Hospital health IT departments are gaining capabilities for two-factor authentication at an increasing rate, helping to improve healthcare data security.
Two-factor authentication capabilities are important for increasing health data security, the Office of the National Coordinator for Health IT (ONC) reported, because they put more barriers between sensitive health information and potential data thieves.
According to a recent report from the ONC, the number of hospitals with two-factor authentication capabilities has increased by 53 percent since 2010 (Figure 1).
In 2010, only about one-third of hospitals had these security capabilities; however, by 2014, nearly half of surveyed hospitals had two-factor authentication capabilities.
Two-factor authentication means that users need to input more than just a username and password in order to log into a certain data portal.
Several systems require users to answer a security question or enter biometric data such as a fingerprint scan as the additional input criterion.
ONC researchers also found that two-factor authentication capabilities vary depending on the size of a healthcare organization.
For example, large and medium institutions are far more likely to have two-factor authentication, with nearly 60 percent of them having these security capabilities. However, only about 35 to 40 percent of critical access hospitals and small rural hospitals have these capabilities. Approximately 50 percent of small urban hospitals have two-factor authentication (Figure 2).
Additionally, ONC found that two-factor authentication capabilities varied from state to state.
For example, Montana had as few as 19 percent of its hospitals with two-factor capabilities, while Ohio had 93 percent of its hospitals with that ability. Twenty states have at least half of their hospitals with two-factor authentication abilities.
As electronic storage of health information continues to increase through the use of EHRs, cybersecurity measures are going to become increasingly important. Two-factor authentication can play a major role in these security measures.
“As electronic health information becomes more widely available, proper security measures must be implemented to ensure the information is only accessible to those with the rights to access it. The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to verify that a person seeking access to electronic protected health information (ePHI) has authorization,” ONC researchers explained. “Two-factor authentication can satisfy this HIPAA requirement.”
Two-factor authentication can also be useful in e-prescribing medications. Specifically, ONC explained that the two-factor authentication rule for e-prescribing controlled substances helped decrease the number of adverse opioid effects and mortalities.
“This rule gives practitioners the option to electronically prescribe prescriptions with several options for obtaining an authentication credential. Additionally, the increased use of two-factor authentication by practitioners may help support the Secretary’s initiative to decrease opioid-related deaths and morbidity,” ONC explained.
Two-factor authentication is one of many HIPAA-compliant technical safeguards the Department of Health and Human Services suggests using to increase health data security. HHS also suggests various safeguards such as device encryption, firewalls, and the de-identification of data, among several others.
Furthermore, healthcare security professionals may need to employ several different safeguards. While ONC’s research shows that the use of two-factor authentication is becoming more popular, that safeguard needs to be paired with another in order to be more effective.
In addition to authentication capabilities and other technical safeguards, IT security professionals should also add security elements in administrative and physical safeguards. This can include thorough employee training, regular risk assessments and locks on all exterior doors.
While HIPAA does dictate which safeguards practices must implement in order to stay compliant, health IT professionals should thoroughly explore the various types and determine the ones that will work best for their specific organization’s needs. This customized approach toward health data security will prevent practices from concentrating on security measures that might not work for them and neglecting measures that will.
Image Credit: The Office of the National Coordinator for Health IT