This week, I am the bearer of good news – it looks like multi-factor authentication is going to be a mandatory requirement in the US healthcare system.
First things first, some background: as we speak, a federal advisory group (HIT Policy Committee) is shaping policies which will affect how we access information in our healthcare system. This all stems from the American Recovery and Reinvestment Act (ARRA) which included the Health Information Technology for Economic and Clinical Health Act (HITECH Act). HITECH was enacted to accelerate the federal initiative for adoption of Electronic Health Records (EHR) while allowing health care providers and hospitals to receive incentive payments for their adoption.
On September 6, the HIT Policy Committee voted to accept recommendations from its Privacy and Security Tiger Team to require multi-factor authentication in certain cases involving remote access to patient information for stage 3 of HITECH. More specifically, the authentication would have to meet NIST Level of Assurance 3 (NIST.LOA-3) standards, which specifies the use of multi-factor remote network authentication, with a minimum of two-factor authentication.
Two-factor authentication is comprised of something you have (like a smart card or token) and something you know (like a password). You must have both factors to be able to log onto a network or system. Adding a third factor of something you ‘are’ (like a fingerprint biometric) to the mix makes the security even stronger.
The ‘certain cases’ I mentioned earlier relate to healthcare employees accessing patient records in the following scenarios:
– From outside of an organization’s private network
– From an IP address not recognized as part of the organization or that is outside of its compliance environment
– From across a network any part of which is or could be unsecure, such as across the open Internet or using an unsecured wireless connection
There are a few different ways healthcare organizations can meet the requirement for multi-factor authentication: smart cards, one-time passwords, and software-based tokens all fit the bill. If we are talking about remote access to sensitive data, I must urge healthcare organizations to go with a physical token or smart card as this ‘second factor’. It’s the only way to really be sure that the person who is accessing the data is who they say they are, and are really in front of that computer.
As the US healthcare industry moves from a paper-based to an electronic infrastructure, one of the key ingredients to making this a success is security. We need to know who is accessing this sensitive information and that they are indeed who they say they are. Suffice to say, we are all glad that the HIT Policy Committee is on board with multi-factor authentication.