Password Manager Reviews for HIPAA Users
March 5, 2018
A Password Manager Can Help Pave The Way To HIPAA Compliance
We’re storing more information online than ever before. The average Internet user has at least 90 online accounts, and within 3 years, researchers estimate the number may triple! [1] That’s a ton of usernames and passwords to remember, and if you’re using unique, strong passwords like you’re supposed to, it’s impossible to remember them all. If you’re using weak passwords or the same password for more than one site, you’re not alone. A 2017 report from Verizon indicates that insecure passwords are the cause of 80 percent of breaches. Passwords create such a headache, in fact, that big companies like Apple, Microsoft, and Google want to replace the password system we’ve always known with fingerprint scans, facial recognition, and temporary codes. [2] But until then, how can you be sure you’re keeping your electronic information safe? Here’s a clue – a password manager.
What A Password Manager Is…And Isn’t
A password manager can generate, retrieve, and keep track of super-strong, random passwords across countless Internet accounts – all in a single database, or vault, that’s accessed by a single, master password. Sequences of numbers like PINs, credit-card numbers, CVV codes, answers to security questions – no problem for a password manager – and some can even remember information about apps on your smartphone!
A password manager is a huge help, and while there’s incredible value in implementing one, it’s not the be-all-end-all password security solution. Nothing can take the place of understanding basic cybersecurity and implementing the policies and procedures that your organization has defined. For example, a password manager doesn’t lock the screens on your devices and it doesn’t force using two-factor authentication on sensitive accounts.
“Password managers are not a magic pill,” Lujo Bauer, a security researcher and associate professor at Carnegie Mellon University, says, “but for most users, they’ll offer a much better combination of security and convenience than they have without them. Everyone should be using one.” [3]
Password Managers and HIPAA
According to the HIPAA rule, password management must be part of your HIPAA compliance plan. 45 CFR §164.308(a)(5) stipulates that Covered Entities must implement “procedures for creating, changing, and safeguarding passwords.” With that said, don’t confuse password management with a password manager. Password management is simply the act of managing passwords. A password manager is a program or system that manages your passwords. HIPAA requires that passwords are managed, but not necessarily by a password manager. Furthermore, password managers are not HIPAA compliant themselves because they do not store Protected Health Information (PHI). This means no Business Associate Agreement or Business Associate Subcontractor Agreement is needed. However, Total HIPAA believes that a password manager, used in conjunction with two-factor authentication and smart security measures, should absolutely be part of your HIPAA compliance program.
Which Password Manager is Best for Users That Work With PHI?
When it comes to working with PHI, you bet that the passwords protecting sensitive information need to be secure, which means that your password manager must be secure. It probably goes without saying (but we’ll say it anyway) – choose a reputable company that has a proven track record. It’s not the time to try out the free, local application the high school DECA team put together. Select a company that’s been around long enough for other businesses to have used their product. Their reviews should be plentiful enough for you to see the pluses and minuses of the application itself. Another characteristic to look for? Security. Security should be the backbone of the application and the most important feature. How do password managers stack up? Below, we’ve analyzed four different companies we think offer a super product – ones that we’d suggest as a smart partner in your goal towards HIPAA compliance.
Dashlane has been in business since 2012. They offer a solid product that’s easy to use and highly regarded by users and critics. Dashlane’s password manager is offered at $40.00/year per user. The app’s premium feature enables users to securely sync their data between an unlimited number of devices – your home computer, laptop, mobile phone, and tablet – on all platforms. Their strong security uses AES-256 encryption, which is used by the federal government to protect classified information. Users can only access their account information by using a single master password that is never recorded or transmitted. Dashlane supports mobile two-factor authenticator apps and devices, including Google Authenticator and U2F YubiKeys. User passwords are stored in a password vault on their servers. However, you can change the program settings to store passwords locally, assuming you understand the risk of local storage. Their free plan is a great way to try it out, but you won’t be able to sync changes after the first month. Take a look for yourself – www.dashlane.com
As of January 2015, Keeper had more than 9 million registered users. Keeper is available for download on Android, iOS, Windows, Mac, Windows Phone, Linux, Kindle, and Nook. Keeper boasts that the company is fanatical about protecting your information and is a true zero-knowledge security provider. They utilize world-class security (including AES-256 encryption) to safeguard your information from hackers and cybercriminals. Keeper supports two-factor authentication, biometric login, and Keeper DNA, which uses personal devices like your smartwatch to confirm your identity. Try Keeper for free on a single device. If you want cross-device syncing, subscribe annually for $29.99 or consider their $59.99 per year plan, where you get five licenses, plus 10GB of secure file storage. Learn more at www.keepersecurity.com.
At $24.00 a month, LastPass Premium is a strong contender as a password manager. What’s more? Some critics think their free version is as good as their paid version. The paid version offers installation on Windows (including Windows Phone), macOS, Android, Linux, and iOS devices and syncs passwords and other data between them. For $48.00 per year, twice the price of LastPass Premium, you get six licenses and a shared folders feature. Your passwords are stored in your LastPass Vault and they’re encrypted before being transferred to the server using 256-bit AES encryption. Since the Vault is already encrypted before it leaves your computer and reaches the LastPass server, not even LastPass employees can see your sensitive data. And you’re able to add a requirement for two-factor authentication with LastPass Authenticator or other top multi-factor services (e.g., Google Authenticator). Check it out: www.lastpass.com
Sticky Password Premium gets high ratings as a password manager and will cost you about $29.99 per year. Like its competitors, the company offers 256-bit AES encryption and your master password is only known to you – not to any Sticky Password employees. Synchronize across multiple devices and choose to do so through their cloud servers, locally using WiFi, or manually. Sticky Password boasts the best biometric support for fingerprint scanning as compared to competitors. You are able to activate two-factor authentication, as well. And as an aside, a portion of the proceeds from each sale of Sticky Password Premium goes to a manatee protection fund. Read more about them here: www.stickypassword.com
One Password Manager Does Not Fit All
There are several reputable companies out there offering password managers. Almost all offer appropriate encryption and two-factor authentication, but be sure before you decide on a product. Take a look at all of the features of each and take advantage of any free versions or free trial offers before you make a choice. Also, talk to your IT professional before you install one of these programs. They may already have a preferred vendor, which saves you the legwork. Above all, remember that HIPAA views password management as a required administrative safeguard. Using a password manager can help you ensure you’re doing what you can to protect your clients’ PHI and uphold the HIPAA law.