IT KORR Knowledge Center
Password Compliance Checklist
A cross-framework checklist for confirming password practices align with HIPAA, PCI DSS, and general NIST-based expectations.
General (All Organizations)
- Written, dated password policy exists with a named owner.
- MFA enforced for all users.
- Breached-password screening enabled.
- Minimum password length of at least 12 characters.
HIPAA-Specific
- Unique user IDs enforced on all systems accessing ePHI — no shared logins.
- Password/authentication approach documented as part of the formal risk analysis.
- Automatic logoff configured on shared clinical workstations.
- Authentication events logged as part of audit controls.
PCI DSS-Specific
- Minimum 12-character length enforced on all cardholder data environment (CDE) systems.
- MFA enforced for all CDE access and all remote network access.
- Password change frequency set via a documented targeted risk analysis.
- All vendor default credentials changed before production use.
- Account lockout and password history configured per Requirement 8.
Disclaimer
This checklist is an educational starting point, not a compliance determination. Confirm current requirements with a qualified compliance advisor or Qualified Security Assessor before relying on it for an actual assessment.
Related Resources
- HIPAA Password Guidance — /knowledge-center/cybersecurity/password-security/hipaa-password-guidance
- PCI DSS Password Guidance — /knowledge-center/cybersecurity/password-security/pci-dss-password-guidance
- Compliance Readiness Assessment — /tools/compliance-readiness-assessment