What exactly is HIPAA-compliant software? We have a software product that we are upgrading for a number of clients...
that claims HIPAA compliance, but there is no way to force 30-day password changes in the application. We have a password policy set on the server, but it must be manually changed in the application. In addition, all users' passwords can be seen by whoever sets the new passwords as there is no utility for users to change their own.
There really is no such thing as "HIPAA-compliant" software. See my column on this very subject.
HIPAA compliance is a process which is made of various policies, procedures and technologies. The fact that 30-day password changes cannot be forced doesn't mean that a product is non-compliant or even vulnerable. I'm of the belief that the more often passwords are changed, the greater the likelihood they will become compromised due to people writing them down in insecure places. The fact that the admin who sets new passwords can see everyone else's password could be a vulnerability, but it's not a deal breaker. There are a lot of organizations that do this. I'm not fond of it, but sometimes it's the only solution. Just keep in mind that there will be risks related to HIPAA compliance. The rules only ask that you document the risks, create a policy stating how that system is handled (and how risks are minimized), implement countermeasures when possible and train your users on safe computing practices. If there is no other way around it (which there probably is somewhere somehow -- it's just inconvenient), that's really all you can do.
For more info on this topic, visit these SearchSecurity.com resources:
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.