Industry Insights with Emil Hozan


HIPAA Standard 164.312(d): MFA to the Rescue

How Common is it for Individuals to Remember PINs or Passwords Set by Entities Holding the Information They're Requesting?

For organizations required to adhere to HIPAA compliance regulations, the Person or Entity Authentication (PEA) standard, section 164.312(d), lays out a roadmap of how to ensure the right person, people, or entity gets access to the sensitive data being requested. Much like with computing systems, a user is identified with a username and an associated password. PEA is no different. A person or entity presents themselves (their username) and confirms a corresponding password or PIN proving they are said person or entity.

For a requesting party to be authorized to access said information, PEA offers HIPAA-covered entities three ways to verify that party. These entities can:

  1. Require a password or PIN known only to that party
  2. Require a physical possession, such as a smart card, a key, or a token
  3. Require a unique biometric trait such as fingerprints or voice, facial, or iris patterns

Now, how common is it for individuals or even entities to remember arbitrary PINs or passwords set by entities holding the information they're requesting? It's tough enough to remember a password or PIN without writing it down, which is of course a no-no. What can be done about this, and how can all involved parties adhere to the standard while ensuring security best practices are met?

Enter multi-factor authentication (MFA).

You might be asking what MFA has to do with this, and I will tell you it has everything to do with this. MFA is an authentication method used to validate that a user is who they say they are, similar to what a password is used for. However, MFA takes this a step further by ensuring the user has additional pieces of information to prove who they are, hence the "multi-factor" component of its name.

The three suggested verification methods can all be met in one solution - WatchGuard's AuthPoint MFA solution. WatchGuard's AuthPoint mobile app can safely store PINs. It's a mobile application and mobile devices are almost always in the possession of most individuals and can be considered as a "token" or "key." Not only that, the mobile device itself typically has some level of protection - some devices even offer fingerprint or facial recognition to unlock the device.

Gone are the days of needing to write a PIN or password down, only to lose it or have someone else pick it up. Gone are the days of needing another minuscule piece of hardware to keep track of - keeping track of your phone is tough as it is! And for users who already use their fingerprint or facial scans to authenticate to their phone, there are no extra steps needed. What's more, AuthPoint is able to uniquely identify the device it's installed on, further validating the individual(s) associated with that device. Lastly, AuthPoint constantly refreshes the associated PIN for each account. If one PIN is compromised, its shelf life is limited to mere seconds until the next PIN activates.

Humans have enough things to remember as it is, and remembering yet another number or string isn't something anyone looks forward to. Using an MFA solution can help alleviate the need to remember a unique identifier.



About the Author

Emil Hozan


Security Analyst, WatchGuard Technologies

Emil Hozan is a Security Analyst at WatchGuard Technologies, focused on network security. Emil's responsibilities include quantifying threat data for WatchGuard's quarterly Internet Security Report, contributing to WatchGuard's security blog Secplicity, analyzing trends in network and malware attacks, sandboxing and testing new products and exploits, and reverse engineering malware samples.



