Hospitals Increase Infrastructure Support for Two-Factor Authentication
While fewer than half of hospitals currently support an infrastructure for two-factor authentication, the percentage has increased significantly over the past 6 years: 53 percent since 2010, as reported by the Office of the National Coordinator for Health IT (ONC).
U.S. states that report the highest capability to support two-factor authentication include Ohio (93%), Vermont (83%) and Delaware (81%).
In a data brief (PDF) released in November, the federal agency that enforces HIPAA compliance across healthcare organizations stated that two-factor authentication can satisfy the requirement to verify that a person seeking access to electronic protected health information (ePHI) has authorization.
The ONC brief also lists two-factor authentication as an essential capability for providers who e-prescribe controlled substances, as decreed by the Drug Enforcement Administration (DEA).
Two Factor for Every Hospital, Small and Large
As expected, small rural and critical access hospitals reported the lowest levels of capability for two-factor authentication, while medium and large hospitals reported higher levels. However, 51 percent of small urban hospitals reported having the capability for two-factor authentication.
As a Ponemon Institute study found, no healthcare organization, regardless of size, is immune from a data breach. And as criminal attacks rise to the number one cause of healthcare data breaches, it’s time for hospitals of all sizes to recognize the need to support information security solutions.
The Verizon 2015 Data Breach Investigations Report (DBIR) found that 95% of web application attacks involved stolen user credentials, which is why the ONC has focused its attention on two-factor authentication adoption rates and capability to support the necessary infrastructure.
Tech Analysts & HIMSS Call for Two-factor Authentication
As Forrester analyst Stephanie Balaouras stated in an article with CNBC, when it comes to preparedness, the healthcare industry is woefully behind, focusing more on compliance than on privacy.
Forrester advises that the healthcare industry:
- Adopt two-factor authentication for access to databases containing sensitive patient information
- Use behavioral analytics to identify suspicious behavior and encrypt data
- Realize that identity protection is no longer a good enough mea culpa
Similarly, the Healthcare Information and Management Systems (HIMSS) Identity Management Task Force (IDM TF) recommends the use of two-factor authentication to ensure a patient’s identity when they access their own health data through a patient portal.
In their recommendation for security requirements (PDF), the task force acknowledges the security standards of the National Institute of Standards and Technology (NIST) in a statement about strengthening authentication security:
“We believe that raising the confidence level of patient authentication now is important to counteract the rising security risk of using passwords alone. We also found that the proofing and authentication methods used in healthcare do not always match the prescriptive methods that qualify for the NIST levels, but they could be evaluated and judged to be equivalent where appropriate.”
This is a good example of why two-factor authentication is a wise choice to roll out broadly and implement across many different use cases in which any type of user is authenticating to a system with sensitive healthcare data.
Modernizing Security for Ease of Integration, Deployment & Usability
But two-factor adoption rates may only increase, as two-factor authentication has been modernized and streamlined significantly since its inception.
Instead of clunky tokens that require hospital professionals to type in a one-time passcode to authenticate, sleek new mobile apps allow users to log in with the touch of a button on a number of devices, including smartphones, tablets and smartwatches.
This provides a frictionless user experience, and doesn’t slow down hospital employees and their login workflow. It’s also an affordable solution that can be rolled out to a large number of employees, including remote and contract.
And to cut down on the number of logins, single sign-on solutions can be easily integrated with two-factor authentication, allowing a user to sign on once and access multiple applications.