HIPAA multi factor authentication & technical safeguards

One of the most reassuring aspects of visiting your doctor or healthcare provider is knowing that everything you discuss is confidential. You have questions about that itchy rash on your back? It stays between you and your doctor. Want to discuss hair loss or weight gain? That conversation never leaves the exam room.

But what happens when your medical records are disclosed without your knowledge?

Medical record breaches are on the rise

It happens more often than you might think. According to the HIPAA Journal, medical record breaches happen regularly and are only increasing. If breaches this year continue at the current rate, the number of medical records exposed could top 112 million, compared to 29.27 million in 2022. Most of the records stolen stem from hacking and IT incidents, featuring compromised network servers and emails.

Why are healthcare breaches so common?

Healthcare systems have large attack surfaces with vulnerabilities that criminals can easily exploit.

And full medical records are a treasure trove of critical identifying information: full name, date and place of birth, social security number, physical and email addresses, and credit card information. Complete records can net as much as $1,000, making healthcare systems enticing targets.

Another cause for concern is that healthcare organizations lag behind other industries in cybersecurity preparedness.

IBM's 2023 Cost of a Data Breach Report indicates that healthcare organizations take longer to detect a data breach: 231 days compared to 204 in other industries.

Containment times are also longer, at 92 days compared to 73 days across other industries.

Last and worst of all, the impact on the business’s bottom line is catastrophic. The average cost of a healthcare data breach is nearly $11 million, compared to $4.45 million across industries.

HIPAA access control policy provides a security framework

What can healthcare organizations do to tighten up security and safeguard sensitive, protected personal and health information? It starts with the HIPAA Security Rule and HIPAA Technical Safeguards.

What does the HIPAA Security Rule protect?

Think about visiting the doctor. When you arrive, you check in with a receptionist. They verify your name, birth date, mailing address, and payment information, and they may also process your copay using your credit card. Next, a medical assistant or nurse comes in and takes your vitals and health history, which they enter into your electronic medical record via a tablet or computer. Then, when you see the doctor, they type notes and treatment plans into your medical record. Finally, when you leave, you check out with another person who also accesses your record to schedule future appointments and print a visit summary. In a single visit, at least four different people accessed your medical records.

Protecting your medical data during this type of routine access to medical records is just one of the many instances that HIPAA access control seeks to address. The HIPAA Security Rule establishes standards to protect patient data at every level, from administrative to physical to technical, to protect health information.

Compliance with HIPAA Technical Safeguards

Flowing from the HIPAA Security Rule, HIPAA technical safeguards cover the technology, policies, and procedures that protect electronic medical records. While the HIPAA Security Rule requires compliance with technical safeguards, it also allows organizations the flexibility to determine which technical security measures to implement. A few of the standards that drastically enhance security are: Person or Entity Authentication, Access Control, and Audit Controls.

HIPAA multi-factor authentication

We’ve already seen how often healthcare providers access records during routine visits. It sounds obvious, but this is why it’s critical to ensure that the people or entities seeking access to records have the right to do so.

Person or Entity Authentication seeks to do just that by verifying identity. We often think of user credentials (username and password) to help confirm identity, but credential compromise is frequent.

An important step towards compliance is HIPAA multi-factor authentication (MFA). Also known as two-factor authentication (2FA), it provides an additional layer of authentication to secure access to personal information and medical records. HIPAA MFA requires multiple steps of authentication before granting access to sensitive data. For example, your physician might be required to provide a username and password, along with a second factor, such as a one-time code, before gaining access to your medical record.

This additional layer of HIPAA security helps prevent unauthorized access to data. So even if an unauthorized user has a valid username and password, they can’t access protected health information (PHI) without also providing the second factor. Not only does HIPAA 2fa assist with compliance fulfillment, but it’s also just good sense to raise the level of security with two-factor authentication for healthcare.

HIPAA access controls

In addition to authenticating a user’s identity, there are other important steps to take to meet HIPAA technical safeguards. Several of the main areas of oversight fall under the broader umbrella of HIPAA Access Control Policy, which includes Unique User Identification and Automatic Logoff.

Unique user identification

Unique User IDs are special names or numbers that are assigned to identify and track individual users. These are often called a “Logon Name” or “User ID.” These unique credentials help ensure that a person is whom they say they are, and that they are allowed to access the data they’re seeking.

This helps secure data by eliminating shared logins and passwords, thus ensuring correct user identification. It also prevents logins from being compromised by threat actors, either internally or externally.

Security solutions like UserLock can be set up to allow or deny access based on contextual factors, such as location, workstation, device, and time. This prevents unauthorized users from circumventing the system to gain access to sensitive health information.

Automatic logoff

When a system has Automatic Logoff enabled, it terminates a user’s session after a set amount of time. IS Decisions research has shown that 62% of healthcare workers aren’t automatically logged off of the network after a set period of inactivity. It’s compelling evidence that logoff procedures should not be left to the user to remember.

Automatic logoff effectively ensures data security by shutting down access on an inactive workstation or device. With UserLock, IT admins can ensure both Unique User Identification as well as Automatic Logoff to enhance data security.

HIPAA audit controls

Audit Controls exist to record and examine activity related to electronically protected health information. For example, UserLock records, centralizes, and audits network logons. In the unfortunate case of a breach, this type of oversight is useful because logs can be reviewed after an event to support IT forensics. In addition, Audit Controls help manage user access by confirming a user’s identity and making them accountable for malicious activity.