Dive Brief:
- HHS’ Office for Civil Rights is exhorting healthcare organizations to reassess their electronic authentication methods in light of the recent uptick in cyberattacks.
- In its monthly cyber awareness update, OCR reminds HIPAA covered entities that they must have reasonable and appropriate authentication procedures to verify that a person seeking access to electronic protected health information is who they claim to be.
- However, some security professionals suggest OCR should have pressed for broader use of multifactor authentication as a means to prevent data breaches, Healthcare Info Security reports.
Dive Insight:
Covered entities and their business associates should perform an enterprise-wide risk analysis to identify cyber vulnerabilities and how various types of breaches could affect their business, OCR urges. Based on the vulnerabilities that are found and the likelihood of electronic protected health information (ePHI) being compromised, entities should consider different forms of authentication to reduce those risks.
The two most common forms are single-factor authentication (e.g. a password alone) and multifactor authentication, which requires two or more factors of different kinds: something the user knows (a password), something the user has (a smart card or hardware token) and something the user is (a fingerprint). A second password does not make a second factor; the value of MFA is that a phished or cracked password is not enough on its own.
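Concretely, as an added example that is not from OCR's update or the article: a Python login check in which the password (something the user knows) is only half of the decision, and a time-based one-time code per RFC 6238 stands in for the hardware token because it can be demonstrated offline. The user store, salt and password are constructed for the example; the TOTP seed is the RFC 6238 test seed, so the codes can be checked against the RFC's published vectors.

```python
"""Added example: password plus TOTP (RFC 6238) as a second factor.
Hypothetical user store and inputs; not code from OCR or the article."""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def match_totp(secret: bytes, code: str, at: int, step: int = 30,
               digits: int = 6, window: int = 1) -> Optional[int]:
    """Return the time-step counter the code matches, or None.

    Checks the current step and `window` steps either side to tolerate clock
    skew. Every candidate is compared in constant time and the loop does not
    short-circuit, so timing does not reveal which step matched.
    """
    if len(code) != digits or not all(c in "0123456789" for c in code):
        return None
    current = at // step
    matched = None
    for counter in range(max(0, current - window), current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            matched = counter
    return matched


# Constructed salt for the example; a real system uses a random per-user salt.
SALT = b"constructed-salt-not-for-production"


def hash_password(password: str, salt: bytes = SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user record. The TOTP seed is the RFC 6238 test seed
# ("12345678901234567890" in ASCII), not a real credential.
USERS = {
    "clinician": {
        "pw_hash": hash_password("correct horse battery staple"),
        "totp_secret": b"12345678901234567890",
        "last_counter": -1,  # highest TOTP counter already accepted (replay guard)
    }
}


def check_login(username: str, password: str, code: str, at: Optional[int] = None) -> bool:
    """Both factors must pass; a correct password with a bad or reused code fails."""
    at = int(time.time()) if at is None else at
    user = USERS.get(username)
    if user is None:
        return False
    password_ok = hmac.compare_digest(user["pw_hash"], hash_password(password))
    counter = match_totp(user["totp_secret"], code, at)
    if not password_ok or counter is None:
        return False
    if counter <= user["last_counter"]:
        return False  # one-time code already spent: a captured code cannot be replayed
    user["last_counter"] = counter
    return True
```

Two details matter more than the HMAC arithmetic: the skew window is one step on either side, not wider, because every extra step multiplies an attacker's guessing odds; and the server records the last accepted counter so a code intercepted in transit is useless once the legitimate user has used it.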
“Not only is multifactor authentication secure, but its mere existence acts as a deterrent to hackers,” Dan Berger, CEO of security consultancy Redspin, told Healthcare Info Security. “Hackers always gravitate to the easiest path—and cracking a multifactor authentication implementation is incredibly time-consuming.”
This year has seen a spate of high-profile health industry cyberattacks. In August, Bon Secours Health System alerted more than 650,000 patients that their ePHI may have been breached. The attack followed a hack on Banner Health that compromised payment data for 3.7 million individuals.
Cyber criminals also hit Hollywood Presbyterian Medical Center and MedStar Health earlier this year.