The Health Insurance Portability and Accountability Act (HIPAA) was passed by the U.S. Congress in 1996. Its Security Rule requires covered entities and their business associates to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI), that is, PHI that is created, received, maintained, or transmitted in electronic form. Any organization that creates, receives, maintains, stores, or transmits ePHI must comply with these regulations.
HIPAA aims to protect individuals' medical records and other personal health and payment information against unauthorized access, theft, or loss. Its mandates apply to all covered entities (health plans, healthcare clearinghouses, and healthcare providers) and to the business associates that handle ePHI on their behalf.
Passwords remain the most basic control for protecting digital information, and most organizations rely on them to safeguard ePHI. HIPAA addresses password management as part of its Security Rule to indicate the level of protection organizations must provide against potential threats. Without a common baseline, organizations would follow different standards, leaving some ePHI more exposed than others.
The following table explains the HIPAA password and authentication requirements mentioned in the HIPAA Security Rule and how ADSelfService Plus helps your organization comply with them.
| HIPAA requirement | Requirement description | How ADSelfService Plus helps meet the requirement |
| --- | --- | --- |
| § 164.308(a)(3)(i) | Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information and to prevent those workforce members who do not have access from obtaining access to electronic protected health information. | With ADSelfService Plus, you can configure stringent MFA settings based on AD OUs and groups, ensuring that only authorized users can access sensitive ePHI after successful identity verification. The configured MFA methods block unauthorized users from accessing this information. ADSelfService Plus also lets you enforce high-assurance MFA methods, such as FIDO passkeys, biometrics, and YubiKey, for high-risk users, i.e., users who have access to ePHI with higher levels of sensitivity. |
| § 164.308(a)(3)(ii)(B) | Workforce clearance procedure (Addressable). Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate. | Same as above: OU- and group-based MFA policies verify a workforce member's identity before access to ePHI is granted. |
| § 164.308(a)(5)(ii)(C) | Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies. | ADSelfService Plus provides detailed reports to track user logins to machines and healthcare applications when MFA is enabled. These reports let IT administrators audit users' MFA attempts, along with timestamps and the outcome of each attempt. Based on the outcome, admins can take immediate action when suspicious activity is detected. |
| § 164.308(a)(5)(ii)(D) | Password management (Addressable). Procedures for creating, changing, and safeguarding passwords. | ADSelfService Plus provides strong password policies with settings for password length, special character usage, character repetition, and common pattern restriction. These settings are enforced during every end-user password change and reset, and the change or reset itself is secured with strong MFA methods. |
| § 164.312(d) | Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. | ADSelfService Plus provides strong, adaptive MFA with 20 different authentication factors, including FIDO passkeys and biometrics, to safeguard access to ePHI. You can configure two or more MFA factors, and all of them must succeed before access is granted. |
The HIPAA Security Rule has long been a point of debate because it gives no specific details on password complexity and classifies password management as an "addressable" implementation specification. Addressable does not mean optional: a covered entity must implement the specification if it is reasonable and appropriate in its environment, or document why it is not and implement an equivalent alternative measure. The technology-neutral wording is generally understood to be intentional, allowing the rule to stay relevant as security best practices evolve. Many healthcare organizations still use passwords as their first, and sometimes only, line of defense against cyberattacks.
Notably, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which enforces the Security Rule, points to the password guidance in National Institute of Standards and Technology (NIST) Special Publication 800-63B, so it is prudent for healthcare organizations to align with that guidance. NIST SP 800-63B requires a minimum of eight characters for user-chosen passwords, requires new passwords to be screened against lists of commonly used or compromised values, and discourages arbitrary composition rules and forced periodic changes unless there is evidence of compromise.
ADSelfService Plus offers robust password policy and MFA settings to help your organization comply with the HIPAA requirements. You can create a custom password policy that meets HIPAA's requirements and enforce it for all or specific AD users based on their domain, OU, or group memberships. Below are some of the settings that ADSelfService Plus offers:
Satisfy the HIPAA password requirements by configuring the minimum password length and the inclusion of alphanumeric characters in passwords.
Restrict users from re-using their previous passwords during password creation.
Choose the minimum number of complexity requirements your users' passwords should satisfy as per your organization's security needs.
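The controls listed above (minimum length, a minimum number of character classes, limits on character repetition, common-pattern restriction, and a ban on reusing previous passwords) are easy to reason about when written out as a checker. The following is an added example, not ADSelfService Plus code: the thresholds, the blocklist, the sample passwords and the username are constructed for illustration. It also adds a blocklist check of the kind NIST SP 800-63B calls for, and stores password history as salted PBKDF2 digests so that the history store never holds plaintext.

```python
"""Password policy checker mirroring the controls listed above (added example).

Thresholds, blocklist and sample passwords are constructed for illustration;
this is not ADSelfService Plus code.
"""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Optional

# Character classes counted toward the "minimum number of complexity
# requirements" setting.
CHARACTER_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

# Constructed blocklist. NIST SP 800-63B asks for a check against commonly
# used or breached values; production would load a full corpus here.
COMMON_PATTERNS = ("password", "qwerty", "letmein", "welcome", "hospital", "hipaa")


@dataclass
class PasswordPolicy:
    min_length: int = 12
    min_classes: int = 3          # of the four classes above
    max_repeat: int = 2           # longest allowed run of one character
    history_depth: int = 5        # previous passwords that may not be reused
    sequence_length: int = 4      # "1234", "abcd", "dcba" ... are rejected
    blocklist: tuple = COMMON_PATTERNS


def longest_run(password: str) -> int:
    """Length of the longest run of identical consecutive characters."""
    longest = run = 1 if password else 0
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        longest = max(longest, run)
    return longest


def has_sequence(password: str, length: int) -> bool:
    """True if any window of `length` characters ascends or descends by one
    code point per step (e.g. "1234", "abcd", "zyxw"); case-insensitive."""
    s = password.lower()
    for i in range(len(s) - length + 1):
        window = s[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256 so the history store never holds plaintext."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def reused(password: str, history) -> bool:
    """history: (salt, digest) pairs, most recent first; constant-time compare."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def evaluate(password: str, policy: PasswordPolicy = PasswordPolicy(),
             username: str = "", history=()) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    classes = sum(1 for rx in CHARACTER_CLASSES.values() if rx.search(password))
    if classes < policy.min_classes:
        violations.append(f"uses {classes} character classes, policy requires {policy.min_classes}")
    if longest_run(password) > policy.max_repeat:
        violations.append(f"repeats a character more than {policy.max_repeat} times in a row")
    if has_sequence(password, policy.sequence_length):
        violations.append(f"contains a sequential run of {policy.sequence_length} characters")
    lowered = password.lower()
    for pattern in policy.blocklist:
        if pattern in lowered:
            violations.append(f"contains common pattern '{pattern}'")
    if username and username.lower() in lowered:
        violations.append("contains the username")
    if reused(password, list(history)[:policy.history_depth]):
        violations.append(f"matches one of the previous {policy.history_depth} passwords")
    return violations


if __name__ == "__main__":
    policy = PasswordPolicy()
    # Constructed: the user's current password, already stored as salt + digest.
    old_salt, old_digest = hash_password("Tr4ffic-Lantern!42")
    for candidate in ("Summer2024!", "Hospital#1234x", "aaaaB!9xQ7rLm", "Tr4ffic-Lantern!42"):
        result = evaluate(candidate, policy, username="jdoe", history=[(old_salt, old_digest)])
        print(candidate, "->", result or ["OK"])
```

The checker returns every violation rather than stopping at the first, which is what an end user needs to see on a change or reset screen. Keeping history as salted, iterated digests (rather than reversible values) matters because a history store of old passwords is itself a target: attackers use it to infer a user's pattern for their current one.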
Satisfy the HIPAA requirements by securing all endpoints in your network using MFA.
Choose from 20 different authenticators to verify your users' identities.
Free Active Directory users from lengthy help desk calls by letting them reset their own passwords and unlock their own accounts. Users can also change their passwords through the ADSelfService Plus Change Password console.
Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications with their Active Directory credentials.
Notify Active Directory users of impending password and account expiry by email.
Automatically synchronize Windows Active Directory password and account changes across multiple systems, including Office 365, G Suite, IBM iSeries, and more.
Ensure strong user passwords that resist common attacks by requiring Active Directory users to meet the configured password policy, with the complexity requirements displayed to them as they type.
A portal that lets Active Directory users update their own information and quickly search for information about peers using search keys such as a contact number.