- One of the causes of healthcare data breaches over the past few years has been to weakened healthcare authentication measures, according to the Office for Civil Rights (OCR). As healthcare continues to be a top target for cyber attacks, organizations need to ensure that they are implementing the right security measures.
In its November 2016 cyber newsletter, OCR encourages healthcare organizations to review their healthcare authentication methods and ensure that they have the appropriate safeguards in place.
Healthcare tends to “usually use login passwords or passphrases to access information on public or private networks, internet portals, computers, medical devices, servers, and software applications,” OCR explained. Authentication criteria typically is based on specific criteria, such as passwords, a fingerprint or voiceprint, or a smart card.
“The Person or Entity Authentication standard of the HIPAA Security Rule requires that covered entities and business associates implement reasonable and appropriate authentication procedures to verify that a person or entity seeking access to electronic protected health information (ePHI) is the one claimed,” the newsletter stated.
Covered entities and business associates should conduct a comprehensive, accurate, and thorough risk analysis for their entire organization, OCR advised. This will help identify potential ePHI vulnerabilities and also identify any vulnerabilities in current authentication methods and practices.
This process helps entities rate the level of the risk and determine (based on their risk analysis): if the risk should be mitigated with a particular type of authentication; if they should keep the current authentication method in place and accept the risk; if they should transfer the risk by outsourcing authentication services to a business associate; or if they should avoid the risk altogether by eliminating the service or process associated with a particular authentication risk.
Healthcare organizations need to consider authentication measures that are “reasonable and appropriate” for their own daily operations, OCR added. For example, a covered entity should consider its size, complexity, technical infrastructure, hardware, and software security capabilities.
There are also different types of healthcare authentication measures to consider. An organization could use either single-factor authentication or multi-factor authentication.
With single-factor, one of three factors can be implemented. For example, perhaps a hospital opts to use just a password to authenticate a person or program.
Multi-factor authentication on the other hand utilizes two or more factors.
“For instance, a private key on a smart card that is activated by a person fingerprint is considered a multi-factor token,” OCR explained in its newsletter. “The smart card is something you have, and something you are (the fingerprint) is necessary to activate the token (private key).”
OCR also highlighted the National Institute of Standards and Technology (NIST) Electronic Authentication Guideline as a resource for healthcare organizations.
Released in August 2013, the NIST guide “provides technical guidelines to agencies to allow an individual to remotely authenticate his or her identity to a Federal IT system.”
“After completing a risk assessment and mapping the identified risks to the required assurance level, agencies can select appropriate technology that, at a minimum, meets the technical requirements for the required level of assurance,” NIST states.
Earlier this summer, NIST also published the draft guide on digital authentication. In that draft, NIST explains different types of authentication options, requirements, and lifecycle management.
“Digital authentication is the process of establishing confidence that a given claimant is the same as a subscriber that has previously authenticated,” the report’s authors wrote. “This guideline addresses how an individual, known as a claimant, can securely authenticate to a Credential Service Provider to establish the context for a remote digital interaction.”