Authentication and HIPAA
It is clear from experience that weak or nonexistent authentication allows malicious actors entry into your network. Once inside, a compromise of sensitive information is very likely, resulting in significant losses. Based on recent studies, 86% of attacks on networks use stolen or compromised credentials.
Poor authentication has led to recent high-profile attacks and breaches. In these cases, attackers used weak passwords on old, forgotten user profiles, and multi-factor authentication was absent.
From experience we know that good authentication ensures secure access to an organization’s network. By using strong authentication processes, we can impede or prevent many cyber-attacks.
What is Authentication?
Authentication is the corroboration that a person is who they claim to be.
The classic model of authentication involves the presentation of credentials which typically includes an identifier (e.g., username) and one or more authentication factors.
Historically, three factors form the cornerstones of authentication:
- Something you know (password, personal identification number (PIN))
- Something you have (smart ID card, security token)
- Something you are (fingerprint, facial recognition, other biometric data)
Single-factor authentication. Only one of these factors is used, which is usually a password.
Multi-factor authentication. Two or more distinct factors are required. One is usually a password, and the others are something you have or something you are.
It is important to note that using multiple instances of the same factor is not multi-factor authentication. For example, a password and a PIN used together are not effective, because both are something you know. You would have to add something you have or something you are, consistent with the cornerstones of authentication.
Multi-factor authentication remains effective even if a password or PIN is compromised: the attacker still lacks the additional factor, which reduces the likelihood of compromise.
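The distinction drawn above (two authenticators are only multi-factor when they come from different categories) is easy to get wrong in a login routine. The following Python example, added here and not part of the original article, enforces that policy before verifying anything, then verifies a salted password hash (something you know) and an RFC 6238 TOTP code (something you have, since the seed lives on the user's device). The user name, password, factor table and the seed are constructed for the demo; the seed is the RFC 6238 test vector so the codes can be checked by hand.

```python
import hashlib
import hmac
import os
import struct

# Constructed table: each authenticator type belongs to one classic factor category.
FACTOR_OF = {
    "password": "knowledge",        # something you know
    "pin": "knowledge",
    "totp": "possession",           # something you have (device holding the seed)
    "hardware_token": "possession",
    "fingerprint": "inherence",     # something you are
}

PBKDF2_ITERATIONS = 600_000
TOTP_STEP = 30
TOTP_DIGITS = 6


def distinct_factors(authenticator_types):
    """Set of factor categories covered by the presented authenticator types."""
    return {FACTOR_OF[t] for t in authenticator_types}


def is_multi_factor(authenticator_types):
    """True only when at least two *different* categories are present.
    password + pin -> False (both knowledge); password + totp -> True."""
    return len(distinct_factors(authenticator_types)) >= 2


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; only this digest is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def hotp(secret, counter, digits=TOTP_DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=TOTP_STEP):
    """RFC 6238 TOTP: HOTP over the number of time steps since the Unix epoch."""
    return hotp(secret, int(at_time) // step)


def verify_totp(secret, code, at_time, window=1):
    """Accept the current step plus `window` steps either side to absorb clock drift."""
    counter = int(at_time) // TOTP_STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def enroll_user(username, password, totp_secret, salt=None):
    """Store a salted password hash and the shared TOTP seed for the user."""
    salt = salt if salt is not None else os.urandom(16)
    return {"username": username, "salt": salt,
            "pw_hash": hash_password(password, salt), "totp_secret": totp_secret}


def authenticate(user, presented, at_time):
    """presented: {"password": "...", "totp": "123456", ...}. Returns (granted, reason).
    The factor-category check runs first, so password + PIN is refused as a policy
    violation before any secret is compared."""
    if not is_multi_factor(presented):
        cats = ", ".join(sorted(distinct_factors(presented)))
        return False, "policy: not multi-factor, only %s presented" % cats
    for kind, value in presented.items():
        if kind == "password":
            ok = hmac.compare_digest(hash_password(value, user["salt"]), user["pw_hash"])
        elif kind == "totp":
            ok = verify_totp(user["totp_secret"], value, at_time)
        else:
            ok = False  # no verifier enrolled for this authenticator type
        if not ok:
            return False, "%s verification failed" % kind
    return True, "granted: " + ", ".join(sorted(distinct_factors(presented)))


if __name__ == "__main__":
    SEED = b"12345678901234567890"  # RFC 6238 test seed, constructed for the demo
    user = enroll_user("alice", "correct horse battery staple", SEED)
    pw = "correct horse battery staple"
    print(authenticate(user, {"password": pw, "totp": totp(SEED, 59)}, 59))   # granted
    print(authenticate(user, {"password": pw, "pin": "1234"}, 59))            # policy refusal
    print(authenticate(user, {"password": pw, "totp": "000000"}, 59))         # totp failed
```

The policy check deliberately runs before any verification: a deployment that verifies a password and a PIN and calls the result "MFA" has two knowledge factors, and a phished or reused password typically takes the PIN with it. Everything here uses only the Python standard library, so it runs offline.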
The National Institute of Standards and Technology (NIST) has recently suggested more frequent use of multi-factor authentication by small businesses, stating that “it is necessary to add more layers of authentication beyond a password to ensure that accounts remain secured.”
The U.S. Department of Health & Human Services recognized the importance of multi-factor authentication. It is now encouraging its use for remote access to systems and to email as a best practice.
Authentication and HIPAA
Technical safeguards
Person or entity authentication is a standard requiring a covered entity to verify that a person or entity seeking access to electronic protected health information is the one claimed.
“To be flexible, scalable, and technology neutral, the authentication standard does not prescribe the implementation of specific authentication solutions. Instead, a regulated entity’s risk analysis should inform its selection and implementation of authentication solutions that sufficiently reduce the risks to the confidentiality, integrity, and availability of ePHI.”
Non-compliance with the Security Rule’s authentication standard continues to leave regulated entities vulnerable to successful cyber-attacks and breaches of electronic protected health information (ePHI).
The Cybersecurity and Infrastructure Security Agency (CISA) recommends that organizations consider implementing multi-factor authentication solutions on their “Internet-facing systems, such as email, remote desktop, and Virtual Private Network (VPNs).”
Further, a regulated entity’s HIPAA obligations regarding authentication do not end with its implementation of authentication procedures. There is an ongoing obligation to review and modify the security measures implemented under the Security Rule. The person or entity authentication standard must be reviewed to ensure implemented security measures continue to provide reasonable and appropriate protection of ePHI.
Conclusion
Covered entities and business associates are required to implement authentication solutions to ensure the confidentiality, integrity, and availability of their ePHI. An entity’s risk analysis should guide its implementation of authentication solutions to ensure that ePHI is appropriately protected. It is in the best interest of covered entities and business associates to consider implementing multi-factor authentication solutions. This will improve the security of ePHI and protect information systems from cyber-attacks. Visit HIPAA Associates for help with these topics.
Resources:
- NIST Special Publication 800-63: Digital Identity Guidelines: https://www.nist.gov/special-publication-800-63
- CISA: More than a Password: https://www.cisa.gov/MFA
- HHS Health Sector Cybersecurity Coordination Center (HC3): Utilizing Two Factor Authorization (PDF): https://www.hhs.gov/sites/default/files/two-factor-authorization.pdf
- HHS 405(d) Task Group: Health Industry Cybersecurity Practices (HICP) Resources: https://405d.hhs.gov/resources
Author:
Al Lopez has been the Vice President of Operations for HIPAA Associates for the last eleven years. Dr. Lopez has passed board certification in internal medicine, pulmonary, and anesthesia and holds a degree as a medical coding specialist. He has served as a Compliance Director and Privacy Officer for over ten years. In addition, Dr. Lopez is certified in Healthcare Compliance and has held various leadership roles within hospital staff and private practice. His main interest is in HIPAA training.