Healthcare providers should consider multifactor authentication to better protect their data, according to speakers participating on a recent webinar hosted by HealthcareInfoSecurity.com. The message is particularly relevant in light of a recommendation by the Office of the National Coordinator for Health IT's HIT Policy Committee calling for multifactor authentication as a requirement in Stage 3 of Meaningful Use.
Most entities at present use one form of authentication, such as a password. But authentication also can be something you have, such as a smartcard, or something you are, such as a fingerprint, many of the webinar's speakers stressed.
"A password or PIN is the weakest form of authentication," said Robert Craig, a senior product marketing manager for identity for Santa Clara, Calif.-based computer software security company McAfee.
Craig suggested that entities looking at choosing a second form of authentication should consider:
- The cost for tokens or licenses
- How authentication will be managed
- The enrollment process
- Other requirements, such as HIPAA
- Whether the form is convenient and easy for end users.
For instance, biometrics are accurate and available on mobile devices, but may not be compatible with one's existing hardware or software. They also can create false positives, such as face recognition of twins or people scanning a photo of someone they're trying to impersonate.
Hardware tokens are the most typical form of additional authentication, and they're highly secure, but are limited to a single application and more complicated to install and retrieve. Software tokens, which can be installed on a PC or mobile device, may be a more flexible option. "They're low cost. Everyone has a cell phone," Craig said.
ONC specially asked for comments on multifactor authentication in its request for comment in its proposed recommendations.
To learn more:
- learn about the webinar