Two-factor authentication—which requires users to provide at least one additional form of identification beyond user name and password to gain access to electronic protected health information—is a relatively low-cost and effective way to meet HIPAA requirements. Yet, not enough hospitals are implementing it into their cybersecurity strategy. 

According to new data released by the Office of the National Coordinator for Health IT, less than half (49 percent) of hospitals support an infrastructure for two-factor authentication. Critical access (35 percent) and small rural (40 percent) hospitals report the lowest levels of capability. The ONC data brief for the first time makes public national and state trends in two-factor authentication among non-federal U.S. acute care hospitals from 2010 to 2014.

“As electronic health information becomes more widely available, proper security measures must be implemented to ensure the information is only accessible to those with the rights to access it,” states the data brief. “The Health Insurance Portability and Accountability Act requires covered entities to verify that a person seeking access to electronic protected health information has authorization.”

The brief notes that HIPAA “offers two-factor authentication as a possible method to provide security to ePHI” and that it is “an essential capability for providers who e-prescribe controlled substances.”

Also See: Puerto Rico BCBS Hit With 2nd Largest HIPAA Fine

While ONC reports that hospital support for two-factor authentication has increased by more than 50 percent since 2010, cybersecurity experts assert that the reported levels of adoption are still woefully short given the rise in data breaches at healthcare organizations and the fact that hackers are actively targeting the industry.      

“There is really no excuse today for not utilizing two-factor authentication. It is one of the lowest cost, highest impact things that an organization can do from a security perspective,” says Avi Rubin, professor of computer science at Johns Hopkins University and director of JHU’s Health and Medical Security Lab, established about six years ago with ONC funding.

Despite growth in two-factor authentication, ONC says use varies significantly by hospital type with the technology used far more in medium and large hospitals than smaller facilities.

Matt Patterson, M.D., president of mobile solutions vendor AirStrip, agrees that two-factor authentication is not difficult to implement and is a much-needed security strategy for healthcare organizations.

“The technology bar is actually quite low and likely not the issue,” comments Patterson. “The issue is more likely around the structural and interoperability limitations of the EHR systems in place at these hospitals to make available useful, meaningful data—and so creating access to them is not the priority.”

According to Patterson, hospitals that are least capable of supporting two-factor authentication “would benefit the most from empowering consumers and providers with convenient, immediate, and mobile access to and transfer of important electronic health information.”

ONC’s data brief is based on the 2014 American Hospital Association Annual Information Technology Survey. AHA was not immediately available for comment.

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access