Does your application lock out an account after a number of failed login attempts?
Explanation
Brute-force resistance is what's being tested here, specifically whether your application locks out accounts after a defined number of failed login attempts. This is a fundamental security control that helps prevent brute force attacks, where attackers systematically try many password combinations to gain unauthorized access.
In the context of HIPAA compliance, this is particularly important because HIPAA requires safeguards to protect electronic Protected Health Information (ePHI). Account lockout mechanisms are considered a technical safeguard under the HIPAA Security Rule, specifically addressing access control requirements.
The question is being asked in a security assessment because account lockout policies are a basic but effective defense against unauthorized access attempts. Without such controls, attackers could potentially make unlimited password guesses until they succeed, especially if users have weak passwords.
To best answer this question, you should:
- Clearly state whether your application implements account lockout functionality
- Specify the threshold (number of failed attempts) that triggers a lockout
- Explain the duration of the lockout or how accounts can be unlocked
- Mention any additional security measures that complement the lockout mechanism (e.g., progressive delays, notifications)
- If applicable, note how these settings can be configured by administrators
Guidance
Refer to HIPAA regulations documentation for supplemental guidance in this section.
Example Responses
Example Response 1
Yes, our application implements account lockout functionality as part of our security controls After 5 consecutive failed login attempts, user accounts are automatically locked for a period of 30 minutes During this time, users cannot log in even with the correct password After the lockout period expires, the account is automatically unlocked Additionally, we send email notifications to users when their accounts are locked, and administrators can manually unlock accounts through the admin portal if needed These lockout parameters are configurable by system administrators to meet specific organizational security policies.
Example Response 2
Yes, our application enforces a progressive account lockout policy After 3 failed login attempts, the system implements a 30-second delay before allowing another attempt After 5 failed attempts, the account is temporarily locked for 15 minutes After 10 failed attempts, the account is locked indefinitely and requires administrator intervention to unlock All lockout events are logged and generate security alerts to our monitoring system For HIPAA-compliant deployments, these settings are pre-configured to meet regulatory requirements but can be adjusted by authorized administrators if needed.
Example Response 3
No, our current application does not implement account lockout functionality after failed login attempts Instead, we use a different approach where we implement progressive time delays between login attempts that increase exponentially with each failed attempt While this helps mitigate brute force attacks by making them time-prohibitive, we recognize this does not fully meet the HIPAA Security Rule recommendations for access controls We are currently developing an account lockout feature that will be included in our next major release, scheduled for deployment in Q3 of this year In the interim, we recommend that customers implement additional access controls at the network or infrastructure level to compensate for this limitation.
Context
- Tab
- Case-Specific
- Category
- HIPAA Compliance
Related questions
- Do your workforce members receive regular training related to the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules and the HITECH Act?
- Have you identified areas of risk?
- Have the relevant policies/plans been tested?
- Have you entered into a Business Associate Agreements with all subcontractors who may have access to protected health information (PHI)?
- Do you monitor or receive information regarding changes in HIPAA regulations?
- Has your organization designated HIPAA Privacy and Security officers as required by the rules?

