In this post we explore some of the leading solutions to find the best password manager for the healthcare industry: one that is easy to use, reasonably priced and, most importantly given how heavily the industry is targeted by hackers, has excellent security.
HIPAA and Password Management
The HIPAA Security Rule was published in 2003, at a time when the requirements for password complexity were far lower, fewer passwords had to be created and remembered, and cracking passwords was a long and slow process. In the 18 years since, a lot has changed.
Changes to best practices over time are the reason the HIPAA Security Rule is not technology specific: it was written to be flexible enough to accommodate such changes. What was perfectly acceptable for passwords in 2003 is nowhere near enough in 2021.
The HIPAA Security Rule has provisions covering passwords. The technical safeguards (45 CFR § 164.312(a)(1)) require covered entities to implement technical policies and procedures for systems that maintain ePHI so that access is allowed only to those persons or software programs that have been granted access rights. The administrative safeguards (45 CFR § 164.308(a)(5)(ii)(D)) call for password management: “Procedures for creating, changing, and safeguarding passwords.” This is an addressable implementation specification, so passwords must be used unless an alternative that provides an equivalent level of protection is in place and the decision is documented, biometric authentication for example. For most covered entities, that means passwords will need to be created and safeguarded, and procedures implemented for changing them.
HIPAA-covered entities should follow the latest recommendations from the National Institute of Standards and Technology (NIST), currently NIST Special Publication 800-63B, when creating their password policies. Those recommendations favor length over forced character mixes, screen new passwords against lists of known-breached values, and drop routine forced password changes, which together make passwords far more resilient to brute-force and credential-stuffing attacks.
A password manager is certainly not a requirement for HIPAA compliance, as there are other ways of creating and managing passwords, but it can help covered entities improve password security and enforce compliance with their password policies.
What Are the Benefits of Password Managers?
Passwords now need to be long and unique, and many policies also demand a mix of upper- and lower-case letters, numbers, and special characters, which makes them hard to remember. It can be hard to remember one long, complex password, let alone a different one for each account.
An average Internet user has around 90 online accounts, so it is not realistic to create that many strong, unique passwords and remember them without shortcuts such as reusing passwords across accounts or saving them in browsers, both of which are bad for security.
Password managers solve this problem. They generate complex, unique passwords that meet the organization’s password policy, store them in an encrypted vault, and can autofill them when required to improve workflows. Autofill offers more than time saving: the manager only offers a credential on the domain it was saved for, so it will not fill or suggest a password on a lookalike domain used for phishing. That protection only holds while staff let the manager do the filling; a user who copies a password out of the vault and pastes it into a phishing page bypasses it.
With a password manager there is no need to remember complex passwords for multiple sites. Only one strong password, ideally a long passphrase, has to be created and remembered, and it unlocks the vault. Since that one secret protects everything else, it should be paired with two-factor authentication on the vault login itself.
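The domain-matching rule behind that anti-phishing property is easy to get wrong, so here is an added example (written for this page, not code from any of the products discussed) of the decision a password manager makes before offering a saved credential. It matches on the registrable domain, which is the common default, or on the exact host in strict mode, refuses to downgrade an https credential to a plain-http page, and uses a deliberately tiny stand-in for the Public Suffix List; the URLs and the suffix set are constructed for the illustration.

```python
from urllib.parse import urlsplit

# Constructed, deliberately small stand-in for the Public Suffix List; a real
# password manager ships the full list. The longest matching suffix wins.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk"}


def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL, or '' if it has none."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    return (parts.hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """'login.example.co.uk' -> 'example.co.uk'; '' for a bare suffix."""
    labels = host.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            # at least one label must sit in front of the public suffix
            return ".".join(labels[i - 1:]) if i > 0 else ""
    # unknown TLD: fall back to the last two labels
    return ".".join(labels[-2:]) if len(labels) >= 2 else ""


def should_autofill(stored_url: str, page_url: str, mode: str = "base_domain") -> bool:
    """Decide whether a credential saved for stored_url may be offered on page_url.

    mode 'host' requires an exact hostname match; 'base_domain' (the usual
    default) accepts any subdomain of the same registrable domain. A
    credential saved on https is never offered to a plain-http page.
    """
    if urlsplit(stored_url).scheme == "https" and urlsplit(page_url).scheme != "https":
        return False
    stored_host, page_host = host_of(stored_url), host_of(page_url)
    if not stored_host or not page_host:
        return False
    if mode == "host":
        return stored_host == page_host
    stored_dom, page_dom = registrable_domain(stored_host), registrable_domain(page_host)
    return bool(stored_dom) and stored_dom == page_dom


if __name__ == "__main__":
    saved = "https://www.paypal.com/login"          # constructed vault entry
    for page in ("https://paypal.com/",
                 "https://paypa1.com/login",         # digit 1 for letter l
                 "https://paypal.com.evil.net/login",  # real name as a subdomain
                 "https://xn--pypal-4ve.com/",       # punycode homograph
                 "http://www.paypal.com/login"):      # scheme downgrade
        print(f"{page:40} offer credential: {should_autofill(saved, page)}")
```

Note that the phishing cases all fail on the registrable domain, not on a string-similarity heuristic; that is why the check is robust against new lookalikes without any blocklist.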
Are Password Managers HIPAA Compliant?
It could be argued that password managers do not need to be HIPAA compliant because they are not used to store Protected Health Information (PHI). If that were so, HIPAA compliance would not be an issue and HIPAA-covered entities would not need to enter into a business associate agreement (BAA) with a password manager provider.
It should be noted that password managers can be used to store more than just passwords, with some solutions allowing document storage. Password managers could therefore potentially be used to store documents containing ePHI.
Most password managers work under a zero-knowledge model, in which the provider cannot read the passwords or documents in users’ vaults, so any ePHI uploaded could not be accessed by the provider. That does not, however, mean the solution does not need to be HIPAA compliant.
The HHS made it clear in its guidance on HIPAA and Cloud Computing that a cloud service provider which only receives encrypted ePHI and does not hold the decryption key is still classed as a business associate. “Lacking an encryption key for the encrypted data it receives and maintains does not exempt a CSP from business associate status and associated obligations under the HIPAA Rules,” wrote the HHS in its guidance.
The best password manager for the healthcare industry will therefore be one that meets the HIPAA Security Rule standards and is prepared to sign a business associate agreement.
Healthcare Password Manager Options
There are many password managers on the market, many of which offer a free version of their product with limited features. The free versions are mostly aimed at consumers, although some solutions do have a limited free business or organization tier. Unless you are a small business, you will likely need the features of a paid version of a password manager.
There are two main choices: Solutions that store password vaults in the cloud on the service provider’s servers, and those that store passwords on-premises or within customers’ private clouds. There are advantages and disadvantages to both options. Some solutions give you both options.
It is not possible to cover all password managers, so we have listed below 3 of the best password managers for the healthcare industry that have great functionality, are easy to use, and offer excellent security.
Bitwarden
Bitwarden is one of the most secure password managers on the market and one of the strongest contenders for best password manager for the healthcare industry. The solution is open source, so its code is available for anyone to audit and review, which is rare in a password manager but great for security. Bitwarden has also undergone a third-party security audit and cryptographic analysis.
Bitwarden is a zero-knowledge solution, which means Bitwarden cannot access passwords in users’ vaults. Vault contents are encrypted end to end with AES-256 using a key derived on the user’s device from the master password, and the master password itself is never sent to or stored by Bitwarden; the server keeps only a salted, stretched hash of it for authentication. If Bitwarden’s servers were breached, attackers would obtain ciphertext and those hashes, and recovering a vault would require guessing the master password offline, which is why a long master password and a high key-derivation work factor matter. Bitwarden also offers two-factor authentication for the vault login.
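To make the zero-knowledge split concrete, here is an added example (illustrative code written for this page, not Bitwarden’s implementation) of how a vault client derives two different secrets from one master password: an encryption key that never leaves the device and an authentication hash that is sent to the server in place of the password, which the server salts and stretches again before storing. The structure is loosely modeled on Bitwarden’s published design, but the iteration counts, the e-mail address, the passwords and the wordlist are assumptions constructed for the demonstration. The last function shows what a breach of the server record actually gives an attacker: an offline guessing attack whose cost is set by the key-derivation work factor and the strength of the master password.

```python
import hashlib
import hmac
import os

# Iteration counts are assumptions for this illustration; production
# clients and servers use far higher values, which slows every guess.
CLIENT_ITERATIONS = 100_000
SERVER_ITERATIONS = 100_000


def client_keys(email: str, master_password: str, iterations: int = CLIENT_ITERATIONS):
    """Run on the user's device. Returns (vault_key, auth_hash).

    vault_key encrypts the vault and is never transmitted. auth_hash is a
    second PBKDF2 pass over vault_key, salted with the password, so the
    server can check a login without learning either secret.
    """
    vault_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations
    )
    auth_hash = hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)
    return vault_key, auth_hash


def server_store(email: str, auth_hash: bytes) -> dict:
    """What the provider keeps: a freshly salted, stretched hash of auth_hash.
    No master password, no vault key, no way to decrypt the vault."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS)
    return {"email": email, "salt": salt, "hash": stored}


def server_verify(record: dict, auth_hash: bytes) -> bool:
    """Constant-time comparison of a presented auth_hash against the record."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, record["salt"], SERVER_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def offline_guess(record: dict, wordlist) -> "str | None":
    """Attacker holding a breached server record: each candidate costs the
    full client derivation plus the server stretch. Returns the recovered
    master password, or None if it is not in the wordlist."""
    for guess in wordlist:
        _, auth = client_keys(record["email"], guess)
        if server_verify(record, auth):
            return guess
    return None


if __name__ == "__main__":
    EMAIL = "nurse@example.com"  # constructed
    WORDLIST = ["password", "Summer2021!", "qwerty123"]  # constructed breach list
    for master in ("Summer2021!", "ottoman-ledger-umbrella-wicket-93"):
        vault_key, auth = client_keys(EMAIL, master)
        record = server_store(EMAIL, auth)
        print(f"{master!r}: login ok={server_verify(record, auth)}, "
              f"offline recovery={offline_guess(record, WORDLIST)!r}")
```

The weak master password falls to the offline attack even though the server never stored it; the long passphrase survives because it is not in the attacker’s list and each guess is expensive. That is the practical meaning of “zero knowledge”: the provider cannot read the vault, but the master password still has to withstand guessing.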
Bitwarden received a HIPAA Security Rule Assessment Report from AuditOne in December 2020 and was rated compliant with Security Rule standards, and the company is open to entering into a BAA with HIPAA-covered entities. The solution has also been assessed and rated compliant with GDPR, CCPA, SOC 2, SOC 3, and Privacy Shield, although the EU-US Privacy Shield framework was invalidated by the Court of Justice of the European Union in July 2020 and no longer provides a legal basis for EU data transfers.
The solution works across all devices, operating systems, and the most popular browsers, as well as less common browsers such as Opera, Brave, and Vivaldi. Bitwarden also supports Windows Hello and Touch ID biometric unlock, and it can be self-hosted on-premises or in an organization’s own cloud.
The solution identifies exposed, reused, and weak passwords and checks passwords against breached-password databases. Bitwarden lets organizations set minimum complexity requirements for generated passwords, is highly customizable and easy to use, has good password-sharing options, and its business packages are competitively priced. There is a free option for organizations with just two users, with business packages priced at $3 and $5 per user, per month.
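The breached-password check mentioned here, and the NIST blocklist recommendation earlier in the post, both rest on the same mechanism: the client hashes the password locally and sends only the first five hex characters of the SHA-1 to a range service, which answers with every known suffix under that prefix, so the full hash never leaves the device. This is the k-anonymity range protocol of Have I Been Pwned’s Pwned Passwords service, which several password managers query. The following is an added example written for this page (not Bitwarden’s code): a constructed in-memory stand-in for the range service, the client-side lookup, and a NIST SP 800-63B style policy check built on top of it. The leaked-password list, the counts and the context words are all constructed for the illustration.

```python
import hashlib

# Constructed stand-in for a breached-password range service. Real services
# index hundreds of millions of leaked hashes; these four and their counts
# are made up for the example.
_LEAKED = {"password": 3861493, "P@ssw0rd": 55291, "Summer2021!": 7, "qwerty123": 250000}


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest().upper()


def _build_range_index(leaked: dict) -> dict:
    """Server side: bucket hashes by their first five hex characters."""
    index = {}
    for pw, count in leaked.items():
        digest = _sha1_hex(pw)
        index.setdefault(digest[:5], []).append((digest[5:], count))
    return index


RANGE_INDEX = _build_range_index(_LEAKED)


def sha1_prefix(password: str) -> str:
    """The only thing the client transmits: five hex characters of SHA-1."""
    return _sha1_hex(password)[:5]


def range_query(prefix: str) -> list:
    """Server side: every (35-char suffix, breach count) under the prefix.
    The server cannot tell which, if any, of these the client wanted."""
    return RANGE_INDEX.get(prefix.upper(), [])


def breach_count(password: str) -> int:
    """Client side: query by prefix, match the suffix locally."""
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in range_query(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def nist_check(password: str, context_words=("hipaa", "hospital")) -> list:
    """NIST SP 800-63B style verifier rules: a length floor, a generous
    ceiling, no composition rules, and blocklists for breached and
    context-specific values. Returns the list of problems found (empty = ok).
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if len(password) > 128:  # NIST requires accepting at least 64; 128 is this example's limit
        problems.append("longer than 128 characters")
    lowered = password.lower()
    if any(word in lowered for word in context_words):
        problems.append("contains a context-specific word")
    hits = breach_count(password)
    if hits:
        problems.append(f"appears in {hits} known breaches")
    return problems


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "Hospital2021", "correct horse battery staple"):
        print(f"{pw!r}: {nist_check(pw) or 'accepted'}")
```

“P@ssw0rd” satisfies every classic composition rule and is rejected anyway, while the four-word passphrase with no digits or symbols passes; that is exactly the shift in emphasis NIST made.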
Dashlane
Dashlane is a popular password manager for businesses of all sizes and one of the most secure. It operates under a zero-knowledge model, so it does not have access to users’ password vaults. The solution offers end-to-end 256-bit AES encryption and includes two-factor authentication. It is also possible to configure it to store encrypted passwords locally.
Unlike most other password managers, Dashlane bundles a VPN based on the Hotspot Shield service, which provides some protection on public Wi-Fi networks. It is a basic VPN: there is no choice of tunneling protocol and no kill switch, so if the tunnel drops, users’ traffic and IP addresses are exposed. That said, it is a useful extra.
Dashlane syncs across all devices, including Windows, Mac, iOS, and Android, works with all major browsers, offers SSO, and has secure sharing options. It also allows remote account deletion and includes excellent dark web monitoring to identify compromised passwords, plus a password changer that lets users update old and unsafe passwords in bulk.
Dashlane has great features and security, but it is not one of the cheapest options. All business users must pay, with the packages priced at $5 and $8 per user, per month.
Keeper
Keeper offers a business password manager that includes advanced integration and customization options. Keeper operates under a zero-knowledge model within a zero-trust framework. Data is encrypted on the customer’s device with layered, record-level 256-bit AES keys, with the master password stretched by PBKDF2, and the solution supports two-factor authentication and biometric logins. Keeper DNA uses personal devices such as smartwatches to approve logins, and there is a useful custom logout timer.
The solution works on Android, iOS, Windows, Mac, Windows Phone, Linux, Kindle, and Nook and supports all major browsers. Admins can view reports on employee password security as well as a range of audit logs to help enforce policies and meet compliance requirements.
Keeper has undergone independent audits and states compliance with SOC, HIPAA, DPA, FINRA, and GDPR requirements. The solution offers SSO, supports AD integration, and provides advanced 2FA, although these are only available with the enterprise package. Dark web monitoring (BreachWatch) is also available, albeit as a paid add-on.
Business packages are available for $3.75 per user, per month, with custom quotes given to enterprises.
What is the Best Password Manager for the Healthcare Industry?
There are many great password managers on the market, all of which have positives and negatives. There is no single solution that will be ideal for all healthcare organizations, but if we had to pick one solution as the best password manager for the healthcare industry, our choice would be Bitwarden.
That decision is based on its open source code transparency, excellent security, third-party audits for security and HIPAA compliance, ease of implementation and use, and competitive pricing.
That said, take time to look at the available options and review the features, as you may find a more appropriate solution that better meets your business needs.
The post Best Password Manager for the Healthcare Industry appeared first on HIPAA Journal.