Two-Factor Authentication for Electronic Health Record (EHR) Apps
The federally mandated switch from paper records to digital records has the healthcare industry transitioning to the widespread use of electronic health record systems (EHRs), but application security is still a concern.
According to the Ponemon Institute’s 2013 Survey on Medical Identity Theft, 1.84 million Americans were victims of medical identity theft, while last year the estimate was 1.52 million. With an estimated 313,000 increase in new cases, medical identity theft appears to be increasing year over year.
And, as Symantec’s Internet Security Threat Report 2013 found, healthcare was the sector responsible for the largest share of disclosed data breaches by industry (36 percent). Education (16 percent) came in second, while government (13 percent) was third.
The data stolen includes sensitive patient information such as SSNs, other personally identifiable data, insurance details, medical history, diagnoses and prescriptions, all of interest to medical identity thieves who steal and sell medical data online.
Part of the federal push to adopt EHRs across hospitals and health systems nationwide includes incentives around proving Meaningful Use of EHRs. If a healthcare organization can prove they’re using certified EHR systems correctly (standardized data collection and sharing, more patient-controlled data, increased e-prescribing requirements and more), they’re eligible for an incentive payment that helps pay for the implementation of the software and provides health IT market stimulation.
EHR Access Security
What are EHRs? EHRs are real-time, patient-centered record systems that make information available to authorized users who need to access, update and maintain them frequently for patient care. Making sure that only authorized users are allowed access is part of the health IT security battle.
Only 16 percent of healthcare organizations are using one-time passwords with two-factor authentication, according to Healthcare Information Security Today’s survey, 2013 Outlook: Survey Offers Update on Safeguarding Patient Information (PDF). The report quoted Mark Combs, CISO survey participant from WVU Healthcare:
Passwords, especially weak passwords, are probably one of the biggest threats to organizations. There are users who share them, who fall prey to social engineering and who leave them written on pieces of paper near their workstation. Implementing a stronger authentication method, albeit one that would not impact provider workflows, could immediately strengthen our security posture.
Designing for App Security with Two-Factor Authentication
Securing EHR applications with a two-factor authentication method that doesn’t impact provider workflows can strengthen access security. Tying the second factor to a mobile app on a smartphone the user already carries provides an easy way to authenticate, while push notifications let the user approve a login with a single tap.
Federal regulations that permit the e-prescribing of controlled substances also require two-factor authentication, according to HealthIT.gov. Health app developers should pay attention to the industry’s security requirements in order to provide marketable apps and modules that will actually work for their clients.
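The one-time-password form of the second factor mentioned above, shown as an added example that is not code from the original post and not Duo’s API: a server-side TOTP (RFC 6238) verifier with the two safeguards a practitioner needs, tolerance for clock drift between the phone and the server, and rejection of a code that has already been accepted (replay). The user store, salt, user names and the login() function are constructed for illustration; the TOTP key is the RFC 6238 test-vector key, so the codes can be checked against the RFC tables. Push approval, which the paragraph describes, is not modelled here.

```python
"""
Added example (not from the original post or Duo's code): a minimal
two-factor login built on RFC 6238 TOTP, using only the standard library.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 8          # RFC 6238 test vectors use 8 digits; phone apps usually show 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step, digits)


class SecondFactorVerifier:
    """Server-side verifier: accepts a code within +/- drift_steps of the current
    time step, and never accepts a counter at or below one already used by that user."""

    def __init__(self, drift_steps: int = 1):
        self.drift_steps = drift_steps
        self._last_counter = {}  # user -> highest counter accepted so far

    def verify(self, user: str, secret: bytes, submitted: str, now: int) -> bool:
        submitted = submitted.strip()
        if not submitted.isascii() or not submitted.isdigit():
            return False
        current = now // STEP_SECONDS
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            counter = current + delta
            if counter <= self._last_counter.get(user, -1):
                continue  # replay or out-of-order reuse: reject
            if hmac.compare_digest(hotp(secret, counter), submitted):
                self._last_counter[user] = counter
                return True
        return False


# Constructed user store (hypothetical): password hash plus per-user TOTP seed.
_SALT = b"constructed-salt"


def _hash_password(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


USERS = {
    "dr.alice": {
        "pw_hash": _hash_password("correct horse battery staple"),
        "totp_secret": b"12345678901234567890",   # RFC 6238 test-vector key
    }
}
VERIFIER = SecondFactorVerifier()


def login(user: str, password: str, otp: str, now: int) -> bool:
    """Two-factor login: the password (something you know) AND a fresh TOTP code
    (something you have) must both check out. The OTP counter is only consumed
    when the password was correct, so a bad password cannot burn a valid code."""
    record = USERS.get(user)
    if record is None:
        _hash_password(password)  # same work as a real user, so timing does not reveal existence
        return False
    if not hmac.compare_digest(record["pw_hash"], _hash_password(password)):
        return False
    return VERIFIER.verify(user, record["totp_secret"], otp, now)


if __name__ == "__main__":
    # Code for RFC 6238 test time 1234567890 with the test key is 89005924
    print(login("dr.alice", "correct horse battery staple", "89005924", 1234567890))  # True
    print(login("dr.alice", "correct horse battery staple", "89005924", 1234567890))  # False: replay
```

The drift window of one step either side matches what most authenticator apps and servers tolerate; widening it makes brute-forcing a 6-digit code easier, so pair any wider window with per-user rate limiting on the OTP step.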
Integrating two-factor with existing applications or platforms is easy with Duo’s APIs for Developers. Focusing on building access controls into health IT applications with two-factor authentication can help prevent healthcare data breaches.