During last week’s Health IT Standards Committee (HITSC) Privacy and Security Workgroup Meeting, members continued to debate and discuss the 2015 notice of proposed rule making (NPRM). Specifically, the group looked at recent draft discussions of EHR authentication, access control, and authorization capabilities.
One topic of interest was multi-factor authentication as it relates to EHR certification and members went back and forth in debating whether there are standards in place to judge multi-factor authentication capabilities.
The Office of the National Coordinator for Health Information Technology (ONC) had previously stated that it would move toward requiring multi-factor authentication, meeting NIST Level of Assurance (LOA) 3, for provider users who remotely access protected health information (PHI). However, the Health IT Policy Committee (HITPC) suggested that the HITSC should investigate how the ONC would test the HITPC’s recommendation (for two-factor authentication) in certification criteria.
ONC was asking about LOA 3 in terms of Stage 3 Meaningful Use multi-factor authentication. Dixie Baker, Chair, Martin, Blanck, and Associates, had previously indicated that the work group should revisit the question of whether ONC should adopt a general two-factor authentication capability requirement as a prerequisite to EHR technology certification. Up to this point, Baker didn’t think the work group had addressed that question specifically.
The group debated two main aspects of multi-factor authentication:
1. “Whether we should adopt a general two-factor authentication capability requirement for certification…[which] could complement e-prescribing of controlled substances requirements and more definitively support security requirements for remote access to EHR technology as well as any other EHR technology uses that may require two factor authentication.”
2. “Whether the HITPC’s recommendations are appropriate and actionable and, if not, what level of assurance should be the minimum required for provider-users seeking remote access to EHR technology.”
Peter Kaufman, Member, DrFirst, said that there are new technologies on the horizon, such as 3D fingerprint readers that build multiple hardware factors into a single device and resist spoofing, which the group may want to revisit in the future, but which have not yet been tested and are not yet affordable. Walter Suarez, Co-Chair, Kaiser Permanente, however, preached caution.
“A general two-factor authentication capability across the board, because I think there are situational needs for the technology. If there’s a requirement, the question would be who within organizations would need to use the two-factor approach. Would this solely be needed in areas such as e-prescribing or remote access?”
After Baker reminded members that providers wouldn’t have to use the authentication mechanism all the time and could turn it on and off, John Moehrke, Member of the HITSP, said that this is a good goal. But since they are the standards committee, it has to specify which standards the technology would be measured against. “Beyond the NIST abstract standards, I don’t know of a standard that could be measured against,” he said. “There isn’t a good way to consistently measure two-factor authentication capability.”
Kaufman added that there actually is NIST Level 3 testing that organizations could use as a two-factor baseline, but members disagreed as to whether this fit most types of EHR modules.