HIPAA and your password policy – are you compliant?
HIPAA and your password.
Thanks to NIST, who in 2017 changed their recommended password policy in publication 800-63B, the change/do not change debate has been ongoing. If you aren’t familiar with the publication, here’s a short news video about it – https://www.cbsnews.com/news/bill-burr-passwords-guidance/
The problem with 90-day password change requirements is that we tend to create simple passwords and make minor changes when required. Consequently, if the previous password had been compromised, there was a strong likelihood the new password would be as well. The current NIST guidance is that passwords should only be changed when there is evidence of compromise. Our take, as you know as a reader, is password managers should be used by your organization, and complex passwords changed periodically, should be implemented and stored in them.
See our past reminders where we discuss password manager options by visiting our website or asking our team to forward you a copy.