As technology becomes more and more sophisticated, so do the strategies hackers use in data breaches. Now more than ever, your HIPAA compliance program should establish safeguards for every area of data protection – including passwords. According to the 2020 Verizon Data Breach Investigations Report, compromised passwords are responsible for 81% of hacking-related breaches.¹
While we all might agree that a password needs to follow certain rules to be considered secure, there is not a general consensus about what those rules should be. Many password guidelines that have been widely used for years may no longer reflect current industry standards.
That’s why the National Institute of Standards and Technology (NIST) has published a new set of password guidelines (also known as the NIST Special Publication 800-63B).² These recommendations are considered best practice for anyone who wants to make sure that a weak or compromised password is not the source of a data breach.
- Length is more important than complexity
It’s easy to think that complexity is the most important factor in creating a secure password, but research shows that length is actually far more important. If a longer password is stolen, it is harder to decrypt. NIST recommends at a minimum eight character passwords.
Research has also shown that when an entity requires someone to create a new password with greater complexity – e.g., special characters, numbers, uppercase letters, and symbols – their password actually becomes less secure. In light of this, NIST has removed complexity requirements from its recommendations and put a renewed emphasis on length.
- Get rid of periodic resets
At some point, you’ve probably received a password reset email just a few months after creating a new password. For a long time, this was considered best practice. However, NIST does not recommend periodic resets. Research found that they actually decrease security. When asked to change passwords, people often create ones that are very similar to old passwords. If a hacker already knows a previous password, it makes guessing the new one much easier.
- Enable “Show password while typing”
It’s very easy to mistype while typing in a password. Typos are much less frequent when a user can see what they are typing before they hit enter. If the inability to see what has been typed is holding someone back from creating a strong password, making it so passwords can be seen while typing eliminates this issue. That’s why NIST recommends enabling this feature.
- Allow “Paste-in” and “Auto-fill” features
Much like allowing passwords to be visible while being entered, paste-in technology also makes passwords easier to enter, in turn making them less susceptible to data breach. Many users have dozens of passwords for all the accounts they use in the course of their workday. This is why password managers with auto-fill capabilities are so helpful. Implementing this safeguard will not only make everyone’s lives easier, but it’s also an extremely effective way to keep company data safe.
- Use breached password protection
Did you know there is a “blacklist” for passwords? Many of them contain similar phrases or easy-to-guess details. These include dictionary words, repetitive or sequential strings of words, passwords compromised in previous breaches, variations on the site name, and commonly-used phrases. If your password falls into any of these categories, odds are that hackers and cybercriminals are more likely to guess it, and you should update it.
- Skip password hints
It might be a hint for you, but it can also be a hint for hackers. Whether it’s a hint that you enter yourself or a security question, NIST recommends against it. There is so much personal information available on the internet that cyber criminals might have no problem guessing the answers, thereby accessing your account.
- Limit number of login attempts
Maybe a hacker won’t guess your password on the first or second try, but by the time they give it a third or fourth try, many are successful (this is known as a brute force attack). If you want to prevent hackers from doing this, make sure there are parameters in place when it comes to the number of login attempts allowed before the account locks.
- Use multi-factor authentication
Multi-factor authentication (MFA) is one of the most important safeguards you can implement to protect from a data breach. This is a good rule of thumb when deciding what types of authentication to employ:
● Something you know (like a password)
● Something you have (like a phone)
● Something you are (like a fingerprint)
According to the new NIST requirements, multi-factor authentication is required for securing any personal information available online. Of course, this has implications for HIPAA as well. The new requirements also give guidance on the types of tools that should be used for authentication. So even if you are already using MFA, you may want to double check that what you are using is still considered a secure tool.
How can Total HIPAA help?
Here at Total HIPAA, data security is of the utmost importance to us. Our team of professionals has the knowledge and expertise to create a HIPAA compliance plan customized for your business, that will not only help you protect your data, but your business as well.
Want to know more about how we can help you become (and stay) HIPAA compliant?
Email us at info@totalhipaa.com. Or, get started here.