The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities – including health care providers, health insurance companies, and HMOs – to:
164.312(d) Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
As specific methods or technologies are not mentioned in HIPAA, the HITRUST Common Security Framework (CSF) has become the most widely adopted security control framework in the U.S. healthcare industry. It leverages the National Institute of Standards and Technology’s Computer Security Division security standards (NIST 800-53) and the Payment Card Industry Data Security Standard (PCI DSS), among other standards. Three levels of security requirements are specified:
- Level 1 – Single-factor authentication (i.e. passwords) is the minimum set of security requirements for all systems and organizations regardless of size, sophistication, or complexity. Most HIPAA requirements can be met at this level, but the extreme vulnerability of passwords and the financial penalties of the Health Information Technology for Economic and Clinical Health Act (HITECH) are compelling covered entities to seek higher levels of information security.
- Level 2 and Level 3 – Two-Factor Authentication (2FA) for generating a One Time Password (OTP) is required for organizations and systems of increased risk and complexity. Even small healthcare organizations that aren’t mandated to meet Level 2 and Level 3 requirements are seeking the security of two-factor authentication, both to improve information security and reduce liability.
Deploying two-factor authentication with SurePassID is the fastest path to compliance with HIPAA, HITECH and HITRUST CSF. SurePassID’s One-Click installer is compatible with the most challenging legacy IT infrastructures. SurePassID is compatible with almost any authentication method and device, including:
- Mobile OTP (smart phones, tablets) – installed on user’s device
- Desktop OTP (desktops, laptops) – installed on user’s device
Very Low Cost:
- SMS OTP and IVR – text or call to user’s phone
- PassFaces – installed on user’s device
- Matrix Cards – Challenge-response ISO 7810-compliant printed cards; issued to users
- OneCard – World’s first all-in-one converged security credential; issued to users
- OTP Display Cards – ISO 7816-compliant smart cards with display, keypad, and mag stripe; issued to users
- OTP Keyfobs & Mini-Keyfobs - Hardware tokens; issued to users
- Third Party OTP Tokens – OATH-compliant and proprietary RSA tokens; issued to users