The Easy Way to HIPAA Compliant Password Security

When a data breach occurs, the loss of personally identifiable information is costly: at best it is an inconvenience, at worst it leads to identity theft with far greater ramifications. In the healthcare sector, such as hospitals and doctors' surgeries, the consequences can be graver still given the sensitive nature of the data.

In general, the healthcare sector does not have a great IT security reputation. According to Black Book Market Research, physician organisations and groups have earmarked less than 1% of their IT budgets for cybersecurity, and only 6% have a dedicated CISO.


HIPAA (Health Insurance Portability and Accountability Act) was introduced in 1996 to provide, among other things, security and data privacy guidelines to help health care professionals keep patient medical information safe. With the increase in data breaches, especially in the health care sector, conforming to HIPAA is essential for health care services; failing to adhere to the guidelines can lead to financial and criminal penalties.

HIPAA Password Requirements

The HIPAA Security Rule requires health care services to use appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of patient data. One of the first computer-related requirements it lists is “Procedures for creating, changing and safeguarding passwords.” The statement, however, is vague and open to misinterpretation, so how can you make an organisation compliant?

Complying with NIST

Organisations should refer to federal regulatory bodies such as NIST for specific password security policies. NIST (National Institute of Standards and Technology) provides up-to-date password guidance and frequently updates its guidelines to take account of industry best practice and stay current.

The key tenets of a secure password policy as defined by NIST can be listed as:

  • Passwords should use a minimum of 8 characters
  • Password forms should avoid password hints
  • Users should create memorable passwords
  • Passwords should be vetted against a list of common/weak passwords

Organisations using Active Directory can leverage its built-in password policy mechanism to enforce the basics, but this has limitations. For example, there is no bad password list, there is no way to exclude company-specific terms or words, and the policy itself cannot be manipulated beyond increasing or decreasing its numeric values.

This is where a password self-service or manager product like LogonBox can help.

Upload Your Own Banned List

For starters, LogonBox enables administrators to upload and define their own list of weak or bad passwords. Organisations can prevent common words or company-sensitive words from being used during a password change or reset.

These can be defined in GB, US or any locale enabling words to be added that might have some differences across languages.

LogonBox itself comes configured with over 200,000 banned passwords that can be applied to any password change or reset, extending the default capabilities of Active Directory and securing an organisation right from the get-go.

Uploading NIST Defined List

Have your own bad password list? LogonBox allows you to import your own list of bad passwords and to choose whether they are checked case-sensitively or not. A number of services, from NIST to others, publish long lists of bad passwords, and these can be imported into LogonBox either replacing or adding to what is already there.
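The checks described in the NIST list above and in the banned-list import just described, shown as an added example (this is illustration code, not LogonBox's own implementation): a minimum length, a lookup against a banned list loaded with or without case sensitivity, a substring check for organisation-specific terms, and a replace-or-add merge of an imported list. The sample banned entries and the company name "Contoso" are constructed placeholders.

```python
import unicodedata

MIN_LENGTH = 8  # NIST SP 800-63B minimum length for a user-chosen password

# Constructed sample entries; a real deployment would load a full published list.
DEFAULT_BANNED_LINES = ["password", "123456789", "qwertyuiop", "letmein1"]
# Constructed organisation-specific terms (placeholder company name).
COMPANY_TERMS = ["Contoso", "ContosoHealth"]


def normalise(pw, case_sensitive):
    """NFKC-normalise so Unicode lookalike forms compare consistently; fold case if asked."""
    pw = unicodedata.normalize("NFKC", pw)
    return pw if case_sensitive else pw.lower()


def load_banned_list(lines, case_sensitive=False):
    """Build a lookup set from an uploaded list, one password per line; blank/# lines skipped."""
    entries = set()
    for line in lines:
        entry = line.strip()
        if entry and not entry.startswith("#"):
            entries.add(normalise(entry, case_sensitive))
    return entries


def merge_banned_lists(existing, imported, replace=False):
    """Imported list either replaces the current one or is added to it."""
    return set(imported) if replace else set(existing) | set(imported)


def check_password(candidate, banned, company_terms=(), case_sensitive=False,
                   min_length=MIN_LENGTH):
    """Return the list of reasons the password is rejected; an empty list means accepted."""
    reasons = []
    if len(unicodedata.normalize("NFKC", candidate)) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if normalise(candidate, case_sensitive) in banned:
        reasons.append("appears in the banned password list")
    # Organisation terms are always matched case-insensitively as substrings.
    lowered = normalise(candidate, False)
    for term in company_terms:
        if term.lower() in lowered:
            reasons.append(f"contains organisation term '{term}'")
    return reasons
```

Note that no composition rules (upper/lower/digit/symbol) are enforced, in line with the NIST guidance to favour length and a banned-list check over complexity requirements.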

More Secure than Active Directory Password Policy

Active Directory password policy has the limitations mentioned above, but LogonBox allows the Active Directory policy to be superseded, letting an organisation enforce a more stringent set of rules – not to mention having passwords checked against a known bad list. Extended password policies can be assigned to users by OU or even by internal role, so not every user needs to be subject to them.

Integrate a Password Server

The final option LogonBox offers organisations is the ability to call an external bad password list server over HTTP, allowing an external party to manage the list and keep it up to date on your behalf. During a password change, LogonBox can check the new password against this external service.

Have no bad password server to connect to? LogonBox will be making one available soon so you can focus on other things while we take care of your password security.


User data security matters more than ever. Healthcare organisations that still rely on passwords need a flexible, powerful password policy in place that not only secures accounts but enforces good security practice. Adhering to HIPAA legislation is a must for any healthcare organisation, and with its security guidelines LogonBox can help ensure your organisation is following them and exceeding them.

Grow your business faster with the leader in secure self-service password reset. More than 1,000 customers and over 1 million users around the world leverage our solutions to reduce support load, increase security and save time dramatically.