Healthcare organizations regularly handle patient information and must take precautions to safeguard sensitive data. Implementing HIPAA access controls and having an access management system reduces the likelihood of unauthorized access to protected health information (PHI). Access management is also one of the ten cybersecurity best practices recommended by the Department of Health and Human Services (HHS).
What is HIPAA Access Management?
HIPAA access management is an integral part of security and compliance. Access management enables organizations to limit access to sensitive data through security controls. Because much of HIPAA regulates the use and disclosure of PHI, access controls are directly tied to HIPAA compliance.
The HIPAA Privacy Rule, in particular, requires employee PHI access to be restricted to the “minimum necessary” that allows the individual to perform their job functions. As a result, healthcare organizations must have information access management systems. HIPAA access management controls which employees can view certain information.
For example, someone working as an administrative assistant only needs access to the information required to book an appointment, such as the patient’s name, contact information, and how much time to block off for the appointment. A doctor needs access to the patient’s medical history to treat the patient, but the administrative assistant does not need it to schedule appointments.
To implement a HIPAA access management system, organizations must:
- Create unique login credentials for each employee
- Prohibit employees from sharing their login with others
- Have the ability to attribute actions to specific individuals
- Restrict access to information based on employee job function
- Amend information access for individuals who change roles within the organization
- Enforce the use of secure passwords
- Track logon and logoff activity
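The requirements above, as an added example that is not from the original article: a small Python model of an access manager that issues one login per employee, restricts each role to the fields its job needs (the administrative-assistant versus doctor split described earlier), replaces entitlements on a role change, and attributes every granted or denied read to a login in an audit log. The role names, field names, logins and patient record are constructed for illustration.

```python
"""Minimum-necessary access with per-user attribution and an audit trail.
Roles, field names, users and the patient record are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Each role sees only the fields its job function needs (constructed policy).
ROLE_FIELDS = {
    "admin_assistant": {"name", "contact", "appointment_minutes"},
    "physician": {"name", "contact", "appointment_minutes", "medical_history"},
}

# Constructed sample record; not real patient data.
PATIENT_RECORD = {"name": "Jane Example", "contact": "555-0100",
                  "appointment_minutes": 30, "medical_history": "sample-history"}


@dataclass
class AccessManager:
    users: dict = field(default_factory=dict)      # login -> role
    audit_log: list = field(default_factory=list)  # one entry per attributed action

    def _log(self, login, action, detail, granted):
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "login": login, "action": action,
                               "detail": detail, "granted": granted})

    def provision(self, login, role):
        # One unique login per employee: never re-issue an existing login.
        if login in self.users or role not in ROLE_FIELDS:
            raise ValueError(f"cannot provision {login!r} as {role!r}")
        self.users[login] = role
        self._log(login, "provision", role, True)

    def change_role(self, login, new_role):
        # A role change replaces entitlements; it never accumulates them.
        if login not in self.users or new_role not in ROLE_FIELDS:
            raise ValueError(f"cannot move {login!r} to {new_role!r}")
        self._log(login, "role_change", f"{self.users[login]}->{new_role}", True)
        self.users[login] = new_role

    def read(self, login, record, requested):
        # Every read is attributed to a login and logged, whether granted or denied.
        if login not in self.users:
            raise PermissionError(f"unknown login {login!r}")
        denied = sorted(set(requested) - ROLE_FIELDS[self.users[login]])
        if denied:
            self._log(login, "read", denied, False)
            raise PermissionError(f"{login} may not read {denied}")
        self._log(login, "read", sorted(requested), True)
        return {f: record[f] for f in requested}
```

Denied reads are logged before the exception is raised, so the audit trail records the attempt as well as the successes.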
Establishing HIPAA Access Controls with 2FA
An essential part of implementing HIPAA access controls is user authentication. User authentication verifies that users are who they appear to be by requiring them to input unique login credentials before accessing sensitive information.
The government recommends that organizations implement two-factor authentication (2FA) to control which users within the organization have access to which information. 2FA uses multiple security factors to identify an individual, such as a username and password in combination with a security question; for the strongest assurance, the two factors should come from different categories in the list below, since a password and a security question are both knowledge factors.
With 2FA, users must use two of the following security factors to gain access to information:
- “Knowledge” factor: a password or PIN
- “Possession” factor: a one-time access code generated by a secure mobile app
- “Inherence” factor: a biometric scan
- “Location” factor: a specific location that can verify your identity
Not only does HIPAA mandate that organizations restrict access to PHI, but it also requires authorized users to have easy access to PHI. Keeping that in mind, the most effective authentication system for healthcare organizations is a single sign-on system (SSO). SSO allows individuals to use one set of login credentials to access multiple applications, maintaining the enhanced security of 2FA while allowing for quick access to records.
HHS Cybersecurity Best Practices
- Email protection systems
- Endpoint protection systems
- Access management
- Data protection and loss prevention
- Asset management
- Network management
- Vulnerability management
- Incident response
- Medical device security
- Cybersecurity policies