
User Authentication Strategies

By Howard J. Anderson
Health Data Management Magazine, 01/01/2010

Some health care organizations have yet to take significant action to comply with the original HIPAA privacy and security rules, which were never vigorously enforced. Now that those rules have been beefed up under the American Recovery and Reinvestment Act, with increased enforcement and tougher penalties, many observers expect more hospitals, physician groups and others to gear up their data security assurance efforts.

"ARRA has given renewed focus on privacy and security, but many are not yet in compliance with the original HIPAA rules, much less the updated ones," says Kate Borten, president of the Marblehead (Mass.) Group, a security consulting firm.


Under the updated rules, state attorneys general now have the right to enforce the HIPAA privacy and security regulations. Plus, those harmed by a security breach can seek financial damages, Borten says. "I can just see the lawyers getting ready," she says. "We are going to see a real ramping up of complaints now as a result of all the changes."


Two Key Steps

Of course, the best way to comply with the privacy and security rules is to make sure only authorized individuals have access to patient information. Borten argues that all organizations should encrypt all patient data and adopt two-factor user authentication, such as a password paired with a fingerprint scanner. But she contends that many, perhaps most, organizations have yet to take either step.

And any data security effort should start with a thorough risk assessment, as required under federal law, notes Eric Nelson, privacy practice leader at the Lyndon Group, a Newport Beach, Calif.-based consulting firm.

What technologies are needed to ensure patient data is secure depends on the size of the organization, Nelson says. "A small group practice where only a few people have access to the information probably doesn't need a high-tech security solution," Nelson says. "It could be as simple as encrypting the information on the computers and installing locks on the doors. A large organization is a completely different matter."

The updated federal regulations, in fact, do not specify the security technologies providers must use. "The law says that if you don't want to have to notify the government of security breaches, then you should use new technologies to prevent breaches," Borten notes. "But I regret that the law doesn't require the use of the technologies."

As they ramp up efforts to implement clinical information systems, many hospitals, clinics and other provider organizations are investing in a variety of user authentication technologies to help safeguard clinical information. These include:

* biometric systems, such as fingerprint scanners, iris scanners or palm vein pattern detectors;

* hardware tokens, small devices, often in the form of a key fob, that generate one-time passwords the user must then type in;

* proximity badges containing chips that, when placed next to a reader, automatically confirm the user's ID;

* phone-based authentication, which uses a clinician's telephone, cell phone, pager or PDA to help verify their identity; and

* adaptive authentication, which uses specialized software to assess a user's risk potential and pose a series of questions based on personal information they've provided.

In many cases, providers are pairing two-factor authentication with single sign-on systems, which enable physicians, nurses and others to access all appropriate systems once they authenticate themselves.


Three-pronged Strategy

At 442-bed Southwest Washington Medical Center, Vancouver, physicians and nurses use one of three different authentication systems. Most still use a user name and password to gain access to clinical data. Many who work in critical care areas rely on fingerprint scans, while those working in other departments are phasing in use of proximity badges, says Christopher Paidhrin, security compliance officer.

All these approaches are paired with a single sign-on system that enables doctors and nurses to avoid signing on with different passwords to dozens of different clinical systems, the security officer says. The hospital uses a single sign-on system, along with the authentication technologies, from Imprivata Inc., Lexington, Mass.

When phasing in authentication technology, the hospital started by implementing about 200 fingerprint scanners in its intensive care unit, emergency department and other critical care areas where clinicians need rapid access to information, Paidhrin says.

By quickly scanning their finger, clinicians get virtually instant access to all relevant clinical information systems, he notes. "In these areas, the savings of seconds can mean the difference between life and death," Paidhrin says.

While some organizations pair a fingerprint with a password to create two-factor security, Southwest Washington skipped the password step to speed access, the security officer notes. "We use the fingerprint scanners mainly in secure areas, and we have only a very limited number of fingerprints authenticated," he notes.

But when the hospital wanted to beef up clinical information security in other departments, it decided to use a lower-cost, two-factor approach involving proximity badges, Paidhrin notes. That's because caregivers in other departments could afford to wait a few seconds to access a system, he notes. Plus, the proximity badge readers cost half as much as the fingerprint readers.

So far, the hospital has ID badge readers on about 300 of its 2,200 computers, but that amount will triple this year, Paidhrin predicts. Everyone who works at the hospital has a photo ID badge that contains a chip. They already were using the badge for such purposes as gaining access to restricted areas of the building. Now, some clinicians also can swipe the badges near a computer reader to verify their user ID, and then enter a personal identification number to access the clinical systems they're authorized to see.

The hospital rejected using hardware tokens because it feared too many users would lose the devices. "People don't lose their ID badges," Paidhrin contends. The hospital also worried that users would find tokens cumbersome because they require typing in the new password displayed on the device.
