HIPAA Security Rule Requires Strong Authentication in the Healthcare Industry
Privacy of confidential data starts with the authentication process used to access protected information. In industries such as healthcare, government regulations are in place to protect a patient's privacy. The Health Insurance Portability and Accountability Act, known as HIPAA for short, was enacted in 1996 and provides privacy and security rules as the standard for security in the healthcare industry. The act requires companies in the healthcare industry to use a two-factor authentication process, also known as strong authentication.
HIPAA Compliance Chart
Regulation History
Less than a decade ago the ONC, the Office of the National Coordinator, was given an executive order to develop and implement a nationwide interoperable health information technology infrastructure, now known as HIT. The infrastructure was created for many reasons, such as nationwide use of electronic health records, reduction of medical errors, and ensuring the privacy of patients' health information.
However, the IT security controls put into place for HIT were not in compliance with the HIPAA Security Rule, and this went unaddressed until the Office of Inspector General (OIG) audited the information technology security of some healthcare facilities and found that their IT security controls provided inadequate protection. The HIPAA Security Rule is now used by the ONC to identify whether the proper IT security controls are in place, and compliance is enforced by the Office for Civil Rights (OCR). Without this regulation, health information technology systems can be left exposed to vulnerabilities.
Strong Authentication
The ONC requires healthcare facilities to protect confidential records with the proper security, deferring to the HIPAA Security Rule for compliance. Part of compliance requires the use of strong authentication, such as two-factor authentication, to identify a user accessing confidential data. Furthermore, to ensure proper security, the process should not use email passwords or any password delivery system that transmits the password in plain text.
Part of the two-factor authentication process for strong authentication is a one-time password (OTP). To provide adequate security, the OTP must be sent through a secure delivery system, such as an authentication token device or, if the process uses zero-footprint technology, a mobile phone. Although tokens can provide the security level needed for strong authentication, the solution is expensive and the user could misplace the token.
The Future of Healthcare Industry Security and Regulation
Healthcare facilities are going paperless and moving to electronic health records; combined with mobile devices such as smartphones and tablet PCs, this puts confidential data at risk if the data is not properly secured during access. This calls for stronger authentication and encryption to protect against hackers. Malware and malicious apps created specifically for smartphones such as iPhones and Droids give attackers leverage to siphon data during access unless the information is properly encrypted.
Encryption is recommended by the Office of Management and Budget in OMB Memorandum M-06-16, "Protection of Sensitive Agency Information." Any remote access from these types of devices also requires a two-factor authentication process in which one factor is transmitted through a device separate from the one used to gain access.
Want More Authentication Information?
- Two Factor Authentication Solutions
- DynaPass (U.S. Patent #6,993,658) is the only patented provider of mobile phone one time password transmission for use in Two Factor Authentication.
- Out of Band Authentication
- Information about out of band verification including authentication through a one time password sent on a separate network.
Under regulation put into place by the Office of the National Coordinator, healthcare facilities are required to use strong authentication during access to confidential data, providing privacy to patients through the higher security standards stated in the HIPAA Security Rule. Although this was not always the case, patients can rest assured that audits by the Office for Civil Rights will adequately represent their confidentiality needs, and will continue to do so in the future with mobile device security.
by multifactorguru