10/07/2014
Understanding HIPAA Compliance Requirements for Access Control and Authentication
For covered entities and business associates in healthcare, meeting HIPAA person or entity authentication requirements is critical to achieving and maintaining compliance, but it is also a fundamental step in implementing best practices that will ensure the strongest possible security for protected health information.
In this article, we explore the HIPAA requirements for access controls and person or entity authentication, analyze the vulnerabilities and weaknesses of most authentication methods, and identify an authentication solution that not only meets but exceeds HIPAA standards and makes it virtually impossible for anyone to gain unauthorized access to health information.
The requirements for person or entity authentication can be found in Security Standards for the Protection of Electronic Personal Health Information: Technical Safeguards – § 164.312 of the amended U.S. Health and Human Services Regulations as of January 2013.
Two subsections of the Technical Safeguards focus specifically on access control and secure authentication to protect electronic health information:
NOTE: The above summary contains selected excerpts. For the full text, see Security Standards for the Protection of Electronic Personal Health Information: Technical Safeguards – § 164.312 of the amended U.S. Health and Human Services Regulations as of January 2013.
HIPAA Access Control Requirements
In the case of access control, this is a standard element of data security and means that access to electronic protected health information will be restricted through a login and authentication method. Thus, a login mechanism is used to secure and control access to information, and only persons who have been granted the required access rights can log into information systems containing the protected data.
There are two fundamental HIPAA requirements for implementing access control. One is assigning a unique user name or number for identifying and tracking user identity, which is a fundamental component of virtually any login and authentication method. The other is establishing procedures for gaining access to electronic health information in the case of an emergency, which extends beyond login and authentication procedures and potentially into additional access rights, backup systems, and mechanisms to allow healthcare personnel or business associates to access information in the case of an emergency.
Two additional elements are not required but are considered “addressable” and were given careful consideration as possible requirements before the final HIPAA regulations were published.
One is to implement automatic logoff procedures that will terminate a login session after a predetermined period of inactivity. This is to ensure that access is still secured in cases when someone may walk away from a computer or system, thus creating an opportunity for an unauthorized user to use that same workstation or interface to access protected information.
The other is the proposed optional use of encryption as a means of providing access control. In this case, file encryption is considered an acceptable method of denying access to information in a particular file and not as a means of controlling user access to information systems more generally.
HIPAA Authentication Requirements
Another core component of HIPAA compliance is person or entity authentication. The regulations call for covered entities and business associates to implement procedures that verify that a person or entity seeking access to electronic protected health information is the one claimed. This means that a system must provide a means of identity verification and corroborate the identity of the person or entity that is attempting to access protected data.
Originally, HHS had proposed four specific verification methods that would be included with this requirement:
In its final rule, however, HHS provided only a general requirement and did not stipulate these specific methods as requirements or as the only methods that might ensure compliance.
This offers covered entities and business associates freedom in selecting and choosing their preferred authentication methods, but it also leaves them without specific guidance. And this freedom does not mean that the method you choose will ensure compliance or avoid serious risks and vulnerabilities that could prove costly if protected information is not appropriately safeguarded.
Assessing the Vulnerabilities of Authentication Methods
In examining potential solutions to meet HIPAA requirements for access control and especially for authentication, security is the most important factor.
Any security breach through an authentication method’s failings or vulnerabilities could place a covered entity or business associate at serious risk of fines and sanctions from HHS, and create legal liabilities from the exposure of patient information to unauthorized parties.
Why Passwords Should Never Be Used in Authentication
Unfortunately, while HHS may have considered a password system as a potential method to ensure authentication compliance, any password-based method is highly insecure. The use of passwords and other sensitive credentials for authentication opens up entities to a litany of potential cyberattacks that can compromise systems and protected health information.
Hacking, malware, phishing schemes, man-in-the-middle attacks, and SQL injections have all been used to successfully defeat password-based login methods across a wide range of industries, including cases involving Swiss banks, which are otherwise known for having some of the strongest cybersecurity in the world.
Moreover, the continued use of passwords and other sensitive login credentials invites attacks because one of the primary incentives for cybercriminals is the prospect of compromising a user account and using it to gain unauthorized access to services and deploy tools that can be used to steal entire databases of user information and sensitive data from servers.
If passwords are used during the entry of login information, are transmitted to the server to verify identity, or are stored on the server for any reason, then they can easily be stolen or will inevitably be a potential target for cyberattacks.
Why Telephone Callbacks and Tokens are Not Viable Options
Telephone callback systems provide another potential means of user authentication, but if users rely on smartphones for this purpose, the method depends on the security of mobile networks, which is never a certainty. It also requires access to a mobile network, which is not always possible inside certain buildings or structures or when traveling overseas. As an alternative, the user may use a landline telephone, but this could be a shared line and may not be completely private or secure.
In the case of token-based authentication methods, an SMS code is typically required for authentication. This usually means that an ID and password combination are still used, thus perpetuating the risks and problems associated with password-based methods.
Moreover, while requiring that a user have a mobile device to receive an SMS access code is better than relying on a password alone, the SMS method has already been exploited by attackers through multiple methods, and, much like telephone callbacks, it requires access to a mobile network. It also requires that the code be re-entered through the login screen, which means that these code entries are susceptible to interception in transit and that the SMS method is potentially vulnerable to malware, SIM card cloning, and man-in-the-middle attacks.
An alternative to this is the hardware token method, which typically requires users to enter an ID and password for their login and then authenticate using a USB hardware token that is connected to a computer. This is problematic in its continued reliance on passwords, and hardware tokens are not immune to the risks of hacking.
They are also often unusable for access to information systems through mobile devices such as tablets or smartphones. Since mobile devices are typically not equipped with the standard USB ports required for hardware token authentication, this method is limited and can potentially be a significant obstacle to access.
Why PIN and Biometric Methods Provide the Best Possible Security
In contrast, a PIN and/or biometric method offers a better option for authentication because it relies on security principles that are similar to those used in smartcard technologies. In the case of smartcards, a PIN typically protects access to a private key that is stored on a microchip implanted on the card. The entry of the PIN requires the user’s knowledge, and this, combined with physical possession of the card, confirms identity and rightful ownership of the smartcard. This allows the card to digitally sign an authentication challenge, and the successful completion of this challenge allows the secured system to grant access.
In the case of software authentication for healthcare information systems, the user’s knowledge of a PIN and/or the user’s biometric identifier, like a fingerprint, can be combined with something that only the user possesses, like a mobile device, to verify identity. Just as knowledge and possession verifies identity for the purposes of completing an authentication challenge with a smartcard, the combination of knowledge and possession or knowledge and biometrics, or the combination of all three, can be used to confirm identity and authorize access to protected health information.
With data security experts and IT industry leaders declaring the death of the password and calling for a move to newer, more secure authentication methods such as two-factor authentication, these principles of knowledge, possession, and biometrics are now leading the way, and solutions that rely on these factors will likely become the standard requirements for compliance with a wide range of data security regulations.
Achieving HIPAA Authentication Compliance with Mobile PKI Authentication
Using the principles of knowledge, possession, and biometrics, PIN and/or biometric authentication can be deployed using public key infrastructure (PKI) with mobile technology that supports access from all devices, eliminates the use of passwords or other sensitive credentials during the login process, and makes it physically impossible for attackers to compromise user accounts. Using this approach, covered entities and business associates can be assured that they are not only meeting HIPAA compliance requirements but even exceeding them and staying ahead of future developments in data security.
With mobile PKI authentication, no password or sensitive credential is entered during a login, transmitted, or stored on a server. So there are physically no credentials for cybercriminals to steal, and thus they cannot use stolen credentials to gain access to user accounts, deploy malicious tools, or gain unauthorized access to protected health information.
With PKI authentication, users can verify identity using a PIN or passcode that is entered into a mobile app that is used for authentication. The PIN or passcode verifies rightful ownership of a 2048-bit encrypted private key that is stored on the mobile device using a patented SafeKey mechanism that prevents brute force attacks.
Optionally, users can use a biometric method to verify their ownership of their private key using Apple’s Touch ID fingerprint scanning technology. Or, for added security, this biometric can be combined with the PIN or passcode to create a truly multi-factor authentication method.
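As an added illustration of the challenge-response principle described above for smartcards and for mobile PKI, here is a small example written for this article (it is not SecSign's product code and does not model the SafeKey mechanism): the server enrolls only the user's public key, issues a single-use random challenge, and grants access only when the device signs that challenge with the private key it holds. The PIN or biometric step that unlocks the key on the device is assumed to happen locally and is not modelled.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Server stores only each user's public key (never a password) plus the
// challenges it has issued and not yet seen answered.
type Server struct {
	pubKeys map[string]*rsa.PublicKey
	pending map[string]bool
}
func NewServer() *Server {
	return &Server{pubKeys: map[string]*rsa.PublicKey{}, pending: map[string]bool{}}
}
// Enroll registers the user's public key; the private key stays on the device.
func (s *Server) Enroll(user string, pub *rsa.PublicKey) { s.pubKeys[user] = pub }
// Challenge issues a fresh 32-byte random nonce that may be answered only once.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[string(nonce)] = true
	return nonce, nil
}
// Verify checks the PSS signature over SHA-256(nonce) against the enrolled key
// and consumes the nonce, so a captured response cannot be replayed.
func (s *Server) Verify(user string, nonce, sig []byte) error {
	if !s.pending[string(nonce)] {
		return errors.New("unknown or already used challenge")
	}
	delete(s.pending, string(nonce))
	pub, ok := s.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	h := sha256.Sum256(nonce)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil)
}
// SignChallenge runs on the device: it signs the nonce with the local private key.
func SignChallenge(priv *rsa.PrivateKey, nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}
```

Nothing that crosses the network (the nonce and the signature) can be reused or turned into a credential, which is the property the text attributes to mobile PKI logins.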
For more details on PKI authentication, how it compares to other authentication methods, and how it can be implemented and integrated with existing systems, websites, networks, and services, please see our blog post, “Choosing the Best and Safest Two-factor Authentication Method”.
Compliance without Sacrificing Usability
Of course, in implementing data security, usability is also important. A method that delivers strong access and authentication security but imposes burdens on authorized users is not ideal. It must still provide quick and convenient access to health information whenever and wherever it is needed.
So the key is to implement access controls and accompanying authentication that will deliver powerful security but still be simple and easy to use.
Thankfully, with mobile PKI authentication, users can log in and authenticate their identity in seconds. Only one entry into the login screen is required, and authentication is completed using just a few taps on their mobile device.
Best of all, passwords and sensitive credentials are never required or used for logins or authentication, and this also means that users no longer have to remember or use long, complicated passwords.
Users can self-enroll and use a single user ID and authentication account to securely log in and authenticate for any service protected by this method. It can easily be deployed as a single sign-on across all applications, networks, websites, and other services.
Mobile PKI authentication can also be integrated in the cloud or as an on-premises solution that operates on an entity’s own infrastructure, behind its own firewall, with centralized administration, auditing, and reporting.
Learn More about PKI Authentication for HIPAA Compliance
To learn more about mobile PKI authentication, please watch our video or visit our website at https://www.secsign.com/. Our cryptography experts and security engineers can provide expert consultation and implementation support to help you choose and implement the best possible security for HIPAA access control and person or entity authentication.
SecSign Technologies is a sister company of SecCommerce Informationssysteme GmbH, a leader in cryptography and data security solutions and developer of access control and authentication technologies for organizations such as IBM, Johnson & Johnson, Siemens, Fujitsu, T-Systems, BMW, and Audi.