Multi-Factor Authentication Gets a BoostAdvisers Endorse Requirement for HITECH Stage 3
A federal advisory group has endorsed requiring multi-factor authentication in certain cases for Stage 3 of the HITECH Act electronic health record incentive program.
Stage 3 is slated to begin in 2015, and rules are in the early discussion stages at the Department of Health and Human Services. HHS recently issued final rules for Stage 2, which starts in 2014 (see: HITECH Stage 2 Rules: An Analysis).
The HIT Policy Committee, which advises HHS, voted Sept. 6 to accept recommendations from its Privacy and Security Tiger Team to require multi-factor authentication in certain cases involving remote access to patient information. The authentication would have to meet NIST Level of Assurance 3 standards.
The National Institute of Standards and Technology's LOA-3 specification "is appropriate for transactions that need high confidence in the accuracy of the asserted identity," according to NIST. LOA-3 specifies the use of multifactor remote network authentication, with a minimum of two-factor authentication.
The current baseline for electronic health information exchange is LOA-2, which requires a username and password.
The recommendations tackle the challenge of proving the identity of physicians and other users seeking to electronically query or exchange patient data, says Deven McGraw, Tiger Team co-chair. She is also director of the health privacy project at the Center for Democracy & Technology.
The Tiger Team had been working on its "trusted identities of physicians in cyberspace" recommendations for a few months, going back to the drawing board several times to refine its recommendations, including its definition of "remote access" (see: The Role of Robust Authentication).
The trusted identity recommendations endorsed by the HIT Policy Committee on Sept. 6 relate to physicians and other clinical staff who access patient records in the following specific "remote access" scenarios:
- From outside of an organization's/entity's private network;
- From an IP address not recognized as part of the organization/entity or that is outside of the organization/entity's compliance environment;
- From across a network any part of which is or could be unsecure, such as across the open Internet or using an unsecure wireless connection.
The HIT Policy Committee, in accepting the Tiger Team's recommendations, advises the HHS Office of National Coordinator for Health IT, which will help devise Stage 3 guidelines, to monitor the standards-development work of NSTIC, or National Strategy for Trusted Identities in Cyberspace. NSTIC is a White House-led initiative involving collaboration with the private sector, advocacy groups, public sector agencies, and other organizations to improve the privacy, security, and convenience of sensitive online transactions.
As multi-factor authentication technologies improve, "authentication will be easier to take care of," ensuring security without disrupting clinical workflow, McGraw says. "We're trying to raise the floor, not reach the ceiling" with the recommendations, she adds.
The recommendations also advise that ONC consult with NIST about future iterations of NIST 800-63-1, which includes the LOA-3 specification, to identify any unique needs in the healthcare environment that must be specifically addressed.
Finally, the Tiger Team also plans to address making authentication recommendations for patients accessing their health data at a later time, says McGraw.