OCR effort fails to push multifactor authentication, critics say


A newsletter published by the Health and Human Services Department's Office for Civil Rights urging healthcare organizations to reassess their authentication methods is being criticized for failing to more strongly promote multifactor authentication.

"Over the past years, the healthcare sector has been one of the biggest targets of cybercrime," the newsletter notes. "Some of these cybercrimes resulted in breaches due to weak authentication, which has made healthcare entities take a second look at their safeguards and consider strengthening their authentication methods."

Authentication, OCR explains, requires:

  • Something you know, such as a password
  • Something you “are,” a biometric such as fingerprint, voiceprint, or iris pattern
  • Something you have, such as a smart card or token

The HIPAA Security Rule requires covered entities and business associates to implement “reasonable and appropriate authentication procedures” for access to covered business systems. It urges healthcare organizations to perform a comprehensive risk analysis to determine the appropriate type of authentication needed, whether single- or multi-factor.

However, according to a Verizon Enterprise Solutions report examining breaches and security incidents experienced in the past 11 years, 63 percent of attacks involved weak, default or stolen passwords.

Despite OCR's attempt to provide information to stakeholders, privacy and security expert Kate Borten, founder of consulting firm The Marblehead Group, told HealthcareInfoSecurity that the advisory did very little to actually promote multifactor authentication.

"Mid-size providers, such as community hospitals, are more likely to be aware of user authentication risks, particularly when accessing cloud-based [electronic health record] systems," Borten said. "But they are faced with budget and resource constraints and competing priorities. And the cost of multifactor authentication can be a hard sell at the senior leadership level."

Mac McMillan, CEO of security consulting firm CynergisTek, meanwhile, told HealthcareInfoSecurity that the cost and difficulty of implementing multi-factor authentication are often overstated.