The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is an US law that aims to protect patient's medical data and health information and applies to doctors, hospitals, health care service providers and other entities that handle medical data.
HIPAA requires that password management is part of your HIPAA compliance plan. According to 45 CFR §164.308(a)(5) covered entities must implement a "Procedures for creating, changing, and safeguarding passwords". Please note that password management and password managers are not the same thing. Password management refers to the act of managing passwords whereas a password manager is a piece of software that helps to manage the passwords. So even so HIPPA mandates the management of password it does not explicitly specify how to do that.
Password managers as they do not store Protected Health Information (PHI) do not need to HIPAA compliant themself. You do not have to worry about Business Associate Agreements or Business Associate Subcontractor Agreements. But you need to demonstrate to auditors that you manage passwords which involves how you create, store, change and safeguard them.
In detail you will have to answer the following questions:
So even password managers are not strictly mentioned in HIPAA, password managers are a necessary tools to comply with HIPAA and demonstrate auditors the correct practise.
Psono is one of the best password managers in class. It provides military grade security with enterprise level management functionality and tries to improve productivity of its users.
Psono Enterprise Edition has detailed audit logs, that log the access to all secrets with metadata like usernames and ip addresses. Audit logs are shipped to a separate server to prevent any tempering.
You can check the permissions for for all passwords, know which user has access. The option to audit access based on groups simplifies the audit process. You are in full control and can easily demonstrate to auditors compliance.
The full history of a password is tracked in addition to the date that the password has been changed the last time. A full history demonstrate that the password was also really changed.
You can enforce random passwords that are strong enough to withstand any bruteforce attack and can create passwords with a specific length and complexity requirement.
The built in security report allows auditors to check the general compliance of users without exposing the actual passwords. The overall acceptance of policies can be checked and drilled down to independent users and passwords.
Psono is using strong encryption to protect the data in transit and at rest. In addition you can enforce various second factor to increase the overall security of the system. With the option to host Psono on premise you can implement additional safeguards like network restrictions and VPN access.
Psono breach detection functionality can be used to check all passwords against a the public service of haveibeenpwned.com which is the biggest provider of data breaches with over 10,000,000,000 compromised accounts in their database.
With Psono's capability to connect to your LDAP, SAML or OIDC provider you can manage access centrally. Users are automatically onboarded with their accounts, granted access based on their groups and disabled once they leave the company without any extra effort or additional time consuming processes.
If you are ready to go the next step reach out to firstname.lastname@example.org and learn more about how we can help you.