In recent years many authors have explored the use of biological signals for security issues. In the context of cardiac signals, the use of Inter-Pulse Interval (IPI) values as a source of entropy is one of the most widely used solutions in the literature. To date, there is a broad consensus that the four least significant bits of each IPI are highly entropic and can be used, for instance, in the generation of a cryptographic key. In this article, we demonstrate that the choice of the IPI bits used to date may not be the most correct (e.g., the combination of bits 2638 are much better that the common assumed 5678). To come to our conclusions, we have done a rigorous and in-depth study, analyzing cardiac signals from more than 160,000 files from 19 databases of the Physionet public repository and basing our analysis on the NIST 800-90B recommendation.