As October 2017 and National Cybersecurity Awareness Month (NCSAM) continue, we keep our focus on going back to the basics. The basics include the safeguards you put in place to ensure the Confidentiality, Integrity, and Availability of electronic protected health information (e-PHI), and the training you provide your workforce. Last week we looked at some basic tips about patch management and how a major organization failed to patch a vulnerability, leading to the exposure of financial information of 145.5 million individuals. This week's third installment of cybersecurity tips by HIPAAtrek focuses on multi-factor authentication.
Multi-factor Authentication: Multi-factor authentication is the security procedure of requiring two or more independent credentials before someone is allowed access to your information systems and e-PHI. You may have first seen this on the big screen, where a James Bond-type character enters a password followed by a thumbprint or eye scan to enter a classified area. This is not just movie stuff anymore. It is an example of multi-factor authentication, and it provides the most secure method of ensuring that the individual attempting to access the system is the person they claim to be. Here are the three types of credentials in multi-factor authentication you need to understand:
Something you know (Knowledge Factor). This is a password, passcode, or passphrase that only you know.
Something you have (Possession Factor). This is a special hardware token, such as a key fob or smart card, issued only to you and paired with a unique Personal Identification Number (PIN). When you use the token, the information system recognizes it, and you confirm that you are its rightful holder by entering the PIN.
Something you are (Inherence Factor). This is the method of identifying yourself by one of your biological traits. Unique biological identifiers include fingerprints, hand geometry, retina and iris scans, and voice recognition. No one else has your biological traits, so no one else can use them to authenticate as you.
The advantage of a multi-factor authentication process is that if one credential is compromised, unauthorized access is still denied because the second credential is still required. In other words, I may learn your password, but I don't have your smart card or your thumbprint, so the attempted access is stopped without both credentials. The credentials can be combined in any way: smart card and password, password and thumbprint, smart card and iris scan, and so on. The two credentials must come from different categories, however; a password plus a security question are both knowledge factors and do not give you a second factor. The key to multi-factor authentication is to establish a layered approach to granting access to your information systems and thereby secure your e-PHI.
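The following added example (not code from the original post or from HIPAAtrek) shows the layered check described above in working form: a knowledge factor (a salted PBKDF2 password hash) combined with a possession factor (an RFC 6238 time-based one-time code, the kind a hardware token or authenticator app produces). The demo account, its password and its token secret are constructed for the example; the token secret is the RFC 6238 test-vector key, so the expected code can be checked against the published vectors.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

PBKDF2_ITERATIONS = 200_000
TOTP_STEP = 30      # seconds per code (RFC 6238 default)
TOTP_DIGITS = 6

def make_password_record(password: str):
    """Knowledge factor: store a random salt and a PBKDF2 hash, never the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison

def totp(secret: bytes, timestamp: float) -> str:
    """Possession factor: RFC 6238 TOTP, i.e. HOTP over the current 30-second counter."""
    counter = int(timestamp) // TOTP_STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                         # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** TOTP_DIGITS)).zfill(TOTP_DIGITS)

def check_totp(secret: bytes, code: str, timestamp: float, window: int = 1) -> bool:
    """Accept the current code or one step either side, to tolerate small clock drift."""
    return any(hmac.compare_digest(totp(secret, timestamp + k * TOTP_STEP), code)
               for k in range(-window, window + 1))

def authenticate(user: dict, password: str, code: str, timestamp: Optional[float] = None) -> bool:
    """Both independent factors are checked; a single stolen credential is not enough."""
    now = time.time() if timestamp is None else timestamp
    password_ok = check_password(password, user["salt"], user["digest"])
    token_ok = check_totp(user["totp_secret"], code, now)
    return password_ok and token_ok                 # both evaluated before combining

def demo_user() -> dict:
    """Constructed sample account (an assumption for this demo, not a real record)."""
    salt, digest = make_password_record("correct horse battery staple")
    return {"salt": salt, "digest": digest, "totp_secret": b"12345678901234567890"}
```

With the RFC 6238 test key and timestamp 59, `totp()` yields 287082, the six-digit form of the published vector; `authenticate()` returns True only when both the password and a current code are presented.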
Multi-factor authentication is a basic security principle that should be used wherever possible, because it provides a more secure method of limiting access to those who are authorized. Beyond multi-factor authentication, HHS has published a short list of tips to discuss with your staff during NCSAM, and at any other time you find appropriate. You can review the NCSAM tips at: https://www.hhs.gov/sites/default/files/hipaa-cyber-awarness-monthly-issue-september-2017.pdf.
Contact our Lead Account Executive, Theresa Zemcuznikov, at firstname.lastname@example.org for a demo of our award-winning HIPAA compliance software, where you can manage your entire privacy and security program in one location. In the meantime, happy HIPAA trekking.