I was recently asked the following question: “Can Health Centers adopt the less stringent password measures recently updated in NIST Special Publication (SP) 800-63B and still be compliant under the HIPAA Security Rule?” This is a great question that isn’t quite as simple as it may seem. It requires an understanding of what the NIST Digital Identity Guidelines are, their place in enforcement, and how to interpret HIPAA requirements as they relate to authentication.
What are the HIPAA Security Rule requirements for Authentication?
First, let’s cover HIPAA, and more specifically the HIPAA Security Rule requirement for authentication, quoted in full below:
Standard 164.312(d): Person or Entity Authentication
“Implement procedures to verify that a person or entity seeking access to electronic protected health information [ePHI] is the one claimed.”
That’s it. Not a lot of information there on password length, complexity, change, reminders, storage, etc. This is because the HIPAA Security Rule is not prescriptive. Rather, it is up to the organization to conduct a Security Risk Analysis and, based on their determination of risk, select reasonable and appropriate authenticators. This is what makes HIPAA Compliance hard. How does one know if their authenticators are “reasonable and appropriate”?
That’s where standards become useful. Following an industry standard will not itself guarantee compliance, but it can help demonstrate that an organization is implementing “reasonable and appropriate” controls. Furthermore, the HHS Office for Civil Rights (OCR), the organization responsible for enforcing the HIPAA Privacy and Security Rules, issued guidance in October 2016 that actually references the NIST SP 800-63B Standards. This does not imply that OCR requires these standards, but certainly indicates that following them would align with OCR’s expectations.
NIST SP 800-63B Digital Identity Guidelines
That brings us to the NIST SP 800-63B Digital Identity Guidelines. Now, it should be understood that these guidelines are:
- NOT enforceable outside of the federal government
- NOT one-size-fits-all requirements
- Risk-based guidelines that encompass identification and authentication
The guidelines outline three Assurance Levels, selected according to the level of risk presented by the information in question. How those levels are calculated is outside the scope of this article, other than to say that when accessing ePHI, the calculation will generally result in Assurance Levels that require Multi-Factor Authentication. However, this article is about passwords, so we’ll focus there.
NIST Guidelines - NIST SP 800-63B Appendix A – Strength of Memorized Secrets
Assume, based on your assessment of risk, that you have determined that a password is appropriate, either as the sole authenticator or as one factor in a two-factor authentication system. What do the guidelines recommend for the password? This is where NIST SP 800-63B Appendix A – Strength of Memorized Secrets comes into play. These are the standards you will most often hear quoted, and they are the source of the “less stringent password measures” statement. Note that Appendix A starts with the words “This Appendix is informative” (i.e. these are not enforceable standards).
Now, what does Appendix A say?
- “Research has shown … that users respond in very predictable ways to the requirements imposed by composition rules”. For example, users satisfy a complexity rule with a password like “Password1!”. Therefore, complexity rules typically do not increase password strength.
- “Users should also be able to include space characters to allow the use of phrases”. This increases usability and encourages the use of passphrases.
- “[I]t is recommended that passwords chosen by users be compared against a “black list” of unacceptable passwords. This list should include passwords from previous breach corpuses, dictionary words, and specific words (such as the name of the service itself) that users are likely to choose.”
- “Password length has been found to be a primary factor in characterizing password strength”.
- “The minimum password length that should be required depends to a large extent on the threat model being addressed”.
- “Online attacks where the attacker attempts to log in by guessing the password can be mitigated by limiting the rate of login attempts permitted”.
- “Passwords are salted with a random value and hashed, preferably using a computationally expensive algorithm” – Work with your software vendor to make sure passwords are hashed using an appropriate algorithm (examples include PBKDF2 and bcrypt).
- “Users should be encouraged to make their passwords as lengthy as they want, within reason” – Allow at least 64 characters.
NIST SP 800-63B also includes recommendations for usability (this is for the developers):
- Support Copy and Paste into password fields
- Support Password Managers
- “Clearly communicate information on how to create and change [passwords]”
- “Clearly communicate [password] requirements”
- “Do not impose other composition rules (e.g. mixtures of different character types) on [passwords]”
- Do not require that memorized secrets be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise
- “Provide clear, meaningful, and actionable feedback when chosen passwords are rejected (e.g., when it appears on a “black list” of unacceptable passwords or has been used previously).”
The guidance to NOT impose composition rules and NOT require periodic password changes covers the areas where readers tend to find these new rules “less strict”. However, viewing them as part of the larger picture shows that there are other controls to put in place (blocklist checks, length, rate limiting, and proper hashing) that compensate for the loosening of these restrictions.
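To make the “larger picture” concrete, here is an added example (not code from the original post, nor from any vendor or from Online) of a verifier that implements the Appendix A and usability recommendations listed above as one set: no composition rules, spaces and long passphrases allowed, a blocklist check with actionable feedback, a rate limit on failed logins, and salted PBKDF2 hashing. The blocklist entries, the 8/128 character bounds (the upper bound only needs to be at least 64), the 5-failures-per-15-minutes lockout window and the PBKDF2 iteration count are all constructed illustrative values, not figures from the guideline or the post.

```python
"""Password verifier checks modelled on NIST SP 800-63B Appendix A / Section 5.1.1.

Added example, not the original post's code. Blocklist contents, length bounds,
lockout window and iteration count are constructed values for illustration.
"""
import hashlib
import hmac
import os
import unicodedata
from collections import defaultdict, deque

MIN_LENGTH = 8       # constructed floor for user-chosen secrets
MAX_LENGTH = 128     # must be at least 64 so long passphrases are accepted
# Constructed stand-in for a breach-corpus / dictionary blocklist (compare lowercased).
BLOCKLIST = {"password", "password1!", "letmein", "welcome1", "qwerty123", "12345678"}
PBKDF2_ITERATIONS = 600_000   # constructed; tune to your hardware


def check_password(candidate, service_words=("clinic portal",)):
    """Return (accepted, feedback). Only length and blocklist are enforced: no composition rules."""
    # Normalize so length is counted consistently and lookalike Unicode forms hit the blocklist.
    pw = unicodedata.normalize("NFKC", candidate)
    if len(pw) < MIN_LENGTH:
        return False, f"Use at least {MIN_LENGTH} characters; spaces and phrases are allowed."
    if len(pw) > MAX_LENGTH:
        return False, f"Use at most {MAX_LENGTH} characters."
    lowered = pw.lower()
    if lowered in BLOCKLIST:
        return False, "That password appears in a list of commonly used or breached passwords; choose another."
    for word in service_words:  # e.g. the name of the service itself
        if word.lower() in lowered:
            return False, f"Passwords must not contain the service name ({word!r})."
    return True, "Password accepted."


class LoginThrottle:
    """Sliding-window limit on failed logins per account, mitigating online guessing."""

    def __init__(self, max_failures=5, window_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures

    def _prune(self, account, now):
        q = self._failures[account]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def allowed(self, account, now):
        """True if the account has not yet exhausted its failures within the window."""
        return len(self._prune(account, now)) < self.max_failures

    def record_failure(self, account, now):
        self._prune(account, now).append(now)

    def record_success(self, account):
        self._failures.pop(account, None)


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Salt with 16 random bytes and hash with PBKDF2-HMAC-SHA256; returns a self-describing record."""
    salt = os.urandom(16)
    pw = unicodedata.normalize("NFKC", password).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored, password):
    """Recompute the hash from the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    pw = unicodedata.normalize("NFKC", password).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", pw, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for pw in ("Password1!", "correct horse battery staple", "iloveyoumadly", "My Clinic Portal key"):
        print(f"{pw!r}: {check_password(pw)}")
    record = hash_password("correct horse battery staple")
    print("verify ok:", verify_password(record, "correct horse battery staple"))
```

Note that “iloveyoumadly” passes (no composition rule is applied) while “Password1!” is rejected by the blocklist, which is exactly the trade the guideline makes: length, blocklisting, throttling and slow salted hashing carry the load that complexity rules and forced rotation used to.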
In answer to the question “Can Health Centers adopt the less stringent password measures recently updated in NIST SP 800-63B and still be compliant under the HIPAA Security Rule?”, the short answer is “Yes; HIPAA does not actually prescribe a specific standard or set of rules for passwords, so these new measures won’t directly affect compliance.”
With that being said, organizations should take a risk-based approach to their password rules, and a standard such as NIST SP 800-63B can certainly be used to demonstrate that their choices are “reasonable and appropriate.” In order to do so, however, the areas where the standard is less stringent (i.e. password changes and composition rules) cannot be taken in isolation. The new guidelines are meant to be followed in their entirety, as they are complementary to each other and were designed to work together.
Online’s Risk, Security, and Privacy practice has worked with hundreds of organizations to assess their current security controls - including authentication strategies - and help design solutions that meet their unique compliance and security requirements. Online believes that a quality security program is not always about implementing the strictest controls, but rather finding a solution that is efficient, user-friendly, and right-sized for your organization.
Is your organization unsure of how to work with the new NIST SP 800-63B Digital Identity Guidelines? Feel free to leave a comment below with any questions, or reach out to me directly; I’d be glad to help.