Choosing authentication types for healthcare

Over the past 24 months, the healthcare sector has been one of the leading targets of ransomware attacks and identity theft online. Some of these crimes may have resulted in breaches due to weak authentication. This has caused healthcare organizations take another look at their safeguards and consider strengthening their authentication methods.

How does HIPAA affect authentication?

Authentication is a process used to verify whether someone or something is who or what it purports to be in an electronic context. Unauthorized entities or programs are prohibited from gaining access to information.

In the healthcare sector, HIPAA entities need to ensure they have strong login passwords to access information. These would include public or private networks, internet portals, computers, email, medical devices, servers, and software applications.

The Person or Entity Authentication standard of the HIPAA Security Rule requires that covered entities and business associates implement reasonable and appropriate authentication procedures to verify that a person or entity seeking access to protected health information (PHI) is the one claimed.

Utilizing the following criteria helps to ensure authentication meets HIPAA requirements:

• Something you know (i.e., passwords, security questions)
• Something you are (i.e., fingerprint, signature, voiceprint, or retina or iris pattern)
• Something you have (i.e., mobile phone, SMS text codes)

What covered entitires and business associates should do

Every organization working with PHI should conduct an enterprise-wide risk analysis. In order to avoid HIPAA fines, it must be accurate, comprehensive, and thorough. By conducting a risk analysis that identifies vulnerabilities to the ePHI in their enterprises, they can identify the vulnerabilities of their current authentication methods and practices, the threats that can exploit the weaknesses, the likelihood of a breach occurring, and how a particular type of breach (if it occurs) can impact their business and mission.

This process helps entities rate the level of the risk and determine (based on their risk analysis): if the risk should be mitigated with a particular type of authentication; if they should keep the current authentication method in place and accept the risk; if they should transfer the risk by outsourcing authentication services to a business associate; or if they should avoid the risk altogether by eliminating the service or process associated with a particular authentication risk.

Consider implementing a more robust form of authentication. It should be reasonable and appropriate for their size, complexity, and capabilities. and their technical infrastructure, hardware, and software security capabilities.

Recommended methods of HIPAA Authentication:

• Single-factor authentication: A process that uses one of the three factors (i.e. something you know, are, or have) to attain authentication. For example, password is something you know and is the only factor that would be required to authenticate a person or program. This would be considered a single factor authentication.
• Multi-factor authentication: A method that uses two or more factors to succeed authentication. For example, a private key on a smart card that is activated by a person fingerprint is considered a multi-factor token. The smart card is something you have, and something you are (the fingerprint) is necessary to activate the token (private key).
•  

Additional HIPAA Authentication and Security Resources:

NIST Electronic Authentication Guidelines

What is Protected Health Information (PHI)?

The Complete Guide to HIPAA Compliance