Authentication — A vulnerability in your practice?

November 28, 2016 Cathy Bryant

Editor’s note: HHS requires physician practices to provide periodic cyber security awareness and training to all employees. (1) Please consider sharing this post with your staff to meet this requirement.

Under the ever-present threat of an attack by cyber criminals, health care entities are taking a closer look at ways to strengthen and safeguard their authentication methods.

Authentication is the process used to verify that someone or something is who or what they claim to be. It involves keeping unauthorized people or programs from gaining access to information by using login passwords or passphrases to access information on public or private networks, medical devices, servers, and software applications.

Please review the following information on authentication requirements and take a few minutes to reflect on the type of authentication you use. Could it be improved? And be sure to remind staff about the importance of authentication including, not sharing logins and passwords.

Authentication requirements
The Person or Entity Authentication standard of the HIPAA Security Rule requires authentication procedures to verify that a person or entity seeking access to electronic protected health information (ePHI) is the one claimed. Therefore, covered entities should do the following.

1. Conduct an enterprise-wide risk analysis that identifies vulnerabilities to current authentication methods, the threats that can exploit the weaknesses, the likelihood of a breach occurring, and how a particular type of breach can affect the business.

This process helps entities determine if the risk should be mitigated with a particular type of authentication; if they should keep the current authentication method in place and accept the risk; if they should transfer the risk by outsourcing authentication services to a business associate; or if they should avoid the risk altogether by eliminating the process associated with a particular authentication risk.

2. Consider — based on the potential risks and vulnerabilities to ePHI — implementing a form of authentication that is reasonable and appropriate for the size, complexity, capability, technical infrastructure, hardware, and software security capabilities of your practice.

3. Consider recommended methods of authentication, depending on the results of their risk analyses, including:

Single-factor authentication – uses one of the three factors (i.e. something you know, are, or have) to attain authentication. For example, a password is something you know and is the only factor that would be required to authenticate a person or program. This would be considered a single-factor authentication.

Multi-factor authentication – uses two or more factors to achieve authentication. For instance, a private key on a smart card that is activated by a person’s fingerprint is considered a multi-factor token. The smart card is something you have, and something you are (the fingerprint) is necessary to activate the token (private key). (2)

TMLT’s Product Development and Consulting Service team can help you and your staff with your cyber risk management plan, read more or ask a specific question.


  1. Cornell University Law School Legal Information Institute. 45 CFR 164.308 Administrative Safeguards. Available at
  2. U.S. Department of Health and Human Services Office for Civil Rights. What type of authentication is right for you? Cyber Awareness Newsletter. October 2016. Available at


Other resources

About the Author

Cathy Bryant

Cathy joined TMLT in 2010 and serves as the Senior Compliance and Risk Management Manager. Cathy leads the development and implementation of TMLT’s cyber risk management services. Cathy Bryant can be reached at

Visit Website More Content by Cathy Bryant
Previous Article
FDA Approves Important Labeling Changes for Essure Birth Control Device

In continuing effort to advise patients and physicians regarding permanent birth control options, the FDA r...

Next Article
National Prescription Drug Take-Back Day

The National Prescription Drug Take-Back Day is an initiative created by the Drug Enforcement Agency (DEA) ...