Skip to content Skip to footer

HITRUST Compliance and Passwords

The Health Information Trust Alliance, also known as HITRUST, is an organization that created the Common Security Framework (CSF). The HITRUST Alliance is a non-profit organization with a program set up to standardize compliance requirements amongst many industries. Since it is more direct than HIPAA, many healthcare organizations choose it as their option.

A few examples of compliance standards that have been included are: federal legislation (ARRA and HIPAA), federal agency rules and guidance (NIST, FTC and CMS), state legislation (Nevada, Massachusetts and Texas), and industry frameworks (PCI and COBIT). All of these separate compliance standards can now be normalized under one umbrella compliance standard known as HITRUST.

The nFront Password Filter ( helps with these password requirements located in the CSF:
• 01.d User Password Management
• 01.f Password Use
• 01.r Password Management System

Most of the objectives that mention passwords are in Control Category 01.0, Access Control.

A few key points of password related standards with HITRUST are:

  • Passwords must not be viewable when typed
  • A password must be changed if the password or system might have been compromised.
  • Verify the user before a password reset.
  • Temporary passwords must be administered securely and changed at the first log-on.
  • Maintain a dictionary blacklist with commonly used or expected words, and update it at least every 180 days. With nFront, you can use different custom dictionaries for different password policies, and we have a new updated global dictionary with full customization.
  • Allow passwords to be long and contain passphrases, including spaces.
  • Implement automated tools to help the user select a strong password.
  • Require a password change every 90 days for non-privileged accounts and 60 days for privileged accounts.
  • A minimum of 8 characters for regular user accounts and 15 characters for privileged or administrator user accounts
  • For the highest privileged accounts, no combinations from the last 12 passwords may be used. For lower privileged accounts, it is 6 passwords.

How can you proactively prevent weak passwords? We suggest encouraging passphrases rather than lengthy passwords. Allowing your employees to choose their passwords that they can memorize is more effective and lowers help desk calls. Teach your employees the importance of strong passwords and how easy it is for a hacker to crack their password. Lastly, disable dormant accounts.

We don’t want to see your organization become a headline, so reach out to see how we can help!

Leave a comment