Strong technical safeguards are essential for covered entities (CEs), regardless of their size, and the right healthcare authentication factors are a critical aspect of those safeguards. Locking down end-user access and maintaining technical safeguards help healthcare organizations protect sensitive information, including patient PHI.
It is a delicate balance between creating end user convenience and implementing necessary health data privacy and security, but it is a balance that CEs must be able to find. Otherwise, they could find themselves dealing with the aftermath of a healthcare data breach.
We’ll break down healthcare authentication options and how they can benefit CEs. Moreover, we’ll discuss how authentication fits into the larger HIPAA requirement of having strong technical safeguards in place, and why facilities need this safeguard to work in conjunction with their administrative and physical safeguards as well.
What are HIPAA technical safeguards?
HIPAA technical safeguards are “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it,” according to the HIPAA Security Rule. CEs can use security measures that are reasonable for their size and daily operations. For example, a smaller practice might not need to implement the same technical safeguards as a large hospital.
“The Security Rule does not require specific technology solutions,” according to the HIPAA Security Series from HHS. “There are many technical security tools, products, and solutions that a covered entity may select. Determining which security measure to implement is a decision that covered entities must make based on what is reasonable and appropriate for their specific organization, given their own unique characteristics.”
It is also important to understand the four main aspects of technical safeguards, according to HHS:
- Access Control
- Audit Controls
- Integrity Controls
- Transmission Security
Access control relates to healthcare authentication needs in that it requires CEs “to implement technical policies and procedures that allow only authorized persons to access” ePHI. For audit controls, HHS states that hardware, software, and/or procedural mechanisms must be implemented to record and examine access and other activity in information systems that contain or use ePHI.
Integrity controls refer to policies and procedures that ensure ePHI is not improperly altered or destroyed, while transmission security requires CEs to implement technical security measures that guard against unauthorized access to ePHI while it is transmitted over electronic networks.
Healthcare authentication, access controls
When implementing technical safeguards, CEs need to put the necessary access controls in place so that only authorized individuals can access, use, and transport sensitive data.
“Access controls provide users with rights and/or privileges to access and perform functions using information systems, applications, programs, or files,” according to the HIPAA Security Series from HHS. “Access controls should enable authorized users to access the minimum necessary information needed to perform job functions.”
There are four implementation specifications outlined by HHS:
- Unique User Identification
- Emergency Access Procedure
- Automatic Logoff
- Encryption and Decryption
The first two specifications are required, while automatic logoff and encryption are considered addressable. HealthITSecurity.com further explains the difference between required and addressable specifications.
In terms of healthcare authentication, CEs must ensure that a person is actually who he or she claims to be before they are given access to ePHI. Essentially, individuals need to be able to prove their identity in order to gain access to sensitive information.
According to HHS, there are a few basic ways to authenticate users’ identities. First, there are passwords or PINs. Smart cards, tokens, or keys could also be used. Lastly, biometrics could be implemented as a unique authentication option; for example, fingerprints, voice recognition, or facial recognition.
“Many small provider offices rely on a password or PIN to authenticate the user. If the authentication credentials entered into an information system match those stored in that system, the user is authenticated. Once properly authenticated, the user is granted the authorized access privileges to perform functions and access EPHI. Although the password is the most common way to obtain authentication to an information system and the easiest to establish, covered entities may want to explore other authentication methods.”
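As an added illustration (not code from the article or from HHS), the four access control implementation specifications above modelled in Python: unique user identifiers, an emergency access procedure, automatic logoff, and a password check that compares a salted hash rather than the stored secret, with every decision written to an audit trail. The user names, passwords, idle timeout and hashing parameters are constructed assumptions.

```python
import hashlib
import hmac
import os

# Assumed policy values for this example (not from the article or HHS).
PBKDF2_ITERS = 200_000
IDLE_TIMEOUT = 15 * 60   # automatic logoff after 15 idle minutes
audit_log = []           # audit control: every access decision is recorded


def hash_password(password, salt=None):
    # Store a salted PBKDF2 digest, never the password itself.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
    return salt, digest


def make_user_store():
    # Constructed sample accounts; each login name is a unique user identifier.
    return {uid: hash_password(pw)
            for uid, pw in [("jdoe", "correct horse battery"), ("rnurse", "Ward7-Pass!")]}


def authenticate(store, uid, password, now):
    # Returns a session on success, None on failure; both outcomes are audited.
    rec = store.get(uid)
    # Hash against a dummy record for unknown users so timing does not reveal valid IDs.
    salt, expected = rec if rec else (b"\0" * 16, b"\0" * 32)
    _, actual = hash_password(password, salt)
    ok = rec is not None and hmac.compare_digest(actual, expected)
    audit_log.append((now, uid, "login", "success" if ok else "failure"))
    return {"uid": uid, "last_active": now, "break_glass": False} if ok else None


def touch(session, now):
    # Automatic logoff: an idle session is terminated before any further ePHI access.
    if now - session["last_active"] > IDLE_TIMEOUT:
        audit_log.append((now, session["uid"], "auto_logoff", "idle"))
        return None
    session["last_active"] = now
    return session


def emergency_access(uid, reason, now):
    # Emergency access procedure ("break glass"): access is granted but flagged and audited.
    audit_log.append((now, uid, "break_glass", reason))
    return {"uid": uid, "last_active": now, "break_glass": True}
```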
Using healthcare authentication measures with other safeguards
Healthcare authentication measures by themselves are not enough to prevent a facility from being infiltrated by cyber criminals or from ever experiencing a data breach. HIPAA technical safeguards need to be implemented along with the right administrative and physical safeguards. Not only is this a federal requirement, it will create a comprehensive approach to privacy and security.
For example, employees might have strong passwords or PINs, but if they are not trained on the proper disposal of paper documents, medical records could still be exposed. An employee could simply toss old records in the trash, which might lead to that medical information falling into the wrong hands. It is not the same as a hacker accessing millions of records, but it could still lead to federal fines for the healthcare facility in question and possibly to identity fraud problems for patients whose information was exposed.
No healthcare facility can guarantee that a data breach will never happen. However, by implementing healthcare authentication measures, along with other technical, administrative, and physical safeguards, CEs are showing patients that they are doing everything within their power to keep sensitive data secure.