A Password Manager Can Help Pave the Way to HIPAA Compliance
We’re all storing more information online than ever before. The average Internet user has at least 90 online accounts, and within three years, researchers estimate the number may triple.1 You likely have tons of usernames and passwords to keep track of. If you’re using unique, strong passwords as HIPAA and NIST guidelines recommend, it’s impossible to remember them all. We recommend using a password manager to keep your information safe.
If you’re using weak passwords or the same password for more than one site, you’re not alone. A 2017 report from Verizon indicates that insecure passwords cause 80 percent of breaches. The more passwords you have, and the more often you reuse the same password across multiple accounts, the greater the risk of compromising your company’s systems.
Some big companies like Apple, Microsoft, and Google want to replace the existing password system with fingerprint scans, facial recognition, and temporary codes.2 But until that happens, how can you be sure you’re keeping your electronic information safe?
Here’s a tip — use a password manager.
The Advantages and Limits of Using a Password Manager
A password manager can generate, retrieve, and keep track of strong, random passwords across countless Internet accounts. They store all your passwords in a single database or vault that’s accessed by a single, master password. Sequences of numbers like PINs, credit card numbers, CVV codes, and answers to security questions are no problem for a password manager. Some can even remember information about apps on your smartphone.
A password manager is a huge help. While there’s incredible value in implementing one, it’s not the end-all-be-all password security solution. Nothing can take the place of understanding basic cybersecurity and implementing the policies and procedures that your organization defines. For example, a password manager doesn’t lock the screens on your devices or force using two-factor authentication on sensitive accounts.
“Password managers are not a magic pill,” says Lujo Bauer, a security researcher and associate professor at Carnegie Mellon University. “But for most users, they’ll offer a much better combination of security and convenience than they have without them. Everyone should be using one.”3
Password Managers and HIPAA
The HIPAA law mandates that password management be part of your HIPAA compliance plan. 45 CFR §164.308(a)(5) stipulates that Covered Entities must implement “procedures for creating, changing, and safeguarding passwords.” With that said, don’t confuse password management with a password manager. Password management is simply the act of managing passwords. A password manager is a program or system that manages your passwords.
HIPAA requires that passwords are managed, but not necessarily by a password manager. Furthermore, HIPAA compliance does not apply to password managers themselves, because they do not store Protected Health Information (PHI). This means no Business Associate Agreement or Business Associate Subcontractor Agreement is needed with the provider.
However, Total HIPAA believes that a password manager, used in conjunction with two-factor authentication and smart security measures, should absolutely be part of your HIPAA compliance program.
Which Password Manager Is Best for Users Who Work with PHI?
When it comes to working with PHI, the passwords protecting sensitive information need to be secure, which means that your password manager must also be secure. It probably goes without saying, but we’ll say it anyway: choose a reputable company with a proven track record. This is not the time to try out the free, local application the high school DECA team put together.
Select a company that’s been around long enough for other businesses to have used their product. Their reviews should be plentiful enough for you to see the pluses and minuses of the application itself.
Another characteristic to look for? Security. Security should be the backbone of the application and the most important feature.
How do password managers stack up? We analyzed four different companies that offer effective, secure password managers. We recommend all of these products, and we even use one of the services listed below in our own workplace.
Dashlane has been in business since 2012. It offers a solid, easy-to-use product that critics and users alike recommend.
Dashlane offers its password manager at $40.00/year per user. The app’s premium feature enables users to securely sync their data between an unlimited number of devices — your home computer, laptop, mobile phone, and tablet — on all platforms. Dashlane’s strong security uses AES-256 encryption, the same standard the federal government uses to protect classified information.
Users can only access their account information by using a single master password that is never recorded or transmitted. Dashlane supports mobile two-factor authenticator apps and devices, including Google Authenticator and U2F YubiKeys. User passwords are stored in a password vault on their servers. However, you can change the program settings to store passwords locally, assuming you understand the risk of local storage.
Dashlane’s free plan is a great way to try out its service, but you won’t be able to sync changes after the first month. Take a look for yourself if this sounds like a good fit: www.dashlane.com
As of January 2015, Keeper had more than 9 million registered users. Keeper is available for download on Android, iOS, Windows, Mac, Windows Phone, Linux, Kindle, and Nook.
Keeper boasts that the company is fanatical about protecting your information and is a true zero-knowledge security provider. It utilizes world-class security (including AES-256 encryption) to safeguard your information from hackers and cybercriminals. Keeper supports two-factor authentication, biometric login, and Keeper DNA, which uses personal devices like your smartwatch to confirm your identity.
Try Keeper for free on a single device. If you want cross-device syncing, subscribe annually for $29.99 or consider the $59.99 per year plan, where you get five licenses, plus 10GB of secure file storage. Learn more at www.keepersecurity.com.
At $24.00 a year, LastPass Premium is a strong contender as a password manager. What’s more, some critics think the company’s free version is as good as its paid version.
The paid version offers installation on Windows (including Windows Phone), macOS, Android, Linux, and iOS devices and syncs passwords and other data between them. For $48.00 per year, twice the price of LastPass Premium, you get six licenses and a shared folders feature.
Your passwords are stored in your LastPass Vault, and they’re encrypted with 256-bit AES before being transferred to the server. Since the Vault is already encrypted before it leaves your computer and reaches the LastPass server, not even LastPass employees can see your sensitive data. And you’re able to add a requirement for two-factor authentication with LastPass Authenticator or other top multi-factor services (e.g., Google Authenticator). Check it out here: www.lastpass.com.
Sticky Password Premium gets high ratings as a password manager and will only cost you about $29.99 per year.
Like its competitors, the company offers 256-bit AES encryption, and your master password is known only to you — not to any Sticky Password employees. Synchronize across multiple devices through the company’s cloud servers, locally via Wi-Fi, or manually.
Sticky Password boasts the best biometric support for fingerprint scanning as compared to competitors. You are able to activate two-factor authentication as well. And as an aside, a portion of the proceeds from each sale of Sticky Password Premium goes to a manatee protection fund. Read more about them here: www.stickypassword.com
One Password Manager Does Not Fit All
There are several reputable companies out there offering secure password managers. Most offer appropriate encryption and two-factor authentication, but make sure their security standards match yours before you decide on a product. Take a look at all of the features of each and take advantage of any free versions or free trial offers before you make a choice.
Also, talk to your IT professional before you install one of these programs. They may already have a preferred vendor doing the legwork for you. Above all, remember that password management is a required administrative safeguard under HIPAA. Using a password manager can help you ensure you’re doing what you can to protect your clients’ PHI and uphold the HIPAA law.