Choosing authentication types for healthcare


Over the past 24 months, the healthcare sector has been one of the leading targets of ransomware attacks and online identity theft. Some of these crimes may have resulted in breaches because of weak authentication. This has caused healthcare organizations to take another look at their safeguards and consider strengthening their authentication methods.

How does HIPAA affect authentication?

Authentication is a process used to verify whether someone or something is who or what it purports to be in an electronic context. Unauthorized entities or programs are prohibited from gaining access to information.

In the healthcare sector, HIPAA entities need to ensure they have strong login passwords protecting access to information. The systems that need this protection include public or private networks, internet portals, computers, email, medical devices, servers, and software applications.

The Person or Entity Authentication standard of the HIPAA Security Rule requires that covered entities and business associates implement reasonable and appropriate authentication procedures to verify that a person or entity seeking access to protected health information (PHI) is the one claimed.

Utilizing the following criteria helps to ensure authentication meets HIPAA requirements:

  • Something you know (e.g., passwords, security questions)
  • Something you are (e.g., fingerprint, signature, voiceprint, or retina or iris pattern)
  • Something you have (e.g., mobile phone, SMS text codes)

What covered entities and business associates should do

Every organization working with PHI should conduct an enterprise-wide risk analysis. In order to avoid HIPAA fines, it must be accurate, comprehensive, and thorough. By conducting a risk analysis that identifies vulnerabilities affecting the ePHI in its enterprise, an organization can identify the weaknesses of its current authentication methods and practices, the threats that could exploit those weaknesses, the likelihood of a breach occurring, and how a particular type of breach (if it occurs) would affect its business and mission.

This process helps entities rate the level of risk and determine, based on their risk analysis, which of four responses is appropriate:

  • Mitigate the risk with a particular type of authentication
  • Accept the risk and keep the current authentication method in place
  • Transfer the risk by outsourcing authentication services to a business associate
  • Avoid the risk altogether by eliminating the service or process associated with a particular authentication risk

Consider implementing a more robust form of authentication. It should be reasonable and appropriate for the organization's size, complexity, and capabilities, as well as its technical infrastructure and its hardware and software security capabilities.

Recommended methods of HIPAA Authentication:

  • Single-factor authentication: A process that uses one of the three factors (i.e., something you know, are, or have) to authenticate. For example, a password is something you know; if it is the only factor required to authenticate a person or program, this is single-factor authentication.
  • Multi-factor authentication: A method that requires two or more factors for authentication to succeed. For example, a private key on a smart card that is activated by a person's fingerprint is considered a multi-factor token. The smart card is something you have, and something you are (the fingerprint) is necessary to activate the token (the private key).
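The distinction above turns on how many distinct factor categories are exercised, not on how many credentials are presented. The following added example (not from the original article) models that rule: two "something you know" credentials are still single-factor, while one composite token such as the smart card activated by a fingerprint counts as two factors. The credential names and factor sets are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three HIPAA-recognised authentication factor categories."""
    KNOWLEDGE = "something you know"
    INHERENCE = "something you are"
    POSSESSION = "something you have"


@dataclass(frozen=True)
class Credential:
    """One presented credential; a composite token may span several categories."""
    name: str
    factors: frozenset


def distinct_factors(credentials):
    """Union of the factor categories exercised by all presented credentials."""
    return frozenset().union(*(c.factors for c in credentials))


def classify(credentials):
    """Return 'no authentication', 'single-factor' or 'multi-factor'."""
    count = len(distinct_factors(credentials))
    if count == 0:
        return "no authentication"
    if count == 1:
        return "single-factor"
    return "multi-factor"


def missing_for_policy(credentials, required=2):
    """Categories that could be added to reach the required number of factors."""
    have = distinct_factors(credentials)
    if len(have) >= required:
        return frozenset()
    return frozenset(Factor) - have


# Constructed sample credentials (assumed, not from the article)
PASSWORD = Credential("password", frozenset({Factor.KNOWLEDGE}))
SECURITY_QUESTION = Credential("security question", frozenset({Factor.KNOWLEDGE}))
SMS_CODE = Credential("SMS text code", frozenset({Factor.POSSESSION}))
# A smart-card private key unlocked by fingerprint: possession + inherence in one token
SMART_CARD_FINGERPRINT = Credential(
    "smart card + fingerprint", frozenset({Factor.POSSESSION, Factor.INHERENCE}))

if __name__ == "__main__":
    for combo in ([PASSWORD], [PASSWORD, SECURITY_QUESTION],
                  [PASSWORD, SMS_CODE], [SMART_CARD_FINGERPRINT]):
        print([c.name for c in combo], "->", classify(combo))
```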

Additional HIPAA Authentication and Security Resources:

  • NIST Electronic Authentication Guidelines
  • What is Protected Health Information (PHI)?
  • The Complete Guide to HIPAA Compliance

About the author

Hoala Greevy

Founder of Paubox. Kayak fishing when I can. Native Hawaiian CEO.
