The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a US law that aims to protect patients' medical data and health information. It applies to doctors, hospitals, health care service providers and other entities that handle medical data.
HIPAA requires that password management is part of your HIPAA compliance plan. According to 45 CFR §164.308(a)(5), covered entities must implement "procedures for creating, changing, and safeguarding passwords". Please note that password management and password managers are not the same thing. Password management refers to the act of managing passwords, whereas a password manager is a piece of software that helps to manage the passwords. So even though HIPAA mandates the management of passwords, it does not explicitly specify how to do that.
Password managers, as they do not store Protected Health Information (PHI), do not need to be HIPAA compliant themselves. You do not have to worry about Business Associate Agreements or Business Associate Subcontractor Agreements. But you do need to demonstrate to auditors that you manage passwords, which involves how you create, store, change and safeguard them.
In detail, you will have to answer the following questions:
So even though password managers are not explicitly mentioned in HIPAA, they are a necessary tool to comply with HIPAA and to demonstrate correct practice to auditors.
Psono is one of the best password managers in its class. It provides military grade security with enterprise level management functionality and aims to improve the productivity of its users.
Psono Enterprise Edition has detailed audit logs that record access to all secrets with metadata such as usernames and IP addresses. Audit logs are shipped to a separate server to prevent any tampering.
You can check the permissions for all passwords and know which user has access. The option to audit access based on groups simplifies the audit process. You are in full control and can easily demonstrate compliance to auditors.
The full history of a password is tracked, in addition to the date on which the password was last changed. A full history demonstrates that the password was actually changed, not merely recorded as changed.
You can enforce random passwords that are strong enough to withstand any brute-force attack and can generate passwords with a specific length and complexity requirement.
The built-in security report allows auditors to check the general compliance of users without exposing the actual passwords. The overall acceptance of policies can be checked and drilled down to individual users and passwords.
Psono uses strong encryption to protect data in transit and at rest. In addition, you can enforce various second factors to increase the overall security of the system. With the option to host Psono on-premises, you can implement additional safeguards such as network restrictions and VPN access.
Psono's breach detection functionality can be used to check all passwords against the public service of haveibeenpwned.com, which is the biggest provider of data breach information with over 10,000,000,000 compromised accounts in its database.
With Psono's capability to connect to your LDAP, SAML or OIDC provider, you can manage access centrally. Users are automatically onboarded with their accounts, granted access based on their groups and disabled once they leave the company, without any extra effort or additional time-consuming processes.
If you are ready to take the next step, reach out to sales@psono.com and learn more about how we can help you.