HIPAA Active Directory password policy requirements

The US Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996 to enact procedures that ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). Any organization that creates, receives, maintains, interacts with, stores, or transmits ePHI must adhere to the mandated HIPAA regulations.

Comply with HIPAA to protect ePHI

Section § 164.308(a)(5)(ii)(D) of HIPPA mandates that admins must enforce:

1. Procedures for creating, changing, and safeguarding passwords [Password management (addressable requirement)].

Passwords—the "addressable requirements"

The HIPAA Security Rule has always been a point of debate as it gives no specific details on password complexity and deems passwords as “addressable." However, this does not mean that password security is optional; many healthcare organizations use passwords as their first and sometimes only line of defense against cyberattacks.

Notably, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) looks to the National Institute of Standards and Technology (NIST) for guidance, so it's prudent that other healthcare organizations do the same.

A NIST-compliant password should:

1. Include American Standard Code for Information Interchange (ASCII) characters.
2. Be a minimum of eight and maximum of 64 characters.
3. Not be easy to guess like "Password@123" or compromised from data hoarding sites. Learn more about weak and compromised passwords here.
4. Not be identical to the previous ten passwords.

Simplify HIPAA compliance with ADSelfService Plus

ADSelfService Plus offers advanced password policy settings that help you comply with all the above requirements. You can create a custom password policy that meets HIPAA's requirements on password management, and enforce it on all or specific Active Directory (AD) users based on their domain, OU, or group membership.

1. Ban weak passwords: Blacklist leaked or weak AD passwords, patterns, and palindromes.
2. Set a custom password length: Enforce longer passwords for Windows domain users by specifying the minimum password length.
3. Enforce password history: Ensure password strength by enforcing password history rules during native password resets in the Active Directory Users and Computers (ADUC) console.
4. Ensure password complexity: Allow users to use Unicode characters in their passwords in addition to uppercase, lowercase, special, and numeric characters.

With ADSelfService Plus' Password Policy Enforcer, admins can:

1. Restrict consecutively repeated characters from the username or old password, as well as common character types at the beginning or end of passwords.
2. Enforce passphases, a string of words used as a password, by overriding password complexity if the user password length is above a set number.
3. Enable the Password Strength Meter to give users instant visual feedback on password strength when they change or reset their AD passwords.
4. Comply with NIST, CJIS, and PCI DSS regulations.