HIPAA & Strong Authentication
The HIPAA (Health Insurance Portability and Accountability Act) of 1996 was a sweeping piece of reform that forever changed and challenged how medical information was handled in the US. In many ways the reforms were before their time instead of closing the barn door after the horse got out. It is the critical set of standards for the age of on-line medical records in the US. It was set to be fully realized in 2005 but with the depth and breadth of the legislation in many areas of Health Information that was tough both financially and technically.
Today we are still grappling with the legislation, the implementations and adding to that our increasingly mobile society. There are cell phones, tablets, and laptops as well as services that are contracted-out such as medical billing, account processing, EMRs (Electronic Medical Records), etc… This means that information must be protected and both old and new ideas are in play to secure it.
So ‘strong authentication’ (also known as ‘two factor’ authentication) can help solve some of the issues surrounding HIPAA compliancy requirements. To do this we probably should define ‘strong authentication.’
For Authentication to be considered two factored it must conform to two of the three following pre-suppositions:
- Something you know, such as a password, pin code, etc
- Something you possess, such as a token, ATM card, etc
- Something unique about you such as fingerprints, ocular blood vessels, etc.
For the folks just playing along, that is why many companies ask for the 3 digits on the back of a credit card, etc.
Now in pulling strong authentication into HIPAA compliance, that is one of the places where strong authentication thrives. Strong Authentication can be directly applied to three areas of the HIPAA regulations and also help solve a fourth area. The regulations that are specifically made for the strong authorization union are found primarily in sections 164.308 and 164.312.
Section 164.308(b)(1) addresses – Business Associate Contracts and Other Arrangements which need to be controlled and the access to PII (personally identifiable information) managed. Strong Authentication helps ensure that those who need access can get access.
Section 164.312(d) – Person or Entity Authentication. Strong Authentication also should be extended to any mobile devices and wi-fi within an environment. Locking down the hard network is not the only area of exposure.
Section 164.312 (a)(1)(i) – Unique User Identification. Most places have a handle on this regulation but there are still shared accounts and passwords around. These need to track back to the individual user via strong authentication.
Section 164.308(a)(3)(B) – Access Management. In some areas this can be addressed with Strong Authentication and role management. It can help address this area as it applies to physical access also. In one hospital after realizing that fingerprint technology would not work in the operating room environment decided to address this problem with retinal scanners thereby using Strong Authentication for Physical Access Management.
These areas are only a small part of the HIPAA regulations and while strong authentication is one part of a strong solution most of the regulations will require the use of many tools to solve these problems over the long term. There is space for Identity and Access Management, Role Compliance, Event Management, DLP (Data Leakage Protection) but strong authentication is a key part of any HIPAA solution when dealing with this age of the Internet, a mobile society, sensitive information, patient’s rights and Global Community involvement.
Questions, comments or concerns? Feel free to reach out to us below or at IDMWORKS