Q

HIPAA-compliant software?

What exactly is HIPAA-compliant software? We have a software product that we are upgrading for a number of clients that claims HIPAA compliance, but there is no way to force 30-day password changes in the application. We have a password policy set on the server, but it must be manually changed in the application. In addition, all users' passwords can be seen by whoever sets the new passwords as there is no utility for users to change their own.


There really is no such thing as "HIPAA-compliant" software. See my column on this very subject.

HIPAA compliance is a process which is made of various policies, procedures and technologies. The fact that 30-day password changes cannot be forced doesn't mean that a product is non-compliant or even vulnerable. I'm of the belief that the more often passwords are changed, the greater the likelihood they will become compromised due to people writing them down in insecure places. The fact that the admin who sets new passwords can see everyone else's password could be a vulnerability, but it's not a deal breaker. There are a lot of organizations that do this. I'm not fond of it, but sometimes it's the only solution. Just keep in mind that there will be risks related to HIPAA compliance. The rules only ask that you document the risks, create a policy stating how that system is handled (and how risks are minimized), implement countermeasures when possible and train your users on safe computing practices. If there is no other way around it (which there probably is somewhere somehow -- it's just inconvenient), that's really all you can do.


For more info on this topic, visit these SearchSecurity.com resources:
  • Archived Featured Topic: HIPAA: After the privacy deadline
  • Best Web Links: Health care/health services
  • Ask the Expert: HIPAA regulations concerning archived e-mail

This was first published in August 2003.
