How Often Should I Be Changing My Passwords for HIPAA Compliance?


I recently sat in a breakout session at a major medical conference where the session topic was the HIPAA Security Rule. The session was supposed to "answer your nagging questions" about the Security Rule. Yet every question from the audience was met with as much ambiguity as a first reading of the Security Rule itself. Toward the end of the session, the presenter (a lawyer) got what I thought was a softball question: "How often should we change our passwords?"

Incredibly, after some impressive tap dancing, the session ended with no questions answered. I wanted to scream out "45 to 90 days!!! That's the answer!" Of course, there is more to it than that, but generally speaking, changing passwords every 45-90 days is frequent enough in most environments.

What people wanted to know was a ballpark number. The vast majority of the attendees at this conference were practice administrators and work in small independent practices with 1-10 providers and perhaps 5-50 employees in the office. They're not IT people, so they had no idea what would be "reasonable and appropriate". Should it be a year? Every 6 months or every 30 days? All they needed was a simple straightforward number with an explanation why and what else they might want to consider for their own office.

It would be hard to argue that 45-90 days isn't "reasonable and appropriate". It's at least a good starting point if you’re presently not doing anything on password management. It's a nice balance between the need for security and the need for usability. Then, as you continue to analyze your risk, you can revisit your password change policy and adjust as needed.

If this is an area you need to address, read NIST 800-118 and give a copy to your IT support. Then examine every system you have that can be secured with a username and/or password and decide, for each one, what is best for your environment. I'd recommend not going over 90 days. Whatever you decide, implement it and stick to it. Be sure to document your reasoning and decision, write out an internal policy, train your staff, and keep the policy and any related documentation as evidence of your Security Rule compliance.
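As an added example (not part of the original post), here is one way to do that "examine every system" check on a Windows domain, which is an assumption about your environment: it audits the default domain policy, any fine-grained policies, and individual accounts against the 90-day ceiling recommended above. It assumes the ActiveDirectory PowerShell module is installed and you are running it with an account allowed to read domain password policies and user attributes.

```powershell
# Added example: audit Active Directory password-expiry settings against a 90-day ceiling.
# Assumes a Windows domain with the ActiveDirectory (RSAT) module available.
Import-Module ActiveDirectory

$MaxAgeDays = 90   # ceiling from the post; lower it if your own risk analysis says so

# 1. Default domain policy. MaxPasswordAge is a TimeSpan; zero means "never expires".
$default    = Get-ADDefaultDomainPasswordPolicy
$defaultAge = $default.MaxPasswordAge.TotalDays
if ($defaultAge -eq 0 -or $defaultAge -gt $MaxAgeDays) {
    Write-Warning ("Default domain policy MaxPasswordAge is {0} days (limit {1})" -f $defaultAge, $MaxAgeDays)
} else {
    Write-Output ("Default domain policy OK: {0} days" -f $defaultAge)
}

# 2. Fine-grained password policies (PSOs) override the default for the groups they apply to,
#    so a compliant default policy alone proves nothing for those users.
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    $age = $_.MaxPasswordAge.TotalDays
    if ($age -eq 0 -or $age -gt $MaxAgeDays) {
        Write-Warning ("PSO '{0}' MaxPasswordAge is {1} days (limit {2})" -f $_.Name, $age, $MaxAgeDays)
    } else {
        Write-Output ("PSO '{0}' OK: {1} days" -f $_.Name, $age)
    }
}

# 3. Per-account exemptions. "Password never expires" bypasses both policies above, and a
#    PasswordLastSet older than the ceiling shows the policy is not actually being enforced.
$cutoff = (Get-Date).AddDays(-$MaxAgeDays)
Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordNeverExpires, PasswordLastSet |
    Where-Object {
        $_.PasswordNeverExpires -or
        (-not $_.PasswordLastSet) -or        # never set / must change at next logon
        ($_.PasswordLastSet -lt $cutoff)
    } |
    Select-Object SamAccountName, PasswordNeverExpires, PasswordLastSet |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize
```

Save the output alongside your written policy; the dated report is the kind of evidence of enforcement the post recommends keeping.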



Phil Cooper is the co-founder of Skysail Software, makers of affordable HIPAA Security Rule compliance management software solutions.  HIPAA FLIGHTPLAN is web-based software that provides centralized documentation of your HIPAA Security Rule compliance program.  HIPAA TIPS is web-based software that delivers Security Awareness training to your entire staff, every month, without impacting your daily operations.


Phil Cooper

Phil Cooper is a serial entrepreneur and co-founder of Skysail Software. He co-founded NetTech, an IT services company in 1995 which he and partner Jeff Franks sold to MapleTronics Computers in 2009. He currently serves as CIO for MapleTronics and is the Chief Software Architect for Skysail Software. His years in the IT services field have provided ample opportunity to work with physicians and administrators in the medical community. This first hand experience has helped him understand the struggles that many independent practices face complying with HIPAA, especially the Security Rule. Along with Franks, Cooper decided it was time for the right tools to be built to assist the medical community with making HIPAA compliance manageable. So, Skysail Software was born. He has also served seven years on the board of Riverside Christian Academy, five as Board Chair, and has noted that it has been "one of the most significant and rewarding experiences of my life". He is an avid aviation buff and once had a rock band called Gantry...yes, along with Franks. Phil and his wife Debbie have two boys, Tyler and Ben, and reside in Fayetteville, TN.