Multi-Factor Authentication Gets a Boost

Advisers Endorse Requirement for HITECH Stage 3
Multi-Factor Authentication Gets a Boost

A federal advisory group has endorsed requiring multi-factor authentication in certain cases for Stage 3 of the HITECH Act electronic health record incentive program.

See Also: 2024 Threat Hunting Report: Insights to Outsmart Modern Adversaries

Stage 3 is slated to begin in 2015, and rules are in the early discussion stages at the Department of Health and Human Services. HHS recently issued final rules for Stage 2, which starts in 2014 (see: HITECH Stage 2 Rules: An Analysis).

The HIT Policy Committee, which advises HHS, voted Sept. 6 to accept recommendations from its Privacy and Security Tiger Team to require multi-factor authentication in certain cases involving remote access to patient information. The authentication would have to meet NIST Level of Assurance 3 standards.

NIST Standard

The National Institute of Standards and Technology's LOA-3 specification "is appropriate for transactions that need high confidence in the accuracy of the asserted identity," according to NIST. LOA-3 specifies the use of multifactor remote network authentication, with a minimum of two-factor authentication.

The current baseline for electronic health information exchange is LOA-2, which requires a username and password.

The recommendations tackle the challenge of proving the identity of physicians and other users seeking to electronically query or exchange patient data, says Deven McGraw, Tiger Team co-chair. She is also director of the health privacy project at the Center for Democracy & Technology.

The Tiger Team had been working on its "trusted identities of physicians in cyberspace" recommendations for a few months, going back to the drawing board several times to refine its recommendations, including its definition of "remote access" (see: The Role of Robust Authentication).

Remote Access

The trusted identity recommendations endorsed by the HIT Policy Committee on Sept. 6 relate to physicians and other clinical staff who access patient records in the following specific "remote access" scenarios:

  • From outside of an organization's/entity's private network;
  • From an IP address not recognized as part of the organization/entity or that is outside of the organization/entity's compliance environment;
  • From across a network any part of which is or could be unsecure, such as across the open Internet or using an unsecure wireless connection.

The HIT Policy Committee, in accepting the Tiger Team's recommendations, advises the HHS Office of National Coordinator for Health IT, which will help devise Stage 3 guidelines, to monitor the standards-development work of NSTIC, or National Strategy for Trusted Identities in Cyberspace. NSTIC is a White House-led initiative involving collaboration with the private sector, advocacy groups, public sector agencies, and other organizations to improve the privacy, security, and convenience of sensitive online transactions.

As multi-factor authentication technologies improve, "authentication will be easier to take care of," ensuring security without disrupting clinical workflow, McGraw says. "We're trying to raise the floor, not reach the ceiling" with the recommendations, she adds.

The recommendations also advise that ONC consult with NIST about future iterations of NIST 800-63-1, which includes the LOA-3 specification, to identify any unique needs in the healthcare environment that must be specifically addressed.

Finally, the Tiger Team also plans to address making authentication recommendations for patients accessing their health data at a later time, says McGraw.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.