In a recent newsletter, the Office for Civil Rights (OCR) encourages health care organizations to review their procedures around authentication and “ensure that they have the appropriate safeguards in place.”
The Newsletter, entitled What Type of Authentication is Right for You? states that “[O]ver the past years, the healthcare sector has been one of the biggest targets of cybercrime. Some of these cybercrimes resulted in breaches due to weak authentication, which has made healthcare entities take a second look at their safeguards and consider strengthening their authentication methods.”
According to the Newsletter, covered entities and business associates should:
- Conduct an enterprise-wide risk assessment that can identify the vulnerabilities of their current authentication methods and practices
- Consider implementing a form of authentication that is reasonable and appropriate for the size, complexity and capability of the organization
- Depending on the results of the risk assessment, consider implementing different types of authentication, including single-factor authentication or multi-factor authentication
Although the Newsletter is sparse on detail, it certainly provides a heads up on the issues that the OCR is concerned with, and covered entities and business associates may wish to consider evaluating authentication methods used and consider changing them if appropriate.