The Department of Health and Human Services Office for Civil Rights (OCR) recently provided information and guidance on authentication practices for health care organizations.
With the increase in cybercrime in the news, it’s no surprise that the OCR is working on helping health care organizations better protect their networks. In the November newsletter, the OCR suggested looking at authentication practices in health care.
Authentication is the process of verifying that the person accessing protected health information (PHI) is who they claim to be. This also applies to software that accesses PHI. Authentication helps health care organizations keep unauthorized people and software away from PHI.
Common authentication methods include passwords or passphrases, fingerprints, smart cards, and tokens. Many organizations require multi-factor authentication for electronic PHI, meaning two passwords or passphrases are required for access, or a password combined with a smart card.
So what did the OCR have to say about authentication?
Once again, the OCR reminded Covered Entities and Business Associates to conduct an enterprise-wide risk analysis or risk assessment. This should identify any vulnerability in their authentication methods, possible threats that could exploit their weaknesses, the likelihood of a breach occurring, and the possible impact on their business if a breach were to occur. Then, the organization would need to determine if the current authentication is adequate or if changes need to be made.
The OCR stated that organizations should take into consideration the size of their organization, the complexity and capabilities of their current systems and software, and other possible security capabilities.
While the OCR provided information on multi-factor authentication, it made no recommendations on its use. Here at HIPAAgps, we highly suggest using at least two different passwords or passcodes when accessing PHI. Ensure that all computers require a password to log on, and then require another password portal to access PHI.
Finally, the OCR provided a link to the NIST Special Publication on Electronic Authentication for further reading and research on the subject.
Use the HIPAAgps simple, online risk assessment to help you determine your vulnerabilities today.