password mfa

HIPAA and Cybersecurity Authentication

Losing a password used to be the punchline to jokes. But today, passwords and cybersecurity defense are serious business, and no one is joking after experiencing a data breach. Passwords are both your strongest defense and weakest link. Strong when managed well and weak when they’re easy to compromise. You can make them stronger by using smart authentication practices to stop data breaches and strengthen HIPAA compliance.

Top HIPAA enforcement regulators at the Office for Civil Rights (OCR) offer good advice about how to strengthen passwords. In its June 2023 Cybersecurity Newsletter OCR discusses the importance of authentication practices to validate that a user is who they claim to be. Quoting from the HIPAA Security Rule, OCR notes that covered entities and business associates must implement authentication procedures “to verify that a person or entity seeking access to electronic protected health information is the one claimed.”

OCR notes that poor authentication practices have been identified as contributing factors in recent high profile cyberattacks. In 2021 a major fuel pipeline was shut down due to a ransomware attack, and the same year a major U.S. meat supplier was also shut down temporarily due to a cyberattack. In both cases the incidents began with a threat actor compromising old user profiles with weak passwords.

Multi-Factor Authentication

OCR describes how authentication practices have evolved. In the beginning it was straightforward using one step. Today multi-factor authentication (MFA) is essential.

The classic model of authentication only required a username and one or more authentication factors. Historically, three factors form the cornerstones of authentication:

  • Something you know (e.g., password, personal identification number (PIN))
  • Something you have (e.g., smart ID card, security token)
  • Something you are (e.g., fingerprint, facial recognition, other biometric data)

Single factor authentication requires only one of the factors listed above, usually a password (i.e., something you know). But multi-factor authentication requires the use of two or more distinct factors.

Multi-factor authentication makes it more difficult for attackers to gain unauthorized access because even if an initial factor (such as a password or PIN) is compromised, the requirement of one or more additional distinct factors reduces the chance that an attacker will succeed.

Top cybersecurity experts today agree that multi-factor authentication should be the norm. OCR notes that the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute for Standards and Technology (NIST) and the U.S. Department of Health & Human Services (HHS) 405(d) Task Group all recommend MFA.

However, not all MFA solutions are equally effective, and some may be more prone to compromise than others. CISA specifically recommends implementing phishing-resistant MFA to add an extra layer of defense. OCR explains:

Phishing resistant multi-factor authentication is designed to detect and prevent disclosures of authentication data to a website or application masquerading as a legitimate system. An example of phishing resistant multi-factor authentication would require a password or user biometric data coupled with a phishing resistant authenticator such as a Personal Identity Verification (PIV) card or other cryptographic hardware or software based token authenticator (e.g., Fast Identity Online (FIDO) with WebAuthn authenticator). The layered defense of a properly implemented multi-factor authentication solution is stronger than single factor authentication such as relying on a password alone.

HIPAA Requires Strong Authentication Practices

Authentication improves security but it’s also a requirement of HIPAA compliance. OCR recently settled a HIPAA investigation involving Banner Health  after discovering that the Phoenix health system had failed to implement an authentication process to safeguard protected health information (PHI).

OCR also alleged that Banner Health failed to perform a Risk Analysis to determine the risks to PHI across the organization and failed to implement appropriate security measures to protect PHI as it was transmitted electronically.

OCR notes that HIPAA is designed to be “flexible, scalable, and technology neutral” and therefore, does not mandate a specific authentication solution for every organization in every situation:

Instead, a regulated entity’s Risk Analysis should inform its selection and implementation of authentication solutions that sufficiently reduce the risks to the confidentiality, integrity, and availability of ePHI (electronic protected health information). Different touchpoints for authentication throughout a regulated entity’s organization may present different levels of risk, thus requiring the implementation of authentication solutions appropriate to sufficiently reduce risk at those various touchpoints. For example, remote access to a regulated entity’s information systems and ePHI may present a greater risk than access in person, thus stronger authentication processes (e.g., multi-factor authentication) may be necessary when permitting or expanding remote access to reduce such risks sufficiently. CISA recommends that organizations consider implementing multi-factor authentication solutions on their “Internet-facing systems, such as email, remote desktop, and Virtual Private Network (VPNs).

Risk Analysis is Step Number One

Use the Risk Analysis to design your own unique solutions that fit your situation and levels of risk. The Security Rule Checklist in The HIPAA E-Tool® covers all the bases. It’s easy to follow and provides follow-up steps tailored to your needs. Protect your data and stay ahead of the HIPAA enforcers by getting started now.

Share This Post

Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2023 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC

Terms & Conditions | Privacy Policy | Cookies Policy | Privacy Settings | HTML/XML Sitemap

Mailing Address
The HIPAA E-Tool
PO Box 179104
St. Louis, MO 63117-9104

8820 Ladue Road Suite 200
St. Louis, MO 63124