Want to be HIPAA Secure? Ditch Your Passwords

Let’s face it, most passwords are not secure, and that’s a huge problem when it comes to HIPAA. The HIPAA Security Rule requires covered entities and business associates to assign a “unique identifier” to every user of their information systems. There’s also a rule related to “authentication,” which is tech-speak for ensuring that the person using a computer is the person they claim to be. In healthcare, and in our personal lives, the method most used for authentication is a username and password. Most of you know what that looks like:

USERNAME:

MyName (I’m so sneaky)

PASSWORD:

12345 (or better yet) nameofmycat (because you love your cat)

Basically, anyone who's ever chatted with you for two minutes, or seen your Facebook profile, could guess that information.

Another problem with password authentication is that it’s difficult to remember every username and password you have for all of your accounts. Most of us do everything online in our personal lives, and at work it’s usually the same. Memorizing dozens of passwords is grueling, so it’s common to take shortcuts, like reusing the same password for everything or writing passwords on notes that others could read. The problem is that if a password is too simple (nameofmycat), it can be recovered by dictionary attacks and other brute-force methods, and the account can be breached. It’s not secure, and in the healthcare industry “not secure” can lead to HIPAA violations, fines, and a bad reputation if the wrong people get into your system. To fix these issues, we need to change the way we do passwords.

The solution is pretty simple. The ideal method for authentication is 2FA, or two-factor authentication. Combined with single sign-on (2FA/SSO), it also lets your organization reduce the number of passwords each user has to manage. In fact, 2FA/SSO is a control that can simultaneously improve security and workflow.

Three factors to use for authentication:

  • Something you know: Secret knowledge that only you know and therefore only you can reveal. E.g. a password is something you know.
  • Something you have: An exclusive object used to gain access. E.g. an ATM card or a key fob. ATM machines use “two factors”: a secret passcode and a key card. We will talk more about multi-factor authentication later in this e-brief.
  • Something you are: Something unique to you as a person such as a fingerprint. This form of authentication is often referred to as biometric authentication.

Using more than one factor (2FA) for authentication is always more secure. A bank ATM card, for example, uses two factors: Something you know (a PIN) and something you have (an ATM card).

SSO, or single sign-on, is a method that uses software to log into and authenticate to multiple systems with one very secure authentication method (2FA, for example). When SSO is combined with 2FA, it can reduce the number of passwords that need to be memorized down to just one. And because it’s only one, it can be a complex password. These systems don’t usually require entering the password multiple times a day; usually, users enter it only once or twice a day, and the “other factor,” such as a proximity card, is used for logging into and out of systems throughout the day. Logging in is quick and easy: the user just touches or taps the proximity card against a card reader, and it logs the user into the system. If SSO is included, it logs the user into most, if not all, of the systems they need access to. When 2FA/SSO is combined with a virtualized system, it can enhance workflow even more by allowing the user’s “virtual desktop” to follow the user and remember where they were working in the last session in the room next door.
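To make the three factors above concrete, here is an added example (not code from this post or from any vendor named in it) of a login check that requires both “something you know” (a password, stored only as a salted hash) and “something you have” (a time-based one-time code of the kind an authenticator app or hardware token generates, per RFC 6238). The second factor here is a one-time code rather than the proximity card described above, because a code can be demonstrated offline. The user record, the salt and all function names are constructed for the example; the TOTP seed is the RFC 6238 reference seed so the codes can be checked against the RFC’s published test vectors.

```python
"""Added example: password + time-based one-time code (two factors).

Constructed for illustration; not the blog's or any vendor's code.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

PBKDF2_ROUNDS = 100_000  # work factor for the stored password hash; raise in production

# Constructed salt. In practice generate one per user with os.urandom(16).
SALT = b"example-salt-replace-me"

# Constructed user store. The password is kept only as a salted PBKDF2 hash.
# The TOTP seed is the RFC 6238 reference seed ("12345678901234567890") so the
# codes match the RFC's test vectors; a real seed is random and unique per user.
USER_DB = {
    "MyName": {
        "pw_hash": hashlib.pbkdf2_hmac(
            "sha256", b"correct horse battery staple", SALT, PBKDF2_ROUNDS),
        "totp_seed": b"12345678901234567890",
    }
}


def totp(seed: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) computed over the 30-second time counter."""
    counter = struct.pack(">Q", at_time // step)          # 8-byte big-endian counter
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def password_ok(username: str, password: str) -> bool:
    """Factor 1, something you know: constant-time compare of the salted hash."""
    user = USER_DB.get(username)
    # Hash the candidate even for an unknown username, so that an unknown user
    # costs the same time as a wrong password and the response does not
    # reveal which usernames exist.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, PBKDF2_ROUNDS)
    if user is None:
        return False
    return hmac.compare_digest(candidate, user["pw_hash"])


def second_factor_ok(username: str, code: str,
                     now: Optional[int] = None, window: int = 1) -> bool:
    """Factor 2, something you have: the code from the user's token or app.

    Accept the current 30-second step and `window` steps either side so a
    slightly drifted clock on the token does not lock the user out.
    """
    user = USER_DB.get(username)
    if user is None:
        return False
    now = int(time.time()) if now is None else now
    for drift in range(-window, window + 1):
        expected = totp(user["totp_seed"], now + drift * 30)
        if hmac.compare_digest(expected, code):
            return True
    return False


def login(username: str, password: str, code: str,
          now: Optional[int] = None) -> bool:
    """Both factors are always evaluated, so the response time does not tell a
    caller whether the password alone was right."""
    know = password_ok(username, password)
    have = second_factor_ok(username, code, now)
    return know and have


if __name__ == "__main__":
    t = 59  # fixed time so the demo is reproducible (RFC 6238 vector: code 287082)
    good_code = totp(b"12345678901234567890", t)
    print(login("MyName", "correct horse battery staple", good_code, now=t))  # True
    print(login("MyName", "correct horse battery staple", "000000", now=t))   # False
    print(login("MyName", "nameofmycat", good_code, now=t))                   # False
```

The point to notice is the last two lines of the demo: a correct password with a guessed code fails, and a correct code with a guessed password (nameofmycat) fails too, so a password that someone could learn from your Facebook profile is no longer enough on its own. In a real deployment the seed would be provisioned into the user’s app or token, and the login path would also rate-limit attempts and log failures.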

Talk to your IT vendor about 2FA/SSO solutions. Imprivata is, by far, the largest 2FA/SSO solution in healthcare. They provide an excellent product and have extremely effective implementation teams. However, they are expensive. Other vendors that are coming on strong include 2FA, Duo, and SecurAuth.

I hope this blog post was helpful in understanding how you can improve the security of your healthcare organization by improving password practices. This is one control of many that your organization should implement to ensure you’re HIPAA secure.

For the other four controls you should implement, download our eBrief, 5 ePHI Protection Controls You Can Implement Right Now. A printer-friendly version of the eBrief is also available when you follow the link below.

Download the eBrief Here >>
