HEALTHCARE
COVERAGE
Proving Identity – Ancient Problem Needs New Solution
“What I tell you three times is true”
- Lewis Carroll, The Hunting of the Snark
By David Schulz
Identity theft is as old as the Bible: in Genesis, Jacob purloins his brother Esau’s identity to steal his birthright. You may recall that Rachel encouraged her son to use two proofs of identity: to bring the nearly blind patriarch Isaac food appropriate to a hunter, and to wear animal hide on his arm to imitate his brother’s hairiness. Today’s cybersecurity experts would suggest that Rachel defeated “two-factor security,” which explains why your phone and password may soon be insufficient to authenticate your identity.

The healthcare industry, with ever-growing use of remote medicine and Internet connectivity for devices accessing Protected Health Information (PHI), and facing Health Insurance Portability and Accountability Act (HIPAA) obligations, is woefully behind in implementing Multi-factor Authentication (MFA). MFA is a layered approach to proving identity, already prevalent in banking, shopping and some healthcare applications; but most ‘patient portals’ still rely on only passwords, a frightening concept when the most common passwords in 2022 remain “12345678” and “PASSWORD.”

[Image: Isaac Blessing Jacob, Govert Flinck, c.1638. Oil paint on canvas.]

Why implement MFA? Because even if one factor (like your password) becomes compromised (and almost all are available on the deep web for a pittance), unauthorized users will be unable to meet the second authentication requirement, ultimately stopping them from gaining access to your accounts. Today, two-factor security generally involves accessing a second device, primarily a phone, to authenticate identity, but even Rachel beat 2FA four millennia ago. For PHI in a world of IoT (Internet of Things), three-factor security will become common in the near future.

Three-factor security is defined by the National Institute of Standards and Technology (NIST) as “something you know” (password); “something you have” (phone, pad, dongle); and “something you are” (fingerprint, retina scan, facial recognition).

At the moment, although two-factor authentication is not required for HIPAA, it can help pave the way to HIPAA compliance and is urged by the U.S. Department of Health and Human Services (HHS). The traditional login process with a username and password is insufficient in an increasingly hostile healthcare data environment. Two-factor authentication (2FA) has become necessary for other healthcare enterprise compliance as well, including the Drug Enforcement Administration's Electronic Prescription for Controlled Substances Rules and the Payment Card Industry Data Security Standard (PCI DSS).

According to a report released by Microsoft, by implementing HIPAA MFA, organizations reduce their cybersecurity risk by 99.9%. This is because the most common cause of cyberattacks is the use of stolen login credentials, with 81% of breaches caused by stolen credentials.

What’s even more concerning is that 55% of organizations in the U.S. suffered from at least one successful phishing attack last year. With only 11% of organizations utilizing MFA or 2FA, these attacks have left many organizations vulnerable to data theft.

According to HHS, “It’s more important in the post-pandemic era for covered entities to develop and implement tighter policies and procedures for authorizing EPHI access. It is crucial that only those workforce members who have been trained and have proper authorization are granted access to EPHI.” It recommends two strategies to for risk
20 SAN ANTONIO MEDICINE • September 2022