Authentication is proving you are who you say you are. This is typically done with a username and password. However, this is not a very secure method. Usernames can be easily guessed or are just your email address. Passwords can provide a measure of protection, but they have their limitations. Due to the vast number of accounts that require passwords, people are using password manages, saving their password in their browser, re-using their password or picking simple passwords. If someone gets the password to one of your accounts, it may put your other accounts at risk.
This is where multi-factor authentication (MFA) comes into play. Multi-factor authentication requires multiple forms of verification. Most authentication factors are based on something you know (e.g. password or PIN), something you have (e.g. cellphone) and something you are (e.g. biometrics). When a login requires only two of these factors, it is referred to as two-factor authentication (2FA).
EHR companies have been advised to enforce users to use MFA. If you are not using MFA already, you should reach out to your EHR vendor to get MFA implemented. This is especially important if you are using a cloud-based EHR. The convenience of your records being accessible at any time from any location increases the risk of an incident.
If you permit remote access to your office, this is another place where you should implement MFA.
Emails are a prime target for cyberattacks. Many password authentications or password resets are accomplished through email accounts. Set up MFA to not only protect your email, but also the accounts that use the email.
When implementing MFA, you should configure a system that will alert your office whenever it detects suspicious login attempts. Examples of a suspicious login attempt can include attempted login in the middle of the night, login by a new device, multiple failed login attempts or unplanned remote network access. This will help your office quickly respond to any HIPAA incidents and take steps to prevent it from becoming a HIPAA breach.
If you are using any banking applications, you should already be familiar with MFA. It is your responsibility to protect your patient records. At minimum, take the same steps you protect your information with as the information your patients leave in your care.
For more information on maintaining HIPAA compliance you can schedule a meeting with TLD systems here or contact TLD Systems at info@tldsystems.com.
Read Comments