OCR Reinforces Importance of Multi-Factor Authentication in Healthcare

July 05, 2023 - Strong authentication practices can help healthcare organizations mitigate breach risk and maintain compliance, the HHS Office for Civil Rights (OCR) reminded covered entities in its June 2023 newsletter.

According to OCR, poor authentication practices have been linked as contributing factors in multiple recent high-profile data breaches, including cyberattacks on a major US meat supplier and a fuel pipeline. Both attacks began with a threat actor compromising old user profiles with weak passwords.

“Authentication is ‘the corroboration that a person is the one claimed,’” OCR noted. “This corroboration of one’s identity is the prerequisite to allow access to resources (e.g., computer systems, data) to only those authorized for such access. The classic model of authentication involves the presentation of credentials which typically includes an identifier (e.g., username) and one or more authentication factors.”

The cornerstones of authentication revolve around three factors: something you know, something you have, and something you are. While single-factor authentication requires the user to identify only one of those factors, multi-factor authentication (MFA) necessitates that users produce two or more factors.

“Multi-factor authentication makes it more difficult for an attacker to gain unauthorized access to information systems, even if an initial factor such as a password or PIN is compromised, because the requirement of one or more additional distinct factors reduces the likelihood that an attacker will be successful,” OCR continued.

However, OCR noted that not all MFA solutions are equal. The Cybersecurity and Infrastructure Security Agency (CISA) specifically recommends implementing phishing-resistant MFA to add an extra layer of defense.

In addition to improving security, authentication is a crucial component of HIPAA compliance. OCR recently settled a HIPAA investigation involving Banner Health, having discovered that the organization had failed to implement an authentication process to safeguard protected health information (PHI).

OCR also alleged that Banner Health failed to analyze and determine the risks to PHI across the organization and failed to implement appropriate security measures to protect PHI as it was transmitted electronically.

Banner Health admitted no wrongdoing but agreed to pay $1.25 million to OCR. The health system also agreed to conduct a thorough risk analysis to determine vulnerabilities and develop an internal risk management plan to maintain the integrity and availability of PHI.

This case exemplified OCR’s commitment to enforcing HIPAA Security Rule violations. While HIPAA does not prescribe specific authentication standards, it does require covered entities to conduct a risk analysis and select solutions that sufficiently reduce risk. Failure to do so many result data breaches and OCR investigations.

“HIPAA regulated entities are required to implement authentication solutions of sufficient strength to ensure the confidentiality, integrity, and availability of their ePHI,” OCR concluded.

“A regulated entity’s risk analysis should guide its implementation of authentication solutions to ensure that ePHI is appropriately protected. As a best practice, regulated entities should consider implementing multi-factor authentication solutions, including phishing-resistant multi-factor authentication, where appropriate to improve the security of ePHI and to best protect their information systems from cyber-attacks.”