Federal Advisers Ponder Multi-Factor Requirement
A federal advisory committee has expressed support for the concept of eventually requiring multi-factor authentication for clinicians and other individuals involved in certain riskier electronic health information transactions. But first, it's looking into how to specify which transactions would require the enhanced authentication.
Riskier transactions might include, for example, those involving clinicians in remote locations using mobile devices.
At its Aug. 1 meeting, the HIT Policy Committee expressed initial support for a Privacy and Security Tiger Team recommendation that NIST 800-63 Level of Authentication-3 credentials should be phased in for riskier electronic transactions (see: How to Authenticate Physicians' IDs). The committee helps develop policies for the Department of Health and Human Services.
Tiger Team Co-Chair Deven McGraw outlined the team's recommendations for trusted identities of healthcare providers in cyberspace. The recommendations tackle the challenge of proving the identity of physicians and other users seeking to electronically query or exchange patient data, such as through a health information exchange.
The National Institute of Standards and Technology's LOA-3 specification "is appropriate for transactions that need high confidence in the accuracy of the asserted identity," according to NIST. LOA-3 specifies the use of multifactor remote network authentication, with a minimum of two-factor authentication.
The current baseline for electronic health information exchange is LOA-2, which requires a username and password.
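The distinction the article draws between LOA-2 (username and password) and LOA-3 (at least two factors of different kinds) is what a system enforcing this policy would have to check per transaction. The following is an added illustration, not code from the Tiger Team, NIST or any EHR vendor: it uses a hypothetical rule that treats remote or mobile access as the riskier case and a simplified mapping of factor categories to assurance levels, and it shows the edge case practitioners most often get wrong, namely that two credentials of the same kind (two passwords) do not add up to multi-factor.

```python
from dataclasses import dataclass
from enum import Enum


class FactorType(Enum):
    """Classic factor categories; two factors must differ in kind to count as multi-factor."""
    KNOWLEDGE = "something you know"   # password, PIN
    POSSESSION = "something you have"  # hardware token, OTP device
    INHERENCE = "something you are"    # fingerprint, face


@dataclass(frozen=True)
class Factor:
    name: str
    kind: FactorType


@dataclass(frozen=True)
class Transaction:
    """Context of a query or exchange of patient data (assumed fields, for illustration)."""
    action: str
    remote: bool          # clinician is outside the organisation's network
    mobile_device: bool   # request comes from a phone or tablet


def required_loa(tx: Transaction) -> int:
    """Hypothetical risk rule: remote or mobile access is 'riskier' and needs LOA-3;
    everything else stays at the LOA-2 baseline described in the article."""
    if tx.remote or tx.mobile_device:
        return 3
    return 2


def achieved_loa(factors: list[Factor]) -> int:
    """Simplified assurance mapping (an assumption, not the full NIST 800-63 text):
    LOA-3 needs at least two factors of *different* kinds; a single knowledge
    factor (username + password) yields LOA-2; nothing usable yields 0."""
    kinds = {f.kind for f in factors}
    if len(kinds) >= 2:
        return 3
    if FactorType.KNOWLEDGE in kinds:
        return 2
    return 0


def authorize(tx: Transaction, factors: list[Factor]) -> tuple[bool, int, int]:
    """Return (allowed, required_level, achieved_level) so a caller can log the gap
    and trigger step-up authentication instead of silently failing."""
    need = required_loa(tx)
    have = achieved_loa(factors)
    return have >= need, need, have


# Constructed sample factors for the scenarios below.
PASSWORD = Factor("password", FactorType.KNOWLEDGE)
SECOND_PASSWORD = Factor("security question", FactorType.KNOWLEDGE)
OTP_TOKEN = Factor("hardware OTP token", FactorType.POSSESSION)

if __name__ == "__main__":
    onsite = Transaction("query patient record", remote=False, mobile_device=False)
    remote_mobile = Transaction("query patient record", remote=True, mobile_device=True)
    for label, tx, factors in [
        ("on-site, password only", onsite, [PASSWORD]),
        ("remote mobile, password only", remote_mobile, [PASSWORD]),
        ("remote mobile, two knowledge factors", remote_mobile, [PASSWORD, SECOND_PASSWORD]),
        ("remote mobile, password + token", remote_mobile, [PASSWORD, OTP_TOKEN]),
    ]:
        allowed, need, have = authorize(tx, factors)
        print(f"{label}: need LOA-{need}, have LOA-{have}, {'allowed' if allowed else 'step-up required'}")
```

The point of returning the required and achieved levels rather than a bare boolean is that the denial path is where the workflow concern from the article lives: a caller can prompt for the missing second factor only on the riskier transaction instead of forcing it on every login.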
The aim of the Tiger Team's clinician authentication recommendations, McGraw says, is to create "an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities."
More Work To Do
The next step for the Tiger Team is to identify specific scenarios where the use of LOA-3 would be appropriate, says McGraw, who is also director of the health privacy project at the Center for Democracy & Technology. However, the team is also mindful that overly burdensome requirements that greatly interrupt clinicians' workflow could encourage workarounds.
McGraw expects the team will provide an update on high-risk scenarios that merit LOA-3 at the Sept. 6 meeting of the HIT Policy Committee.
When asked by a committee member how the recommendations could be carried out, McGraw said there were several possibilities, including modifying the HIPAA security rule. The Tiger Team also is recommending that LOA-3 be required for riskier transactions under the yet-to-be-developed rules for Stage 3 of the HITECH Act electronic health record incentive program.