Similar to the United States’ HIPAA law, the General Data Protection Regulation (GDPR), enacted in 2016, protects Europeans’ personal data. HIPAA and GDPR require many of the same safeguards with regard to the handling of protected health information (PHI), one of which is security controls.
Employee Snooping Causes GDPR Fine
In the Netherlands, a $516,000 fine was issued as a result of an employee accessing the file of a famous Dutch person. Samantha de Jong, a Dutch reality TV star, was a patient of Haga Hospital in The Hague. The reality TV star’s patient file was accessed by dozens of employees without authorization.
The Dutch Supervisory Authority, which is responsible for investigating data breaches, found that the hospital failed to implement multi-factor authentication, as required by law. The agency stated, “To force the hospital to improve the security of patient records, the AP simultaneously imposes an order subject to a penalty. If the Haga Hospital has not improved security before Oct. 2, the hospital must pay 100,000 euros every two weeks, with a maximum of 300,000 euros.”
Both HIPAA and GDPR laws require access management to be in place to ensure that sensitive information can only be accessed by authorized personnel.
What is Access Management?
Access management controls which individuals can view certain information. For example, someone working in the billing department doesn’t need access to patient medical records, just as nurses don’t need access to patients’ financial information.
An organization must:
- Give users unique login credentials
- Restrict users from sharing their login information with others
- Have the ability to attribute actions to specific individuals
- Restrict network access based on each user’s job function
- Review network access for individuals who change roles within the organization
- Enforce the use of secure passwords
- Monitor logon and logoff activity
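The requirements above (unique credentials, attribution, and restriction by job function) can be checked against an access audit log. The following is an added example, not part of the original article: the role policy, care-team assignments, user IDs, patient IDs and log entries are all constructed for illustration.

```python
from collections import defaultdict

# Assumed policy: record types each job function may open.
ROLE_POLICY = {
    "billing": {"financial"},
    "nurse": {"medical"},
    "physician": {"medical"},
}

# Constructed care assignments: users with a treatment relationship to a patient.
CARE_TEAM = {"P-1001": {"u-nurse-07", "u-doc-02"}}

# Constructed audit events: (timestamp, user_id, role, patient_id, record_type).
# Unique user IDs are what make each access attributable to one person.
AUDIT_LOG = [
    ("2024-03-04T09:02", "u-nurse-07", "nurse", "P-1001", "medical"),
    ("2024-03-04T09:15", "u-bill-03", "billing", "P-1001", "financial"),
    ("2024-03-04T10:41", "u-bill-03", "billing", "P-1001", "medical"),
    ("2024-03-04T11:05", "u-nurse-12", "nurse", "P-1001", "medical"),
    ("2024-03-04T11:07", "u-nurse-19", "nurse", "P-1001", "medical"),
    ("2024-03-04T11:30", "u-nurse-07", "nurse", "P-1001", "financial"),
]

def is_allowed(role, record_type):
    """Job-function check; unknown roles are denied by default."""
    return record_type in ROLE_POLICY.get(role, set())

def review_access(events, care_team):
    """Return (role_violations, out_of_team) for a list of audit events.

    role_violations: accesses the role policy should have blocked.
    out_of_team: per patient, users whose role permits medical records
                 but who have no recorded treatment relationship.
    """
    role_violations = []
    out_of_team = defaultdict(set)
    for ts, user, role, patient, record_type in events:
        if not is_allowed(role, record_type):
            role_violations.append((ts, user, patient, record_type))
        elif record_type == "medical" and user not in care_team.get(patient, set()):
            out_of_team[patient].add(user)
    return role_violations, dict(out_of_team)

if __name__ == "__main__":
    violations, snooping = review_access(AUDIT_LOG, CARE_TEAM)
    for v in violations:
        print("role violation:", v)
    for patient, users in snooping.items():
        print("no care relationship:", patient, sorted(users))
```

The second result is the case a role check alone misses: a user whose job function permits medical records but who has no reason to open this particular patient's file.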
Access Management Using Multi-factor Authentication (MFA)
The General Data Protection Regulation (GDPR) requires that organizations implement multi-factor authentication (MFA) to control which users have access to what information. MFA uses multiple security factors to identify an individual, such as a password in combination with a biometric scan.
Users must use two of the following security factors to gain access to information:
- “Knowledge” factor: a password or PIN
- “Possession” factor: a one-time access code generated by a secure mobile app
- “Inherence” factor: a biometric scan
- “Location” factor: a specific location that can verify your identity
The most effective authentication system for healthcare organizations is a single sign-on system (SSO). SSO allows individuals to use one set of login credentials to access multiple applications, maintaining the enhanced security of MFA while allowing for quick access to records, satisfying HIPAA and GDPR regulations.
Do You Need Help Addressing HIPAA Requirements?
Compliancy Group can help simplify your compliance, allowing you to confidently focus on your business. Our cloud-based compliance software, the Guard™, can be accessed from any device connected to the internet. In addition, the Guard stores all that you need to prove your “good faith effort” towards compliance in one convenient location. Find out more about how Compliancy Group can help you with your HIPAA compliance needs!