Over the past 24 months, the healthcare sector has been one of the leading targets of ransomware attacks and online identity theft. Some of these crimes may have resulted in breaches because of weak authentication. This has caused healthcare organizations to take another look at their safeguards and consider strengthening their authentication methods.
Authentication is the process of verifying, in an electronic context, that someone or something is who or what it claims to be. Unauthorized entities or programs are thereby prevented from gaining access to information. In the healthcare sector, HIPAA entities need to ensure they have strong login passwords for the systems through which information is accessed. These systems include public or private networks, internet portals, computers, email, medical devices, servers, and software applications. The Person or Entity Authentication standard of the HIPAA Security Rule requires that covered entities and business associates implement reasonable and appropriate authentication procedures to verify that a person or entity seeking access to protected health information (PHI) is the one claimed.
Utilizing the following criteria helps to ensure authentication meets HIPAA requirements:
Every organization working with PHI should conduct an enterprise-wide risk analysis. In order to avoid HIPAA fines, it must be accurate, comprehensive, and thorough. A risk analysis that identifies vulnerabilities to the ePHI across the enterprise lets the organization identify the weaknesses of its current authentication methods and practices, the threats that can exploit those weaknesses, the likelihood of a breach occurring, and how a particular type of breach (if it occurs) would affect its business and mission. This process helps entities rate the level of each risk and decide, based on the analysis, whether to mitigate the risk with a particular type of authentication; keep the current authentication method in place and accept the risk; transfer the risk by outsourcing authentication services to a business associate; or avoid the risk altogether by eliminating the service or process associated with that authentication risk.
Consider implementing a more robust form of authentication. It should be reasonable and appropriate for the organization's size, complexity, and capabilities, and for its technical infrastructure, hardware, and software security capabilities.
Additional HIPAA Authentication and Security Resources:
NIST Electronic Authentication Guidelines
What is Protected Health Information (PHI)?
The Complete Guide to HIPAA Compliance