News Feature | November 21, 2016

HHS OCR Admonition To Beef Up Security Is Not Enough, Pros Say

By Christine Kern, contributing writer

OCR reminds HIPAA covered entities to tighten authentication procedures to protect data.

HHS’ Office for Civil Rights is admonishing healthcare organizations to beef up their electronic authentication methods in light of the recent uptick in cyberattacks. In its latest cyber awareness monthly update, OCR reminded HIPAA covered entities they must have reasonable and appropriate authentication procedures to verify someone seeking access to electronic protected health information is who they claim to be. This is designed to help safeguard electronic protected health information (ePHI) against compromise.

“Over the past years, the healthcare sector has been one of the biggest targets of cybercrime,” OCR noted. “Some of these cybercrimes resulted in breaches due to weak authentication, which has made healthcare entities take a second look at their safeguards and consider strengthening their authentication methods.”

Under the Person or Entity Authentication standard of the HIPAA Security Rule, covered entities and business associates must implement “reasonable and appropriate authentication procedures,” but the standard does not spell out what those procedures should be.

For some security professionals, however, this warning was not enough. According to Healthcare Info Security, they argue OCR should have pressed for broader use of multifactor authentication as a means of preventing data breaches; the update itself did not call for adoption of multifactor authentication.

Privacy and security expert Kate Borten of the Marblehead Group places some of the blame for the industry’s resistance to multifactor authentication on the vendors, stating that small provider organizations “are increasingly using vendor-hosted electronic health records, and yet I see little or no effort on the vendors’ part to promote and support multifactor authentication.”

“Not only is multifactor authentication secure, but its mere existence acts as a deterrent to hackers,” Dan Berger, CEO of security consultancy Redspin, told Healthcare Info Security. “Hackers always gravitate to the easiest path — and cracking a multifactor authentication implementation is incredibly time-consuming.”

Cris Ewell, CISO at University of Washington Medicine, points out nothing can eliminate all risk, saying, “For example, if an authenticated user clicks on a message with malware and this installs a rootkit that gives full access, the adversary has the potential access to a system without multifactor authentication. Server-to-server communication is not generally controlled through the use of multifactor authentication — other than certs — and once an individual gains access, they can use service accounts to get around multifactor authentication.”