HIPAA Password Complexity Doesn’t Work

Passwords are one of the most significant sources of frustration in our daily digital lives, and the same goes for healthcare organizations. However, I believe that passwords don’t need to be such a problem.

Everyone is used to being asked to include special characters and numbers in their passwords, supposedly to increase security. Still, you might be surprised to learn that HIPAA doesn’t actually require any particular complexity rules. Not only that, we have learned in recent years through evidence-based research that complexity rules for passwords just don’t work. In fact, they make things worse. Users often work around password rules in ways that are very predictable and reduce a healthcare organization’s security posture.

So, what does work?

There are three simple rules for creating effective passwords, and those are:

  • Length
  • Randomness
  • Uniqueness

Long passwords are great because they can be harder to guess than shorter passwords, but this doesn’t make them inherently secure. It’s important to keep in mind that a long password is only good if it is also random, meaning not something obvious that a hacker could guess (your children’s names, etc.). Also, “uniqueness” means using a password that you’ve never used before. You should always assume that any of your old passwords have already been breached and are available for hackers to find on the dark web. If you’re using the same password for social media as you are for your VPN, your VPN is at risk.

Implementing these changes might be a large culture shift for your organization, but taking the time to explain to your users why this is important and getting them involved will go a long way towards making your system secure. You should never discount the human element when thinking about the fundamental aspects of cybersecurity. This is why training and sharing knowledge with your organization’s users is so important.

For more information about best practices, check out this Webinar!

If you want to improve your healthcare organization’s cybersecurity, talk to a Matterform risk analyst today.

Scroll to Top