Robust cybersecurity architecture begins with essentials like access control and user credential management. This is especially true for businesses in the healthcare industry, where unauthorized access via a weak or stolen password can compromise protected health information security (PHI). HITRUST password requirements simplify the measures required to keep all your stakeholders safe. Read on to learn more about what they entail.
Guide to HITRUST Password Requirements
Targeted cyberattacks can lead to guessing, hacking, cracking, or even theft of passwords. Users cannot be trusted to make their account credentials strong on their own accord. Your company needs to guarantee safety with robust minimum requirements and frequent updates, along with other password safeguards. HITRUST’s framework offers uniform standards to optimize them.
This guide breaks down everything you need to know into two primary sections:
- A full explainer of HITRUST password requirements, including all relevant controls
- Other password security best practices, including helpful resources
By the end of this blog, you’ll be well equipped to secure your passwords up to HITRUST standards and well beyond. But first, let’s take a quick look at the broader HITRUST framework.
What is HITRUST and Who Needs to Comply?
The HITRUST Alliance, formerly known as the “Health Information Trust Alliance,” endeavors to protect companies in the healthcare industry through the HITRUST Approach. This includes adopting several risk management and cybersecurity frameworks, most notably the Common Security Framework (CSF). The CSF integrates controls from various regulatory texts, such as HIPAA, HITECH, and PCI-DSS, simplifying the adoption of all of them simultaneously.
HITRUST compliance is not a legal requirement for any organization. But the inputs for the CSF are legally required for many organizations in specific contexts. Healthcare organizations need to be HIPAA compliant, and all businesses that process card payments need to be PCI-DSS compliant. HITRUST offers efficiency, as well as optimal security.
Let’s take a close look at the HITRUST password requirements, as they appear in the CSF.
HITRUST Requirements for Passwords
The core of the HITRUST CSF comprises 156 “Control References.” These spread across 49 “Objective Names,” which themselves are housed in 14 “Control Categories.” Across the HITRUST CSF, the primary requirements that deal directly with passwords are the following:
- HITRUST password length requirements and strength requirements include a minimum of eight characters for a given password or 15 characters for accounts with the most privileged access. Complexity measures include at least one number and/or special character and at least one letter in upper and lower case for privileged accounts.
- HITRUST password history requirements vary in range, depending on the level of security required for a given user. For the most highly privileged accounts, passwords must be changed every 60 days, and no combinations from the previous 12 passwords may be used. For accounts with fewer access privileges, none of the previous six passwords may be used.
- HITRUST encryption requirements intersect with user credentials concerning user account management and access to the cloud or remote servers. Storing sensitive information, including passwords, also requires encryption to protect them even if stolen.
Other requirements related to user credentials, accounts, and access include multi-factor authentication for specific accounts and the Category of “Access Control.”
Assess your HITRUST compliance
Breakdown of Access Control Requirements
There is only one Control Category related directly to password length, strength, and other qualities: “Control Category 01.0, Access Control.” Coincidentally, this is also a Category with some of the most Objectives (seven) and Control References (25). Let’s take a closer look at them:
- Objective 01.01: Business requirement for access control
- Reference 01.a: developing a strong access control policy
- Objective 01.02: Authorized access to information systems
- Reference 01.b: control registration of all user accounts
- Reference 01.c: manage access privileges of user accounts
- Reference 01.d: manage users’ passwords and accounts
- Reference 01.e: regularly review users’ rights of access
- Objective 01.03: User responsibilities
- Reference 01.f: govern users’ use of passwords and accounts
- Reference 01.g: account for user equipment left unattended
- Reference 01.h: require clean and secure workstations
- Objective 01.04: Network access control
- Reference 01.i: create policy restricting access to networks
- Reference 01.j: authenticate access via an external connection
- Reference 01.k: identify all equipment connected to networks
- Reference 01.l: monitor and protect remote and port access points
- Reference 01.m: implement segregation of and within networks
- Reference 01.n: control connections to, from, and across networks
- Reference 01.o: control routing of and to internal and external networks
- Objective 01.05: Operating system access control
- Reference 01.p: ensure secure procedures for logging into accounts
- Reference 01.q: implement authentication and identification of users
- Reference 01.r: implement a robust password management system
- Reference 01.s: monitor and control all use of system utilities
- Reference 01.t: require automatic session time-out for inactivity
- Reference 01.u: limit duration of access sessions, within reason
- Objective 01.06: Application and information access control
- Reference 01.v: restrict access to sensitive information
- Reference 01.w: logically isolate sensitive information
- Objective 01.07: Mobile computing and teleworking
- Reference 01.x: monitor and control mobile access
- Reference 01.y: implement telework security measures
While only a few of these Objectives and References deal directly with passwords specifically, access control’s overall Category offers broader protection through other measures. This is true of HITRUST’s framework, as well as in other regulatory texts (HIPAA, PCI-DSS, etc.).
Other Password Security Best Practices
Besides the baseline password requirements for HITRUST compliance, there are many other security measures your company can take to keep its user credentials safe. For example, many cybersecurity experts recommend utilizing a passphrase rather than a password. Splitting up the credential into two or more distinct strings of characters makes it more difficult to guess.
A more advanced approach involves two or multi-factor authentication, which authorizes access through a username and password or phrase, in addition to some combination of:
- Something the user owns, such as a secondary device used to confirm the identity
- Something the user knows, such as a security question only they can answer
- Something the user is, such as a biometric scan of a retina, fingerprint, etc.
All these methods help to keep passwords safe from guessing, cracking, and theft. But if passwords are compromised, robust encryption can help ensure that hackers cannot view or use the credentials. RSI Security’s identity and access management services include all of these measures, alongside powerful analytics and management.
Professional Compliance and Cybersecurity
Here at RSI Security, we know how critical compliance is for companies within the healthcare industry. We also understand the value HITRUST offers in simplifying all the controls you need for HIPAA compliance.
Our suite of HITRUST compliance services builds upon this value, helping to make HITRUST implementation and compliance a simple, straightforward process. Our experts will work with your internal IT to determine gaps, report on patches, and even help you develop them.
Contact RSI Security today for help implementing HITRUST password requirements and all other controls. We’re also happy to help integrate these and other regulatory requirements into the fabric of your company, optimizing your broader cybersecurity architecture and keeping your stakeholders safe. No matter the needs and means of your company, we have you covered.
Download Our HITRUST Compliance Checklist
Assess where your organization currently stands with being HITRUST compliant by completing this checklist. Upon filling out this brief form you will receive the checklist via email.