Multi-Factor Authentication on the Way for Healthcare

Last updated: 05 February 2015

This week, I am the bearer of good news – it looks like multi-factor authentication is going to be a mandatory requirement in the US healthcare system.

First things first, some background: as we speak, a federal advisory group (HIT Policy Committee) is shaping policies which will affect how we access information in our healthcare system.  This all stems from the American Recovery and Reinvestment Act (ARRA) which included the Health Information Technology for Economic and Clinical Health Act (HITECH Act). HITECH was enacted to accelerate the federal initiative for adoption of Electronic Health Records (EHR) while allowing health care providers and hospitals to receive incentive payments for their adoption.

On September 6, the HIT Policy Committee voted to accept recommendations from its Privacy and Security Tiger Team to require multi-factor authentication in certain cases involving remote access to patient information for stage 3 of HITECH. More specifically, the authentication would have to meet NIST Level of Assurance 3 (NIST.LOA-3) standards, which specifies the use of multi-factor remote network authentication, with a minimum of two-factor authentication.

Two-factor authentication is comprised of something you have (like a smart card or token) and something you know (like a password).  You must have both factors to be able to log onto a network or system.  Adding a third factor of something you ‘are’ (like a fingerprint biometric) to the mix makes the security even stronger.

The ‘certain cases’ I mentioned earlier relate to healthcare employees accessing patient records in the following scenarios:

– From outside of an organization’s private network

– From an IP address not recognized as part of the organization or that is outside of its compliance environment

– From across a network any part of which is or could be unsecure, such as across the open Internet or using an unsecured wireless connection

There are a few different ways healthcare organizations can meet the requirement for multi-factor authentication: smart cards, one-time passwords, and software-based tokens all fit the bill.  If we are talking about remote access to sensitive data, I must urge healthcare organizations to go with a physical token or smart card as this ‘second factor’.  It’s the only way to really be sure that the person who is accessing the data is who they say they are, and are really in front of that computer.

As the US healthcare industry moves from a paper-based to an electronic infrastructure, one of the key ingredients to making this a success is security.  We need to know who is accessing this sensitive information and that they are indeed who they say they are.  Suffice to say, we are all glad that the HIT Policy Committee is on board with multi-factor authentication.

2 thoughts on “Multi-Factor Authentication on the Way for Healthcare

  1. I have been watching the debate around the security in Healthcare, there has been a big debate over which methods of security are best suited to add additional layers of security and authentication for account access and transaction verification without being unreasonably expensive or complex. There is a need to step up the implementation of Two-Factor authentication and make it so employees can telesign into the system and access patient data securely.

    1. Hi Terry – thanks for your comment and thoughts on this topic. I completely agree with you that there is a definitive need for two-factor authentication in healthcare. The emphasis I feel should also not only be on reducing cost and complexity but also in ensuring that healthcare employees can both securely and conveniently telesign into the relevant system to access patient data. Security and convenience must go hand in hand here.

      The security of personal health information is far different compared to other types of personal information including financial. If credit card information is compromised resulting in unauthorized purchases, the affected consumer can simply call the bank and report a fraudulent transaction and have it removed and the account credited. It may take a letter or two to the credit reporting agencies, but it can get cleared up. Today there are no policies and procedures in place to restore one’s health information. Personal health information and electronic medical records is highly sensitive information and warrants the need for very high confidence in the accuracy of the asserted identity. Once it is compromised and in the wrong hands the data contained is irreversible and the consequences can affect the victim for a lifetime.

      The US HHS may mandate NIST’s Level of Assurance (LoA) 3, but it really needs to mandate Level 3 or Level 4. The requirement should clearly explain the differences and the additional security and multiple purposes a LoA 4 solution can offer to reduce fraud, protect patient privacy and secure access to the electronic health records.

      Let me know if there are other topics you’d like to see on our blog too. Best, Michael.

Leave a Reply

Your email address will not be published. Required fields are marked *