HIPAA Multi Factor Authentication Requirements

Multi factor authentication is a means for protecting data requiring multiple login credentials to access data or a software application. HIPAA multi factor authentication, or HIPAA MFA, provides an additional layer of security to secure protected health information (PHI). Details regarding HIPAA multi factor authentication requirements are discussed below.

What is HIPAA Multi Factor Authentication?

Multi factor authentication, sometimes referred to as two-factor authentication (2FA), is a tool that is used to verify that users are who they appear to be. With a multi-factor authentication requirement, users must implement multiple unique login credentials to access sensitive data.

HIPAA Multi Factor Authentication Requirements / HIPAA MFA

For instance, when logging into your organization’s electronic health record (EHR) platform, instead of just using a username and password to access the platform, MFA would require you to input an additional unique login credential before you can access the EHR. A secondary login credential may include security questions, a one-time PIN, or biometrics.

MFA and 2FA provide organizations with an additional layer of security. This is because even if an unauthorized user has access to an employee’s username and password, the unauthorized party would be unable to access data unless they also had access to the other unique login credentials. As such, HIPAA MFA reduces the risk of an unauthorized party gaining access to your sensitive data by using compromised login credentials.

NIST categorizes credentials into three categories:

  • Something you know (like a password or PIN)
  • Something you have (like a smart card)
  • Something you are (like your fingerprint)

NIST states, “Your credentials must come from two different categories to enhance security, so entering two different passwords would not be considered multi-factor.”

For more information on NIST password guidelines, please click here.

Common Vulnerabilities That Can Be Addressed with HIPAA MFA

SANS Software Security Institute released a paper in which they identified the most common vulnerabilities in data security

The three areas of concern that they identified are as follows:

Business Email Compromise. Uses phishing attempts to obtain users’ login credentials. However, when organizations use MFA or 2FA, even when a hacker is able to steal an employee’s username and password, they are unable to access sensitive information.

Legacy Protocols. Pose a major risk to security as hackers exploit known vulnerabilities in software applications to gain access. This is why it is essential to install software patches that address vulnerabilities as they become available.

Third-Party Password Reuse. When employees use commonly used passwords, or use the same password to access multiple applications, the risk of unauthorized access grows exponentially. It was found that 73% of passwords are duplicates. Users often reuse passwords, posing serious risks to a healthcare organization that uses single-factor authentication. SANS Software Security Institute states, “This behavior is true not only between password resets but also between different sites and organizations. Even with good, strong no-reuse policies, you are still fighting against other third parties where users may have reused their passwords. Thus, if your users are reusing passwords, their security becomes your security.”

Why You Should Implement HIPAA Multi Factor Authentication

According to a report released by Microsoft, by implementing HIPAA MFA, organizations reduce their cybersecurity risk by 99.9%. This is because the most common cause of cyberattacks stem from the use of stolen login credentials, with 81% of breaches caused by stolen credentials. 

What’s even more concerning is that 55% of organizations in the U.S. suffered from at least one successful phishing attack last year. With only 11% of organizations utilizing MFA or 2FA, these attacks have left many organizations vulnerable to data theft.

Ransomware and Healthcare Organizations

With the drastic increase in ransomware attacks targeting healthcare organizations, the FBI and HHS have issued a warning to healthcare organizations.

The FBI and the HHS have provided recommendations on how healthcare organizations can mitigate the chances of falling victim to the ransomware threat.

This includes:

  • Implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and implementing security measures to mitigate or remediate those identified risks; 
  • Implementing procedures to guard against and detect malicious software; 
  • Training users on malicious software protection so they can assist in detecting malicious software and know how to report such detections; and 
  • Implementing access controls to limit access to ePHI to only those persons or software programs requiring access.

HIPAA Protects You

Protect your business from expensive breaches and fines!