Streamlining Two-Factor Authentication for Health IT
While healthcare has long been lagging when it comes to standardizing and updating technology industry-wide, the final HIPAA omnibus rule released last year has not only healthcare organizations rushing to meet compliance, but also other health IT vendors that now fall under the scope of the revised rule.
That means any company that deals with electronic protected health information (ePHI) should be concerned about data security, including system weaknesses that could allow for a potential data breach.
According to HIPAA, the federally mandated Health Insurance Portability and Accountability Act, covered entities (healthcare organizations like healthcare providers, insurance companies and HMOs) and business associates (those that support the healthcare industry, like cloud service providers or electronic health record systems providers) are required to:
Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. - 164.312(d) Technical Safeguards of the Security Standards for the Protection of ePHI, HHS.gov
And within the HIPAA Security Rule recommendations, the Dept. of Health and Human Services lists one possible risk management strategy to mitigate the loss or theft of login data as two-factor authentication:
Implement two-factor authentication for granting remote access to systems that contain ePHI. This process requires factors beyond general usernames and passwords to gain access to systems (e.g., requiring users to answer a security question such as “Favorite Pet’s Name”)... - HIPAA Security Rule Guidance for Remote Use (PDF), HHS.gov
But not every two-factor authentication solution is created equal.
As outlined in an article by HealthITSecurity.com, Multi-Factor Authentication Options for Healthcare IT Managers, some of the major obstacles faced by healthcare CIOs and IT security staff include usability issues, large-scale deployment problems, administrator support headaches and more.
For solutions to each potential problem that might accompany the implementation of two-factor within a healthcare organization, read on below:
####Usability Problem: Users (physicians) don’t want to carry extra physical devices, especially if working at multiple locations, with each location requiring a unique device.
Solution: Employ a two-factor authentication solution that requires one device that can work across multiple locations, such as a mobile app that can be authenticated by the user’s personal phone via push notification.
####Large-Scale Deployments Problem: Two-factor has to be deployed to thousands of employees at several sites, including very large patient communities. This can be time-consuming and resource-heavy.
Solution: For faster and easier deployments for thousands of users, choose a two-factor authentication solution that gives administrators the ability to quickly provision - in a Microsoft environment, support for Active Directory synchronization gives you the option of provisioning users within an existing database, thus streamlining and automating the process.
####Unmanaged Equipment and Networks Problem: Supporting end user software or certificates can be a drain on IT resources; while oftentimes mobile devices, computers and network connections aren’t managed by the healthcare organization’s IT staff.
Solution: Find a two-factor solution that makes user management easy with enterprise groups management, allowing for greater administrative control. Advanced management controls should also include the ability to define trusted networks and devices, and comprehensive APIs that allow developers to build enhanced two-solutions designed especially for their organization’s needs.
####Resources Problem: IT departments are under pressure to keep the two-factor solution overhead down, while timelines are short and consequences for missed deadlines are high.
Solution: Go with a cloud-based two-factor solution that doesn’t require on-premise hardware or software to install, cutting down on overhead costs and personnel support. A wide variety of authentication methods can also reduce support tickets by giving users the ability to authenticate even if they’re offline, so check that your two-factor solution gives you that flexibility.
Streamlining your two-factor authentication solution to fit your healthcare organization’s needs can offer major security and compliance benefits. Invest in a two-factor solution that works for not only end users, but IT administrators, too.