When it comes to good security (and HIPAA compliance), authentication is the lesser-known cousin to encryption. Authentication is best known in its incarnation as passwords. Authentication is much more than just passwords, however, and the HIPAA Security Rule standards hold it up high as a security concept of great importance.
Authentication is the process of proving you are who you claim to be. In small human communities, it is performed by recognizing people’s faces, voices, the gaits of their walk, and much more. Humans are very good at authenticating identity so long as we’re right next to each other.
When we started living in big communities or far away from each other, we discovered the need to develop less intuition-focused methods of authentication. A popular method we use these days is to carry documents that are issued by a trusted certifying authority, e.g. your state Department of Motor Vehicles (driver’s licenses) or the federal State Department (passports).
On computers, we have classically used the pairing of usernames and passwords to achieve this purpose. When I go to a website, I tell it that I am Roy Huggins. I also tell it my password. The website then compares the password I gave it to what it has on file for “Roy Huggins.” (A well-built site never keeps the password itself on file, only a salted hash of it; it hashes what I typed and compares the two hashes.) If they match, the website believes my claim that I am Roy Huggins and allows me access to everything to which Roy Huggins has access. This is how it is done for everything from tiny hobbyist sites to big banking websites.
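Here is what that comparison should look like on the server side, as an added example that is not part of the original article. It uses Python’s standard library only. The user store, the username and the sample password are constructed for the example; PBKDF2-HMAC-SHA256 stands in for whatever slow hash a real site uses (bcrypt, scrypt and Argon2 are equally good choices). The points to notice are that the password itself is never stored, that each user gets a random salt, and that the final comparison is constant-time.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256; chosen so one check costs a fraction of a
# second, which is cheap for a login and expensive for an attacker guessing offline.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> dict:
    """Return the record a site stores for a new or changed password.

    The record holds a random salt, the work factor and the derived hash.
    The password itself is deliberately not part of it.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive the hash from what the user typed and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 record["salt"], record["iterations"])
    # compare_digest does not short-circuit on the first differing byte, so the
    # time it takes does not leak how close the candidate was.
    return hmac.compare_digest(digest, record["hash"])


def authenticate(users: dict, username: str, candidate: str) -> bool:
    """The login step: look up the claimed identity, then check the proof."""
    record = users.get(username)
    if record is None:
        # Do the same amount of work for an unknown username so response time
        # does not tell an attacker which usernames exist.
        hash_password(candidate, salt=b"\x00" * 16)
        return False
    return verify_password(record, candidate)


# Constructed sample store for this example: one user, one made-up password.
USERS = {"roy.huggins": hash_password("correct horse battery staple")}

if __name__ == "__main__":
    print(authenticate(USERS, "roy.huggins", "correct horse battery staple"))  # True
    print(authenticate(USERS, "roy.huggins", "Correct horse battery staple"))  # False
    print(authenticate(USERS, "nobody", "anything"))                           # False
```

If a site’s database is ever stolen, this is the difference between the attacker walking away with every user’s password and walking away with a pile of salted hashes that each take real computing effort to guess.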
Nothing can possibly go wrong with that plan, right?
Astute readers will note that quite a few things can go wrong with it. Let’s look at a few of those wrong things and also look at the HIPAA standards that address them.
1) Guessing/Finding/Cracking Your Password
This is the obvious problem. A weak password, or a weakly protected password, can get into the hands of a bad guy who uses it to log in to your accounts. Mayhem ensues and we have a bad day.
For this one, HIPAA Security simply requires us to have written password management policies that describe how to create strong passwords and keep them safe. Best practices include changing a password promptly whenever there is reason to think it has been exposed (current guidance, such as NIST SP 800-63B, no longer favors forcing changes on a fixed schedule) and ensuring that every site or device we use has a different password. That last one is practically impossible if you don’t use tools to help you. That’s why security experts often recommend using password management programs to help keep passwords strong, unique, and easily accessible to just you.
The issue of passwords getting guessed or cracked should also be directly addressed in our security risk analyses. That helps us get a better idea of how our passwords can become vulnerable.
Another best practice that is not addressed in HIPAA is to use “2-factor authentication” wherever possible. 2-factor authentication would have you use a password + some other authentication factor. The most common form of 2-factor authentication is to first type in your password, and then receive a text message with a code in it. You then type in the code and, “voila!” you’re into the site. Be aware that codes sent by text message are the weakest flavor of second factor (a phone number can be hijacked by “SIM swapping”); a code generated by an authenticator app, or a hardware security key, is stronger wherever the service offers it.
HIPAA does not explicitly require 2-factor authentication, but it is quickly becoming an indispensable best practice.
2) Passwords Getting Shared
Sharing passwords isn’t always a problem, but it is when you’re sharing passwords to practice resources. Making sure everyone has their own account is part of the authentication process. Imagine duplicating your driver’s license and giving it to one of your unlicensed friends — it would likely cause some “confusion” (at best).
For this reason (and others — see below), HIPAA’s Security Rule requires that everyone who uses a PHI-handling service or device has their own personal account on it. In the Rule itself this is the “Unique User Identification” implementation specification (45 CFR §164.312(a)(2)(i)); it is often called the “unique login” requirement.
Unique logins let us do things like set our electronic record systems to only allow therapists to see the records of their own clients. Or we can permit front desk people to view client demographics and contact information, but not diagnoses or progress notes. To HIPAA, this differentiation is very important. The workforce management standards of HIPAA’s Security Rule largely rely on unique logins to work, because those standards are heavily focused on controlling who has access to what information.
3) Access Logs Getting Muddled
HIPAA’s Security Rule has a lovely-sounding standard called “Information System Activity Review.” It’s a tough one for non-techies to comply with. However, one of the most important (and doable) parts of that standard is regularly reviewing access logs to see if anyone is doing something they shouldn’t be doing.
Any online service that is designed to be used by health care professionals should provide you with the ability to see a log of who has signed in to the service and when they signed in. Well-designed services will also let you see what that person did while they were there. For example, the more advanced online record-keeping services will let you see who logged in (and when), which clients’ records they looked at, which records they created or edited, and anything else of interest that they may have done while logged in.
Reviewing the access logs on important services is required for HIPAA compliance. Doing so accomplishes two things:
- It lets you see if someone in the practice is doing anything they shouldn’t be doing. Keep in mind that sometimes this happens simply because the person needs more training on what is appropriate and what isn’t. Other times, it means they might be acting maliciously. That’s not a fun thing to think about, but misuse of systems by people who are authorized to access them is one of the bigger sources of security breaches in American health care.
- It lets you see if someone’s account has been hacked. Let’s say you notice that “Roy Huggins” logged in to the EHR while he was supposed to be on vacation. So you ask him about that, and he confirms that he was, in fact, out of town and never logged in to the EHR. Now you know that his account was probably hacked. Ideally, the access logs will give you enough information to know what the hacker did and you can take action as soon as possible.
In example 2 above, the access logs would be a lot less useful if Roy and another employee were sharing passwords for the same account. If that were the case, then the hacker’s activity would likely go unnoticed among all the different people using that same account.
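Here is what a review of those logs can look like when it is automated, as an added example that is not part of the original article and does not reflect any particular EHR’s log format. The log lines, the client-to-therapist assignments, the role permissions and the vacation dates are all constructed for the example. It flags the two situations the section describes: activity under an account whose owner is away (the “Roy on vacation” case), and a user viewing something their role or caseload does not cover (the front-desk-versus-progress-notes case).

```python
from datetime import date, datetime

# Constructed sample access log in a simple key=value form (hypothetical format).
SAMPLE_LOG = """\
2024-03-04T09:02:11 user=roy.huggins action=login ip=203.0.113.5
2024-03-04T09:05:40 user=roy.huggins action=view_record client=C-1042 section=progress_notes
2024-03-04T09:41:02 user=dana.frontdesk action=login ip=198.51.100.7
2024-03-04T09:42:15 user=dana.frontdesk action=view_record client=C-1042 section=demographics
2024-03-04T09:43:50 user=dana.frontdesk action=view_record client=C-1042 section=progress_notes
2024-03-11T02:17:09 user=roy.huggins action=login ip=192.0.2.77
2024-03-11T02:18:30 user=roy.huggins action=view_record client=C-2201 section=progress_notes
"""

# Constructed practice data: who treats whom, what each role may open, who is away.
ASSIGNED_THERAPIST = {"C-1042": "roy.huggins", "C-2201": "mei.chen"}
ROLE = {"roy.huggins": "therapist", "mei.chen": "therapist", "dana.frontdesk": "front_desk"}
ROLE_SECTIONS = {
    "therapist": {"demographics", "contact", "diagnoses", "progress_notes"},
    "front_desk": {"demographics", "contact"},
}
ABSENT = {"roy.huggins": (date(2024, 3, 9), date(2024, 3, 15))}  # declared vacation


def parse_line(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    timestamp, *fields = line.split()
    event = {"time": datetime.fromisoformat(timestamp)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def review(log_text: str) -> list:
    """Return (time, user, reason) findings a reviewer should look at."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        user, when = e["user"], e["time"]

        # Any activity while the account owner says they were away is suspect:
        # either the account is compromised or someone else is using it.
        absent = ABSENT.get(user)
        if absent and absent[0] <= when.date() <= absent[1]:
            findings.append((when.isoformat(), user, "activity during declared absence"))

        if e.get("action") == "view_record":
            role = ROLE.get(user, "unknown")
            # Role check: front desk may see demographics, not clinical content.
            if e["section"] not in ROLE_SECTIONS.get(role, set()):
                findings.append((when.isoformat(), user,
                                 f"role {role} viewed {e['section']} of {e['client']}"))
            # Caseload check: a therapist opening a client they are not assigned to.
            if role == "therapist" and ASSIGNED_THERAPIST.get(e["client"]) != user:
                findings.append((when.isoformat(), user,
                                 f"viewed record of unassigned client {e['client']}"))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

Run on the sample, it reports the front-desk user opening progress notes, and two findings for the vacation-week login under Roy’s account (the login itself, and the opening of a client who is not his). Notice that the absence rule only works because the account belongs to exactly one person: if Roy and a colleague shared that login, every legitimate thing the colleague did that week would trip the same alert, and the real intruder’s activity would hide among it.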
Conclusions
Use strong passwords, make them unique, don’t share them, and use 2-factor authentication when you can. Adopt password management programs to help you do all this (you’ll be glad you did — trust me). Also keep in mind that HIPAA wants you to watch those online access logs for signs of trouble. Happy authenticating!