HIPAA Multi-Factor Authentication (MFA) Requirements
With medical data breaches on the rise, the Health Insurance Portability and Accountability Act (HIPAA) is set to mandate multi-factor authentication (MFA).
Updated January 13, 2026
The HIPAA Security Rule sets clear rules to protect electronic Protected Health Information (ePHI). A proposed update to the HIPAA Security Rule would require multi-factor authentication (MFA) for any access to ePHI, potentially as early as 2026. Here's how UserLock can support HIPAA MFA requirements for on-prem and hybrid Active Directory setups.
HIPAA's proposed MFA requirement will mandate two factors of authentication to verify the identity of all users accessing systems that handle ePHI. This extra security layer helps protect sensitive healthcare data if login credentials are ever stolen or compromised, and supports compliance with the HIPAA Security Rule.
It happens more often than you might think. According to the HIPAA Journal, medical record breaches happen regularly and are only increasing. If breaches this year continue at the current rate, the number of medical records exposed could top 112 million, compared to 29.27 million in 2022. Most of the records stolen stem from hacking and IT incidents, typically involving compromised network servers and email accounts.
Healthcare systems have large attack surfaces with vulnerabilities that criminals can easily exploit.
And full medical records are a treasure trove of critical identifying information: full name, date and place of birth, social security number, physical and email addresses, and credit card information. Complete records can net as much as $1,000, making healthcare systems enticing targets.
Another cause for concern is that healthcare organizations lag behind other industries in cybersecurity preparedness.
IBM's 2023 Cost of a Data Breach Report indicates that healthcare organizations take longer to detect a data breach: 231 days compared to 204 in other industries.
Containment times are also longer, at 92 days compared to 73 days across other industries.
Last and worst of all, the impact on the business’s bottom line is catastrophic. The average cost of a healthcare data breach is nearly $11 million, compared to $4.45 million across industries.
What can healthcare organizations do to tighten up security and safeguard sensitive, protected personal and health information? It starts with the HIPAA Security Rule and HIPAA Technical Safeguards. The HIPAA access control policy follows a zero trust framework, focusing security at the logon.
Think about visiting the doctor. When you arrive, you check in with a receptionist. They verify your name, birth date, mailing address, and payment information, and they may also process your copay using your credit card. Next, a medical assistant or nurse comes in and takes your vitals and health history, which they enter into your electronic medical record via a tablet or computer. Then, when you see the doctor, they type notes and treatment plans into your medical record. Finally, when you leave, you check out with another person who also accesses your record to schedule future appointments and print a visit summary. In a single visit, at least four different people accessed your medical records.
Protecting your medical data during this type of routine access to medical records is just one of the many situations that HIPAA access control seeks to address. The HIPAA Security Rule establishes standards to protect patient data at every level: administrative, physical, and technical.
Flowing from the HIPAA Security Rule, HIPAA technical safeguards cover the technology, policies, and procedures that protect electronic medical records. While the HIPAA Security Rule requires compliance with technical safeguards, it also allows organizations the flexibility to determine which technical security measures to implement. A few of the standards that drastically enhance security are: Person or Entity Authentication, Access Control, and Audit Controls.
We’ve already seen how often healthcare providers access records during routine visits. It sounds obvious, but this is why it’s critical to ensure that the people or entities seeking access to records have the right to do so.
Person or Entity Authentication seeks to do just that by verifying identity. We often think of user credentials (username and password) to help confirm identity, but credential compromise is frequent.
While not yet an official HIPAA requirement, MFA is important for preventing unauthorized access to ePHI.
Also known as two-factor authentication (2FA), it provides an additional layer of authentication to secure access to personal information and medical records.
HIPAA MFA follows guidelines from the National Institute of Standards and Technology (NIST) on authentication, which splits authentication factors into three groups:
Something you know: A password, a PIN, or an answer to a security question.
Something you have: Physical objects such as a hardware key, token or a smartphone authentication app.
Something you are: A fingerprint or facial recognition (like Apple's Face ID).
This additional layer of HIPAA security helps prevent unauthorized access to data. Even if an unauthorized user has a valid username and password, they can’t access protected health information (PHI) without a valid second factor.
In addition to authenticating a user’s identity, there are other important steps to take to meet HIPAA technical safeguards. Several of the main areas of oversight fall under the broader umbrella of HIPAA Access Control Policy, which includes Unique User Identification and Automatic Logoff.
Unique User IDs are special names or numbers that are assigned to identify and track individual users. These are often called a “Logon Name” or “User ID.” These unique credentials help ensure that a person is who they say they are, and that they are allowed to access the data they’re seeking.
This helps secure data by eliminating shared logins and passwords, thus ensuring correct user identification. It also prevents logins from being compromised by threat actors, either internally or externally.
Security solutions like UserLock can be set up to allow or deny access based on contextual factors, such as location, workstation, device, and time. This prevents unauthorized users from circumventing the system to gain access to sensitive health information.
When a system has Automatic Logoff enabled, it terminates a user’s session after a set amount of time. IS Decisions research has shown that 62% of healthcare workers aren’t automatically logged off the network after a set period of inactivity. It’s compelling evidence that logoff procedures should not be left to the user to remember.
Automatic logoff effectively ensures data security by shutting down access on an inactive workstation or device. With UserLock, IT admins can ensure both Unique User Identification as well as Automatic Logoff to enhance data security.
Audit Controls exist to record and examine activity related to electronic protected health information. For example, UserLock records, centralizes, and audits network logons. In the unfortunate case of a breach, this type of oversight is useful because logs can be reviewed after an event to support IT forensics. In addition, HIPAA Audit Controls help manage user access by confirming a user’s identity and holding them accountable for malicious activity.
With the rise in medical data breaches and the high price this stolen data brings, it’s clear that meeting HIPAA MFA, access management, and audit controls should be a priority for every healthcare organization. Security solutions like UserLock MFA provide the technical expertise necessary to implement important components of these standards to secure protected health information.