HIPA-11

Does your application require users to set their own password after an administrator reset or on first use of the account?

Explanation

This question is asking whether your application forces users to create their own password when their account is first created or after an administrator resets their password, rather than continuing to use a temporary or administrator-set password.

This is important for security because:

1. Administrator-set or temporary passwords are often shared through potentially insecure channels (email, text messages, etc.)
2. Temporary passwords may be documented or stored in IT systems, creating security risks
3. Users should be the only ones who know their own passwords (password confidentiality)
4. Forcing password changes ensures that shared or potentially compromised credentials are quickly replaced

In the context of HIPAA compliance, this is particularly important because it helps protect access to systems that may contain Protected Health Information (PHI). HIPAA requires covered entities to implement technical safeguards that control access to ePHI, and proper password management is a fundamental control.

When answering this question, you should clearly state whether your application:

- Forces password changes after admin resets
- Forces password creation on first login
- Includes any exceptions to these rules
- Has any additional related password security features

If your application doesn't enforce these practices, you should explain what compensating controls you have in place to mitigate the associated risks.

Guidance

Refer to HIPAA regulations documentation for supplemental guidance in this section.

Example Responses

Example Response 1

Yes, our application enforces mandatory password changes in both scenarios. When an administrator creates a new user account, the system generates a one-time temporary password that expires after 24 hours. Upon first login, users are immediately redirected to a password change screen and cannot access any application features until they have set their own password. Similarly, when an administrator resets a user's password, the same process occurs: the user receives a temporary password and must change it upon their next login. Our system also enforces password complexity requirements during these changes to ensure strong passwords are created. All password change events are logged for audit purposes.

Example Response 2

Yes, our application requires users to set their own passwords after administrator resets and on first use. For new accounts, users receive an email with a secure link that expires after 8 hours. This link takes them to a password creation page where they must set a password meeting our complexity requirements (minimum 12 characters, combination of uppercase, lowercase, numbers, and special characters). For password resets, administrators cannot set specific passwords but can only trigger the reset process, which sends a similar secure, time-limited link to the user's registered email. We maintain no knowledge of user passwords at any time, storing only salted and hashed values in our database.

Example Response 3

No, our application currently does not enforce password changes after administrator resets or on first use. Administrators set initial passwords for users, and these passwords remain valid until changed by the user voluntarily. While we recommend that users change their initial passwords, our system does not currently enforce this as a requirement. We recognize this as a security gap and are implementing a forced password change feature in our next release, scheduled for deployment in approximately 60 days. In the meantime, we mitigate this risk through strict password complexity requirements, account lockout after failed attempts, and comprehensive access logging and monitoring.
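The control described in the Explanation and illustrated by Example Responses 1 and 2 (a temporary, time-limited credential issued by an administrator; a "must set own password" gate on login; a complexity policy for the user-chosen password; salted hashes only; an audit trail) can be implemented in a small account service. The following is an added example written for this page, not code from ResponseHub or from any product described in the responses. The 24-hour temporary-credential lifetime and the 12-character/mixed-class policy are taken from the example responses; the PBKDF2 iteration count, the in-memory store, the injectable clock and the return-value names (`ok`, `must_set_password`, `expired`, `denied`) are assumptions made for the example.

```python
"""Forced password change after admin create/reset (constructed example)."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Policy values taken from the example responses on the page: a temporary
# credential is valid for 24 hours, and a user-chosen password needs 12+
# characters with upper, lower, digit and special characters.
TEMP_CREDENTIAL_TTL_SECONDS = 24 * 3600
MIN_PASSWORD_LENGTH = 12
PBKDF2_ITERATIONS = 200_000  # assumption for the example; tune to your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest). Only these are stored; the password itself never is."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def password_meets_policy(password: str) -> bool:
    """Complexity rule from Example Response 2: length plus all four character classes."""
    return (
        len(password) >= MIN_PASSWORD_LENGTH
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
    )


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    must_set_own_password: bool  # True while the credential is admin/system-issued
    credential_issued_at: float  # when the current credential was created


class AccountStore:
    """In-memory stand-in for the user table; `clock` is injectable for testing."""

    def __init__(self, clock=time.time):
        self._accounts = {}
        self._clock = clock
        self.audit_log = []  # (event, username) pairs; a real system writes these to its audit store

    def _issue_temporary_credential(self, username: str) -> str:
        temp = secrets.token_urlsafe(16)
        salt, digest = hash_password(temp)
        self._accounts[username] = Account(username, salt, digest, True, self._clock())
        return temp  # handed to the admin once for delivery; never retained in clear

    def admin_create(self, username: str) -> str:
        if username in self._accounts:
            raise ValueError("account already exists")
        temp = self._issue_temporary_credential(username)
        self.audit_log.append(("account_created", username))
        return temp

    def admin_reset(self, username: str) -> str:
        if username not in self._accounts:
            raise KeyError(username)
        temp = self._issue_temporary_credential(username)  # old credential is replaced
        self.audit_log.append(("admin_reset", username))
        return temp

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'must_set_password', 'expired' or 'denied'."""
        account = self._accounts.get(username)
        if account is None:
            hash_password(password)  # same cost for unknown users, so timing does not reveal them
            return "denied"
        _, candidate = hash_password(password, account.salt)
        if not hmac.compare_digest(candidate, account.digest):
            self.audit_log.append(("login_failed", username))
            return "denied"
        if account.must_set_own_password:
            if self._clock() - account.credential_issued_at > TEMP_CREDENTIAL_TTL_SECONDS:
                return "expired"  # admin must issue a fresh temporary credential
            return "must_set_password"  # the app gates every other route on this state
        return "ok"

    def set_own_password(self, username: str, current: str, new: str) -> bool:
        """User proves possession of the current (possibly temporary) credential and replaces it."""
        if self.login(username, current) not in ("ok", "must_set_password"):
            return False
        if new == current or not password_meets_policy(new):
            return False
        salt, digest = hash_password(new)
        self._accounts[username] = Account(username, salt, digest, False, self._clock())
        self.audit_log.append(("password_set", username))
        return True


if __name__ == "__main__":
    store = AccountStore()
    temp = store.admin_create("alice")
    print("first login:", store.login("alice", temp))
    print("set own password:", store.set_own_password("alice", temp, "Correct-Horse-Battery-9"))
    print("second login:", store.login("alice", "Correct-Horse-Battery-9"))
```

The `must_set_password` state is what the application's routing layer must check on every request, not only at login, otherwise a user holding a temporary credential could use the rest of the application without ever replacing it. The `expired` branch covers the case the first example response mentions: a temporary credential that was never used within its 24-hour window cannot be redeemed later and has to be reissued by an administrator, which is itself an audited event.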

Context

Tab: Case-Specific
Category: HIPAA Compliance

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub