The traditional login process with a username and password is insufficient in an increasingly hostile healthcare data environment. Two-factor authentication (2FA) has become increasingly important. While the technology is not mandatory under HIPAA, HIPAA Journal noted that it is a smart way to go from a compliance perspective – actually calling the method "the best way to comply with the HIPAA password requirements." (To learn more about 2FA, see The Basics of Two-Factor Authentication.)
An interesting thing about 2FA (sometimes expanded into multi-factor authentication, MFA) is that it is in place at many healthcare organizations – but for other forms of compliance, including the Drug Enforcement Administration's Electronic Prescription for Controlled Substances Rules and the Payment Card Industry Data Security Standard (PCI DSS). The former is the basic guidelines to be used in prescribing any controlled substances electronically – a set of rules that is parallel to the HIPAA Security Rule in specifically addressing technological safeguards to protect patient information. The latter is actually a payment card industry regulation that governs how any data associated with card payments must be protected to avoid fines from the major credit card companies.
The EU's General Data Protection Regulation draws the concern with 2FA into even greater focus throughout the industry, given its additional oversight and fines (and its applicability to any organization that handles European individuals' personal data).
2FA Long Trusted by Federal Regulators
Two-factor authentication has been recommended by the HHS Department's Office for Civil Rights (OCR) for many years. In 2006, the HHS was already recommending 2FA as a best practice for HIPAA compliance, naming it as the first method to address the risk of password theft which could, in turn, lead to the unauthorized viewing of ePHI. In a December 2006 document, HIPAA Security Guidance, the HHS suggested that the password theft risk is addressed with two key strategies: 2FA, along with the implementation of a technical process for creation of unique usernames and authentication of remote employee access.
Study: Two-Factor Authentication Underused for HIPAA
The Office of the National Coordinator for Health Information Technology (ONC) has shown its specific concern with this technology through its "ONC Data Brief 32" from November 2015, which covered adoption trends of 2FA by acute-care hospitals around the country. The report was on how many of these institutions had the capability for 2FA (i.e., the capability for the user to adopt it, as opposed to a requirement for it). At that point, in 2014, it certainly made sense that the regulators were pushing it, given that less than half the study group had it implemented, although with numbers rising:
● 2010 – 32%
● 2011 – 35%
● 2012 – 40%
● 2013 – 44%
● 2014 – 49%
Certainly, 2FA has been more widely adopted since that point – but it is not ubiquitous.
2FA Documentation IS Required
Another aspect that is important to note is the need for paperwork – which is critical if you end up getting investigated by federal auditors, while also fulfilling risk analysis requirements, provided that you include that discussion. Documentation is necessary since the password rules are listed as addressable – meaning (as ridiculous as it may sound) to provide documented reasoning for using this best practice. In other words, you do not have to implement 2FA, but must explain why if you do.
2FA Software Does Not Itself Need HIPAA Compliance
One of the biggest challenges with 2FA is that it is inherently inefficient since it's adding a step to a process. Actually, though, the concern that 2FA slows healthcare down has been allayed, to a great deal, by the surge of single sign-on and LDAP integration functions for integrated authentication between healthcare systems.
As noted in the header, 2FA software itself does not (humorously enough, since it's so critical to compliance) need to be HIPAA-compliant since it transmits PINs but not PHI. While you can choose alternatives in lieu of two-factor authentication, top divergent strategies – password management tools and policies of frequent password changes – are not as easy a way to comply with HIPAA password requirements. "Effectively," noted HIPAA Journal, "Covered Entities never need to change a password again" if they implement 2FA. (For more on authentication, check out How Big Data Can Secure User Authentication.)
HIPAA Objective: Ongoing Risk Mitigation
The importance of using strong and experienced hosting and managed service providers is underscored by the need to go beyond 2FA with a comprehensive compliant posture. That's because 2FA is far from infallible; ways that hackers can get around it include the following:
● Push-to-accept malware that pummels users with “Accept” messages until they finally click it in frustration
● SMS one-time password scraping programs
● SIM card fraud via social engineering to port phone numbers
● Leveraging mobile carrier networks for voice and SMS interception
● Efforts that convince users to click bogus links or log into phishing sites – handing over their login details directly
But do not despair. Two-factor authentication is just one of the methods you need in place to meet the parameters of the Security Rule and maintain a HIPAA-compliant ecosystem. Any steps taken to better protect information should be seen as risk mitigation, continually bolstering your efforts at confidentiality, availability and integrity.