OCR Reminds Companies that Authentication is Key
In non-election news, the Office for Civil Rights (OCR) at the Department of Health and Human Services recently released its November Cyber Awareness Newsletter. This month’s newsletter focuses on the topic of authentication. OCR encouraged health care companies to review and strengthen their authentication methods and other safeguards to avoid breaches of electronic protected health information (ePHI).
The HIPAA Security Rule requires covered entities and business associates to establish reasonable and appropriate authentication procedures to confirm that the person or entity trying to access ePHI is in fact who they represent themselves to be. Healthcare entities often use many different platforms for accessing ePHI, including internet portals, personal devices, and software applications. Therefore, healthcare entities must make sure that each system has safeguards in place to prevent unauthorized users from accessing this information.
In the newsletter, OCR recommended that covered entities and business associates should conduct a company-wide risk analysis to find weaknesses in authentication methods and assess the levels of risk involved. Based on this risk analysis, the company should then examine the likelihood of risks and vulnerabilities relating to ePHI and consider instituting an authentication method based on the company’s size, complexity, and capabilities. The company should also decide whether a single-factor or multi-factor authentication is appropriate based on the risk analysis. Single-factor authentication uses one factor (something the individual or entity knows, is, and/or has) to gain access to a system; multi-factor authentication requires two or more of these factors.
As evidenced by the newsletter, authentication remains an important component of a robust security system for healthcare companies. As companies increasingly turn to electronic systems for the storage and exchange of ePHI, they need to ensure that only those who are authorized to access the information are allowed into the system.