Does HIPAA / HITECH Require Strong Passwords? No, But It’s Expected.

This is a very succinct summary of what HIPAA/HITECH require in terms of passwords and encryption from AlertBoot Endpoint Security.

Does HIPAA / HITECH Require Strong Passwords? No, But It’s Expected

If you’re working for (or with) a HIPAA covered-entity, you probably know by now that the HITECH Act, which amended parts of HIPAA, includes a patient data breach notification rule.  You may also know that the use of data encryption software like AlertBoot provides safe harbor from said rule, although encryption software is not explicitly required by HIPAA or HITECH, or even the HHS, which is charged with enforcing the rules.

In fact, anyone who tells you that HIPAA or HITECH requires encryption is speaking from a practical standpoint, not from a legal one.

What About Strong Passwords?

This “incentive” to use encryption (and not just any encryption, but strong encryption) brings up additional questions: are you required to use strong passwords?  Just like with encryption, the answer is no, there is no such requirement.  Or at least, I can’t find one anywhere; however, it stands to reason that if you’re not required to use encryption, then there probably isn’t a requirement on passwords either.

The use of strong passwords, though, is expected (and recommended.  If you’re going to do something, you should do it right).  In fact, HIPAA documents keep referring to strong encryption as a “best practice.”  In one HHS document I found, it’s noted that “the use of a strong password to protect access to the device or file would be an appropriate and expected risk management strategy.”

What is a Strong Password?

You can find many claims on-line that the following are components of a strong password:

  • Be over 8 characters long.
  • Use a combination of upper and lower case letters.
  • Include at least one numeric and/or special character (& or ? or @, etc).

It’s also recommended that a dictionary word is not included in the password itself, which I disagree on, personally: the key is not to not have a dictionary word, but to not only have a dictionary word.  For example, “19snwNNapple*93” is no less secure than “!2n1kSSaow#” just because the word “apple” happens to be in it.  This contrasts with “apple” or even “apple93” which cannot be considered a secure password.

I’d use the above three requirements to construct a password, with one exception: I’d substitute the 8-character requirement with a 12-character password requirement.

Of course, it goes without saying that this is to be used with cryptographic solutions like laptop encryption.  If you’re using a password-protection software only, it won’t matter how long or strong the password happens to be.

Related Articles and Sites:

Please let us know if you feel a security assessment is needed. You cannot protect your information assets enough.

Bar to Grab Medicare Incentives for Meaningful Use of EHR Extended

Bar to Grab Medicare Incentives for Meaningful Use of EHR Extended

Thanks to a federal deadline extension, more physicians may be able to collect Medicare electronic health record (EHR) financial incentives of up to $44,000. The deadline for meeting stage 2 standards of meaningful use of EHRs has been delayed until 2014 to encourage more physicians to participate.

Physicians, hospitals, and others have already received more than $1.2 billion in EHR incentive payments. To get an incentive payment, physicians participating in the incentive program in 2011 and 2012 need to attest that they met stage 1 standards.

If you have questions about what you need to do to meet meaningful use and earn the incentives, you may find some answers in an interactive resource guide recently developed by the Centers for Medicare and Medicaid Services.

The guide contains information on:

  • Program basics—EHR incentive program overview, requirements, and program options
  • How to participate—Eligibility and registration
  • Meaningful use—How to successfully attest to meaningful use for Medicare, including the core and menu objectives and clinical quality measures you must meet
  • Attestation—Steps to follow to attest and what happens afterwards

FBI reminds you to be wary of online fraud this holiday season


In advance of the holiday season, the FBI’s Internet Crime Complaint Center reminds shoppers to beware of cyber criminals and their aggressive and creative ways to steal money and personal information.

Scammers use many techniques to fool potential victims including fraudulent auction sales, reshipping merchandise purchased with a stolen credit card, sale of fraudulent or stolen gift cards through auction sites at discounted prices, and phishing e-mails advertising brand name merchandise for bargain prices or e-mails promoting the sale of merchandise that ends up being a counterfeit product.

Here are some tips you can use to avoid becoming a victim of cyber fraud:

  • Do not respond to unsolicited (spam) e-mail.
  • Do not click on links contained within an unsolicited e-mail.
  • Be cautious of e-mail claiming to contain pictures in attached files, as the files may contain viruses. Only open attachments from known senders. Always run a virus scan on attachment before opening.
  • Avoid filling out forms contained in e-mail messages that ask for personal information.
  • Always compare the link in the e-mail to the web address link you are directed to and determine if they match.
  • Log on directly to the official Web site for the business identified in the e-mail, instead of “linking” to it from an unsolicited e-mail. If the e-mail appears to be from your bank, credit card issuer, or other company you deal with frequently, your statements or official correspondence from the business will provide the proper contact information.
  • Contact the actual business that supposedly sent the e-mail to verify that the e-mail is genuine.
  • If you are requested to act quickly or there is an emergency, it may be a scam. Fraudsters create a sense of urgency to get you to act impulsively.


