Editor’s note: HHS requires physician practices to provide periodic cyber security awareness and training to all employees. (1) Please consider sharing this post with your staff to meet this requirement.
Under the ever-present threat of an attack by cyber criminals, health care entities are taking a closer look at ways to strengthen and safeguard their authentication methods.
Authentication is the process used to verify that someone or something is who or what they claim to be. In practice it means requiring a login credential, such as a password or passphrase, before a person or program is allowed to access information on public or private networks, medical devices, servers, and software applications, so that unauthorized people and programs are kept out.
Please review the following information on authentication requirements and take a few minutes to reflect on the type of authentication you use. Could it be improved? And be sure to remind staff about the importance of authentication, including not sharing logins and passwords.
The Person or Entity Authentication standard of the HIPAA Security Rule requires authentication procedures to verify that a person or entity seeking access to electronic protected health information (ePHI) is the one claimed. Therefore, covered entities should do the following.
1. Conduct an enterprise-wide risk analysis that identifies vulnerabilities to current authentication methods, the threats that can exploit the weaknesses, the likelihood of a breach occurring, and how a particular type of breach can affect the business.
This process helps entities determine if the risk should be mitigated with a particular type of authentication; if they should keep the current authentication method in place and accept the risk; if they should transfer the risk by outsourcing authentication services to a business associate; or if they should avoid the risk altogether by eliminating the process associated with a particular authentication risk.
2. Consider — based on the potential risks and vulnerabilities to ePHI — implementing a form of authentication that is reasonable and appropriate for the size, complexity, capability, technical infrastructure, hardware, and software security capabilities of your practice.
3. Consider recommended methods of authentication, depending on the results of your risk analysis, including:
Single-factor authentication – uses one of the three factors (something you know, something you have, or something you are) to authenticate. For example, a password is something you know; if the password is the only factor required to authenticate a person or program, that is single-factor authentication.
Multi-factor authentication – uses two or more factors to authenticate. For instance, a private key on a smart card that is activated by a person’s fingerprint is considered a multi-factor token: the smart card is something you have, and the fingerprint (something you are) is necessary to activate the token (the private key). (2)
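The following is an added example, not code from the newsletter or from TMLT, showing the difference between the two methods in working code: a password-only check (one factor, something you know) beside a check that also requires a one-time code from an authenticator app (a second factor, something you have), computed with the standard TOTP algorithm (RFC 6238) so that no outside library is needed. The user records, password values and salts are constructed for illustration; the TOTP secret is the published RFC 6238 reference key.

```python
import hashlib
import hmac
import os
import struct

# Added example (not from the page): a toy credential store keyed by user name.
# Each record holds a salted PBKDF2 password hash ("something you know") and,
# for users enrolled in MFA, the shared secret of a TOTP authenticator app
# ("something you have"). All values below are constructed for illustration.

PBKDF2_ITERATIONS = 200_000
TOTP_STEP = 30  # seconds per time step, as in RFC 6238


def hash_password(password, salt=None):
    """Return a password record: random salt plus PBKDF2-HMAC-SHA256 digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify_password(password, record):
    """Recompute the digest and compare it in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the 30-second time step."""
    return hotp(secret, unix_time // TOTP_STEP, digits)


def verify_totp(secret, code, unix_time, drift_steps=1):
    """Accept the current code or one step either side to tolerate clock drift."""
    counter = unix_time // TOTP_STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-drift_steps, drift_steps + 1)
    )


def authenticate_single_factor(users, username, password):
    """Password only: one factor (something you know)."""
    record = users.get(username)
    return record is not None and verify_password(password, record["password"])


def authenticate_multi_factor(users, username, password, code, unix_time):
    """Password plus a TOTP code from an enrolled device: two independent factors.
    Both factors are always evaluated before deciding, so the response does not
    reveal which one failed; a user without an enrolled device cannot pass."""
    record = users.get(username)
    if record is None or record.get("totp_secret") is None:
        return False
    password_ok = verify_password(password, record["password"])
    code_ok = verify_totp(record["totp_secret"], code, unix_time)
    return password_ok and code_ok


# Constructed data: fixed salts keep the example reproducible; never do this in production.
RFC6238_SECRET = b"12345678901234567890"  # reference key from RFC 6238, Appendix B
USERS = {
    "front-desk": {"password": hash_password("Winter2016!", salt=b"\x00" * 16),
                   "totp_secret": None},  # password only
    "dr-jones": {"password": hash_password("correct horse battery", salt=b"\x01" * 16),
                 "totp_secret": RFC6238_SECRET},  # enrolled in MFA
}

if __name__ == "__main__":
    now = 59  # RFC 6238 test time; the real code would use int(time.time())
    print("single factor:", authenticate_single_factor(USERS, "front-desk", "Winter2016!"))
    print("multi factor: ", authenticate_multi_factor(
        USERS, "dr-jones", "correct horse battery", totp(RFC6238_SECRET, now), now))
```

The point of the second function is that a stolen or shared password alone is no longer enough: an attacker also needs the enrolled device that holds the TOTP secret. The drift window is deliberately small (one step either side), since each extra step widens the set of codes an attacker can guess.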
References
1. Cornell University Law School Legal Information Institute. 45 CFR 164.308 Administrative Safeguards. Available at https://www.law.cornell.edu/cfr/text/45/164.308
2. U.S. Department of Health and Human Services Office for Civil Rights. What type of authentication is right for you? Cyber Awareness Newsletter. October 2016. Available at http://www.hhs.gov/sites/default/files/november-2016-cyber-newsletter.pdf
3. National Institute of Standards and Technology. Electronic Authentication Guideline. NIST Special Publication 800-63-2. Available at http://csrc.nist.gov/publications/PubsSPs.html
4. U.S. Department of Health and Human Services Office for Civil Rights. Security Rule Guidance Material. Available at http://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html
About the Author
Cathy Bryant joined TMLT in 2010 and serves as the Senior Compliance and Risk Management Representative. Cathy leads the development and implementation of TMLT’s cyber risk management services.