What is the HIPAA Security Rule Authentication Standard?

Modified on Thu, 8 Aug at 10:20 AM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

The HIPAA Security Rule consists of a series of safeguards to protect the confidentiality, integrity, and availability of ePHI. These safeguards can be divided into three groups: administrative safeguards, physical safeguards, and technical safeguards. Technical safeguards include access controls, audit controls, integrity controls, authentication controls, and transmission security controls. This article describes authentication controls.

What is Authentication?

Authentication is the verification of the identity of a user or other entity as a prerequisite to allowing access to computer resources. Per HHS guidance, authentication is “the corroboration that a person is the one claimed.” 

This corroboration of one’s identity is the prerequisite to allowing access to resources (e.g., computer systems, data) only to those authorized for such access. The classic model of authentication involves the presentation of credentials, which typically include an identifier (e.g., username) and one or more authentication factors. Historically, three factors form the cornerstones of authentication: something you know (e.g., password, personal identification number (PIN)); something you have (e.g., smart ID card, security token); and something you are (e.g., fingerprint, facial recognition, other biometric data).

Single-factor authentication requires only one of the factors listed above, usually a password (e.g., something you know). Multi-factor authentication requires the use of two or more distinct factors. Two-factor authentication is multi-factor authentication where two distinct factors are required. Authentication that requires a user to present multiple instances of the same factor is not multi-factor authentication. For example, an authentication process requiring a password and PIN is not multi-factor authentication because both factors are “something you know.”

What are the Risks of Not Using Multi-Factor Authentication?

According to the HHS guidance, remote access to a covered entity's information systems and ePHI may present a greater risk than access in person. Therefore, stronger authentication processes (e.g., multi-factor authentication) may be a particularly sound practice when permitting or expanding remote access, in order to reduce these risks to a sufficiently low level. In addition, tools that support a covered entity's or business associate's technology infrastructure, such as virtual machine managers or storage area network tools, may present additional risks to the confidentiality, integrity, and availability of ePHI if accessed by unauthorized individuals, thus warranting the use of multi-factor authentication.

This is not to say that multi-factor authentication should only be deployed when a heightened risk is present. The federal agency known as CISA (Cybersecurity & Infrastructure Security Agency) recommends that organizations consider implementing multi-factor authentication on ALL Internet-facing systems, including (but not limited to) email, remote desktop, and Virtual Private Networks (VPNs). 
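The two rules above (distinct factor categories, and MFA on remote-access and Internet-facing systems) can be checked mechanically. The following is an added example, not code from Compliancy Group or HHS; the credential-to-factor table and the `System` fields are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Constructed mapping of common credential types to their factor category.
# Assumption for this example; extend it to match your own environment.
CREDENTIAL_FACTOR = {
    "password": Factor.KNOWLEDGE, "pin": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "smart_card": Factor.POSSESSION, "hardware_token": Factor.POSSESSION,
    "authenticator_app": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE, "face": Factor.INHERENCE,
}


def distinct_factors(credentials):
    """Set of distinct factor categories; unknown credential types are an error."""
    unknown = [c for c in credentials if c not in CREDENTIAL_FACTOR]
    if unknown:
        raise ValueError(f"unknown credential type(s): {unknown}")
    return {CREDENTIAL_FACTOR[c] for c in credentials}


def classify(credentials):
    """Label by number of DISTINCT factors, so password + PIN is still single-factor."""
    n = len(distinct_factors(credentials))
    return {0: "none", 1: "single-factor", 2: "two-factor"}.get(n, "multi-factor")


@dataclass
class System:
    name: str
    credentials: list = field(default_factory=list)
    internet_facing: bool = False    # CISA: consider MFA on all Internet-facing systems
    remote_access: bool = False      # HHS: remote access carries greater risk
    infrastructure_tool: bool = False  # e.g. VM manager or SAN management tool


def review(system):
    """Findings (empty list if none) based on the guidance quoted in this article."""
    findings = []
    factors = distinct_factors(system.credentials)
    if len(system.credentials) >= 2 and len(factors) < 2:
        findings.append(f"{system.name}: {system.credentials} are all "
                        f"'{next(iter(factors)).value}'; this is not multi-factor")
    if (system.internet_facing or system.remote_access
            or system.infrastructure_tool) and len(factors) < 2:
        findings.append(f"{system.name}: elevated-risk access path without MFA")
    return findings
```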

Further Resources

  1. https://compliancy-group.com/hipaa-multi-factor-authentication-requirements/
  2. https://www.hipaajournal.com/hipaa-password-requirements/
  3. https://405d.hhs.gov/Documents/405d-have-you-heard-mfa.pdf
  4. https://www.hhs.gov/sites/default/files/two-factor-authorization.pdf
  5. https://405d.hhs.gov/Documents/tech-vol1-508.pdf - Small-Organizations Cybersecurity Best Practices - MFA is mentioned several times in regards to Email Access, Role Based Access, VPN, etc.
