OCR Urges Covered Entities to Review Authentication Controls
HIPAA requires covered entities and their business associates to implement ‘reasonable and appropriate authentication procedures’ to ensure that only individuals authorized to access electronic protected health information (ePHI) are able to gain access to data and systems containing those data.
This week, the Department of Health and Human Services’ Office for Civil Rights has chosen authentication controls as the subject for its November Newsletter in an effort to encourage covered entities to review and revise their authentication procedures to prevent hackers and malicious insiders from exploiting weak authentication controls to gain access to ePHI.
Authentication is the process of establishing the identity of an individual before access to data or systems is granted. The extent to which identities are checked varies between organizations and is often dependent on the sensitivity of the data. The more sensitive the data, the stronger the controls used to verify the identity of the user usually are.
Authentication is based on one or more criteria such as something you know, something you are, or something you have. Something you know is typically a password set by the user. Something you are includes fingerprints or voiceprints, while something you have could be a smart card or token.
In the healthcare industry, authentication controls typically take the form of passwords or passphrases, which are used to control access to all systems containing ePHI, including EHRs, software applications, medical devices, computers and servers, internet portals, and public and private networks.
HIPAA-covered entities can use single-factor authentication controls – such as a password or passphrase – or multi-factor authentication, which uses two or more procedures to verify the identity of an individual before access is granted. Multi-factor authentication allows covered entities to have much greater confidence in the identity of a user before data access is granted.
According to OCR, the decision about the type of authentication to use should only be made after an organization has performed an accurate, comprehensive, and thorough enterprise-wide risk analysis.
The risk analysis should identify all potential risks to ePHI along with vulnerabilities in current authentication controls and practices. Potential threats to ePHI should be identified and weaknesses in authentication controls assessed. Organizations should determine the probability of a breach occurring and the impact such a breach would have on the business.
Only after such a process has been completed will covered entities be able to accurately determine the level of risk, and therefore be in a position to choose authentication controls that are reasonable and appropriate to mitigate those risks.
According to OCR, covered entities should “Consider, based on the probability of potential risks and vulnerabilities to their ePHI, implementing a form of authentication that is reasonable and appropriate for their size, complexity, and capabilities, and their technical infrastructure, hardware, and software security capabilities.”
For details of the authentication controls that can be used, the degree of assurance that each provides, advice on lifecycle requirements and session management, and the privacy and usability considerations, covered entities have been referred to the Electronic Authentication Guidelines issued by the National Institute of Standards and Technology (NIST) in August 2013 (SP 800-63-2). Further information can be found in the latest draft guidance on digital authentication (SP 800-63-3), published in May 2016.