password shared by all users, so the credential identified no individual and could not be revoked for one person without changing it for everyone.
Following the incident, OCR's investigation uncovered further HIPAA violations, including failure to address risks and vulnerabilities that UMMC had previously identified itself, as well as non-compliance with the HIPAA Administrative, Technical, and Physical Safeguards.
Due to these findings, UMMC paid a resolution amount of $2,750,000 and adopted a corrective action plan required by OCR.