Research and analysis done by SecureAuth + Core Security determined that while two-factor authentication techniques were once sufficient to deter attacks on electronic Protected Health Information (ePHI), they are no longer strong enough to keep these attacks at bay. This is an issue every industry faces, the health care industry in particular. Health care organizations need to be even more wary of these risks because HealthITSecurity.com says that they “are subject to a higher standard of scrutiny with regard to security and privacy requirements, due to regulations such as HIPAA.”
These organizations cannot rely solely on preventative methods to keep attackers from accessing information. They must begin implementing a “powerful risk-based adaptive authentication strategy that can supplement multi-factor authentication (MFA),” according to SecureAuth + Core Security. Health care organizations need to adhere to these measures because most hackers use legitimate credentials to log into and infiltrate a network. MFA requires “something you have” (such as a security token or a biometric identifier like a fingerprint) as well as “something you know” (a password) to protect your information, as stated in the white paper “Increasing Identity Security without Increasing User Disruptions”.
Although multi-factor authentication techniques are great in practice, the more challenging part is their implementation. There is a fine balance between increasing security and increasing user disruptions. You want to be able to build and support a comprehensive network that is both secure and functional. When implementing greater security measures, many companies make the error of not assessing how it will affect their users. In adding a layer of complexity, it’s easy to overlook the disruptions in user activity, increased frustration, and declining productivity.
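To make the idea of “risk-based adaptive authentication supplementing MFA” concrete, and to show how it addresses the disruption problem described above, here is an added example in Python. It is not code from the white paper, SecureAuth, or any hospital system. The risk signals (unknown device, unusual country, off-hours login, recent failed attempts), the point values and the thresholds are all assumptions chosen for illustration; the user profile and login contexts are constructed sample data. The point it demonstrates is that a second factor is only demanded when the login looks risky, so a clinician on a known device during normal hours is not interrupted, while a login with the correct password from an unknown device in an unusual country is challenged or blocked.

```python
from dataclasses import dataclass, field

# Constructed user profile: what "normal" looks like for one account.
@dataclass
class UserProfile:
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    usual_hours_utc: range = range(7, 20)  # assumption: a typical day shift

# The context of a single login attempt, as an authentication gateway might see it.
@dataclass
class LoginContext:
    user: str
    device_id: str
    country: str
    hour_utc: int
    failed_attempts_last_hour: int = 0

# Hypothetical weights; a real deployment would tune these from its own data.
WEIGHT_UNKNOWN_DEVICE = 40
WEIGHT_UNUSUAL_COUNTRY = 30
WEIGHT_OFF_HOURS = 10
WEIGHT_PER_FAILED_ATTEMPT = 10   # capped at 5 attempts below
THRESHOLD_STEP_UP = 30           # at or above: require a second factor
THRESHOLD_DENY = 70              # at or above: refuse even with a valid password

def risk_score(ctx: LoginContext, profile: UserProfile) -> int:
    """Sum the risk signals present in this login attempt."""
    score = 0
    if ctx.device_id not in profile.known_devices:
        score += WEIGHT_UNKNOWN_DEVICE
    if ctx.country not in profile.usual_countries:
        score += WEIGHT_UNUSUAL_COUNTRY
    if ctx.hour_utc not in profile.usual_hours_utc:
        score += WEIGHT_OFF_HOURS
    score += min(ctx.failed_attempts_last_hour, 5) * WEIGHT_PER_FAILED_ATTEMPT
    return score

def decide(score: int) -> str:
    """Map a risk score to one of: allow, step_up_mfa, deny."""
    if score >= THRESHOLD_DENY:
        return "deny"
    if score >= THRESHOLD_STEP_UP:
        return "step_up_mfa"
    return "allow"

def evaluate_login(ctx: LoginContext, profile: UserProfile,
                   password_ok: bool, mfa_passed=None) -> str:
    """
    Adaptive flow: the password ("something you know") is always required.
    A second factor ("something you have") is demanded only when the risk
    score says so. Returns "allow", "challenge" (prompt for the second
    factor) or "deny".
    """
    if not password_ok:
        return "deny"
    decision = decide(risk_score(ctx, profile))
    if decision == "step_up_mfa":
        if mfa_passed is None:
            return "challenge"          # interrupt the user only now
        return "allow" if mfa_passed else "deny"
    return decision

# Constructed profile for a fictitious clinician account.
SAMPLE_PROFILE = UserProfile(
    known_devices={"ws-icu-07", "tablet-rounds-3"},
    usual_countries={"US"},
    usual_hours_utc=range(7, 20),
)

if __name__ == "__main__":
    routine = LoginContext("dr.lee", "ws-icu-07", "US", 9)
    new_device = LoginContext("dr.lee", "laptop-unknown", "US", 9)
    suspicious = LoginContext("dr.lee", "laptop-unknown", "XX", 3,
                              failed_attempts_last_hour=3)
    for ctx in (routine, new_device, suspicious):
        print(ctx.device_id, ctx.country,
              risk_score(ctx, SAMPLE_PROFILE),
              evaluate_login(ctx, SAMPLE_PROFILE, password_ok=True))
```

The routine login scores 0 and is allowed with just the password; the new-device login scores 40 and gets a step-up challenge; the off-hours login from an unusual country after several failures scores 110 and is denied even though the password was correct, which is exactly the case (valid credentials in the wrong hands) the passage above is concerned with.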
Many facilities are implementing these various aspects in order to best protect their patients’ data. Houston Methodist Hospital revamped their system in order to “provide secure remote access to sensitive patient, physician and employee information while protecting access to a wide range of applications that include both on-premise and cloud-based architectures.” In order to do so, the company has a data security team, a storage team, and a team of database administrators. Having seven different facilities, Houston Methodist relies heavily on secure remote access. With many different personnel accessing ePHI remotely, data security is a huge priority.
Houston Methodist’s goal is to provide accessibility without compromising security, a goal all health care organizations should have. Through the years, they have implemented a variety of different two-factor security measures: domain credentials, a question- and answer-based system, as well as hard and soft tokens. They feel secure in the fact that they don’t have to compromise their security and values to have the connectivity they require. With the implementation of an MFA solution that is also user friendly, Houston Methodist Hospital has been able to improve overall patient care across all of their facilities.
With all of this in mind, it’s also important to note that the top defense mechanism against attacks still remains in the hands of the users, aka your employees. The only way for hackers to truly remain outside of your network is to adequately train your employees and ensure that they are using best practices when handling confidential ePHI. You can do this by teaching your employees to follow the technical safeguards outlined in HIPAA’s Security Rule.
If you would like help training your employees to better protect ePHI and adhere to the HIPAA standards, contact HIPAAgps today. We offer an extensive training program that breaks down the Privacy and Security Rules, along with how to handle breaches. Make sure your employees know how to protect your patients’ information.