Why do I need to change my passwords?

We are asked this question frequently, especially by our healthcare customers, whose doctors and staff are frustrated by password policies that typically require a change every 90 days. So, why do you have to change your passwords?

Some simple and practical answers:

You don't have to if you don't want to - it's your business, choose the risk level you will accept!

If you are willing to accept the risks, then you can do whatever you want. We tell people this often when we uncover weak password policies:

"You can choose to ignore it, do nothing and simply accept the risks and consequences should something happen; you can choose to accept the risks and purchase enough insurance to cover yourself should something happen; or you can choose to remediate the risks and implement a reasonable password management plan based on industry and regulatory best practices and guidelines."

So, you do not actually have to implement a plan, but you do need to understand the risks and choose, from a business perspective, how you will handle them. We, as a conscientious and reputable organization, could never in good faith recommend that you go without a plan. Our job, however, is not to force customers into submission, but to make them aware of the risks and then help them make the decision that is best for them and their business.

I will say it is virtually incomprehensible that anyone would knowingly accept a password policy under which passwords never change. While it may be frustrating, and sometimes even seem silly (people write passwords down or store them electronically), there is a method to the madness. It requires understanding that password policies are one component of a larger security plan and posture that protects the organization's systems and data. No one piece on its own is the solution; they all function together to mitigate the threats and keep the organization safer than it would be if any one, or all, of the components were not implemented.

Something to note: attackers frequently do not use stolen passwords for months. This is because the people who steal them are often (in fact, most of the time) not the ones who use them for attacks. The information is typically sold on the black market as part of a large underground cyber-criminal network. Therefore, the chance that stolen passwords still work is greatly reduced for an organization that has a password change policy compared with one that has no password policy at all. This points, again, to the overall security plan and posture, where password management is one piece of the puzzle, not a silver bullet that ensures the bad guys won't get in!

Additionally, because historically the majority of breaches were occurring due to internal employees or former employees, a password policy helps to mitigate the risk from employees who leave the organization knowing that there is no policy to change passwords, and who are therefore able to compromise the organization themselves or sell the credentials on the black market.

Regulatory Requirements:

For a healthcare provider or business associate, there are regulatory requirements to consider as well. There are several good articles, linked below, on the regulatory requirements for password management.

One of the biggest issues we see, and hear about from our sources, is that if (and eventually when) you are audited by OCR and you do not have a password management plan in place, you will be cited. On the first pass it is plausible that OCR may only require that you remediate, but if this becomes a consistent issue - especially since it is so easy to remediate and is a well-known best practice - you will be fined. This is an "Addressable" item under the HITECH act specific to IT Security.

Secondarily, if you ever had a reportable breach of any kind AND you were found to have knowingly ignored an addressable item such as password management, the fines would be significantly increased.

It is our opinion, based on all of our research and experience with IT security professionals, legal counsel and customers, that accepting the risks posed by not implementing a password management plan is not a feasible option for anyone under the regulatory requirements of the HITECH act. We believe there is enough precedent and evidence that doing so on an item such as password management would be reckless, and would be deemed one of those areas where HHS OCR sees "patterns of noncompliance that appear to be pervasive" and "where compliance failures present ongoing threats to PHI, and where there are patterns of noncompliance that appear to be pervasive in the industry," as outlined in these quotes from our recent blog post on HIPAA fines being at record levels:

The OCR said in one of the articles that it is focused on "ongoing threats to PHI, and where there are patterns of noncompliance that appear to be pervasive." It also said to expect more enforcement actions through the end of the year.

In a statement provided to Information Security Media Group, an OCR spokesman says: “Since the enactment of the HITECH Act and the requirement for entities to report breaches to HHS, OCR has focused a greater number of enforcement resources on systemic compliance failures – for example, where compliance failures present ongoing threats to PHI, and where there are patterns of noncompliance that appear to be pervasive in the industry. OCR expects there to be more resolutions through the end of the fiscal and calendar year, given this continued focus.”

For more information, we strongly suggest you read these articles:

http://managemypractice.com/are-your-passwords-secure-are-your-passwords-hipaa-compliant/

http://www.hitechanswers.net/wsj-article-addresses-password-usage/

http://blog.h1tech.com/blog/bid/337192/HIPAA-Security-blog-series-Password-Security

http://www.skysailsoft.com/blog/2013/11/14/how-often-should-i-be-changing-my-passwords-for-hipaa-compliance

https://www.healthcarecompliancepros.com/blog/is-it-time-to-change-your-password-2/


July 28th, 2016 |Categories: HITECH, OCR, Healthcare, Security, Passwords, HIPAA, Hacking, Compliance, HHS