Latest Infosec Controversy Highlights the Real Issue: We are Getting Hacked.

This blog post was inspired by You Dirty, Shady RAT, a feature article at which contains a very thorough accounting of the threat and the pursuing industry controversy.

In August, a McAfee analyst detailed Operation Shady RAT, a hacking operation that targeted more than 70 organizations across at least 14 nations.

Infographic: Industries affected by Shady RAT

Researcher Dmitri Alperovitch characterizes the operation as commonplace, not unusual at all.  “This is a problem of massive scale that affects nearly every industry and sector of the economies of numerous countries, and the only organizations that are exempt from this threat are those that don’t have anything valuable or interesting worth stealing,” he wrote.

Eugene Kaspersky, founder and CEO of the extremely capable Kaspersky Labs, criticized the disclosure by McAfee.  He characterizes the malware behind Shady RAT as a “lame piece of homebrew code that could have been written by a beginner.”
Read More »

How to speed up a PC that has lost it’s pep.

Being the personal IT professional for about 30 family members, many friends and of course my clients, I get a lot of calls asking for advice.  “You know computers, right?”  Yes, computers I know.  The primary complaint I hear is that the machine has just lost it’s former pep. “You know, it just seems slower.”

Here a few tips to try regain that spring in your PC’s step.  Perform the following suggestions at your own risk, but if you follow the directions carefully, you should be ok.

The actions we take depend on the exact symptoms, but if the machine is usable we usually follow variations of the procedures below….  When the machine is unusable, extremely slow, we usually do the same type of stuff, but in a different order, booting into safe mode for some of them, etc.  Sometimes, we completely reinstall the operating system.

These directions are specifically for Windows XP.  Other flavors have slight differences.  You can usually figure it out or just google what you are trying to do with windows vista home or whatever you are using at the end… let me know in comments and I’ll try and help.

Read More »

Do Criminals have your ATM Card number and PIN? Skimming is big business in Dallas and Austin.

I recently read “Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground”(Google Books Preview, Library, Amazon), a well-written and exciting read about the dark and festering hacker subculture boiling beneath the surface of the world wide internet.   Author Kevin Poulsen is an ex-hacker and is very well tuned in to what is happening in the criminal wing of the public network. I think we all realize that the internet is a hotbed of criminal activity, but Kingpin shows step by step how ‘carding’ or the use of the internet for the trafficing of stolen credit card information, happens on an unimaginable scale.  For anyone who has an interest in how the criminals pull off the credit card fraud we hear about in the media, I highly recommend picking up this book.  I also recommend the blog ThreatLevel at, of which he is co-founder and a frequent contributor.

There are a multitude of ways the internet makes us personally vulnerable to criminal activity.  I have covered these issues in many posts previously, summarized at the end of this post.

The internet, however,  is not the only way the criminals can get our account details – and sometimes they use techniques that are plain old school, doing it the old fashioned way – with new technology twists. Read More »

What version of TLS are your servers using?

Is infection a reality?
A new hacking tool called BEAST cracks TLS 1.0/ SSL in under 10 minutes.

The attack is very specific and the attacker needs access to the network, however most servers are using version 1.0 of TLS required for the crack to work.

Read More »

Do you know what Phone Phishing (or Vishing) is? Beware of the Debit Card Vishing Scam!

Many of the electronic fraud schemes in use today are plays on scams that have been around for years, way before the internet and some even before phones. Updated to use today’s technology, the fraudsters use new innovations to trick their victims.

The technology may be new, but the scams still play upon the same age-old weakness in human nature: our trust. Read More »

HIPAA Auditor Involved in Own Data Breach

Data leaks out of every hole possible.  It happens electronically.  It happens physically.  It happens to firms that understand all the issues and should have better safeguards in place: HIPAA Auditor Involved in Own Data Breach.

Don’t let it happen to you!

International Cybercrime Ring Targets Android

Who’s writing all these apps anyway?  Well, criminals are writing some of them and getting them on the Android Market!  Once installed, the app described here forwards your SMS messages to a remote server via HTTP POST requests.