The History of Two-Factor Authentication in the HIPAA Security Rule


Although the Health Insurance Portability and Accountability Act (HIPAA) was created in 1996, it was not always meant to secure the privacy of electronic health records. Originally, HIPAA was created for paper health record privacy; before HIPAA, there was no security standard in place to protect patient privacy. Technology moves forward with time, and in the past decade advances in healthcare industry technology created a need for a more secure way of handling medical records.

With electronic health records becoming more readily available at cost-efficient rates, healthcare facilities made the move to these types of documents. With government regulation also mandating electronic health records, the Security Standards for the Protection of Electronic Protected Health Information, also known as “the Security Rule”, was created and enforced. This new set of regulations was created to ensure the privacy of patient medical information while it is stored or transmitted in electronic form.

Two-factor authentication, a process in which two separate authentication factors are used to identify a user, was not originally a necessary part of the security process stated in the HIPAA Security Rule. Over the years, this form of authentication has grown to be a required piece of compliance for HIPAA.

Multi-factor authentication was mentioned back in October 2003 in a PDF released by the National Institute of Standards and Technology (NIST). The document, titled “Guide to Selecting Information Technology Security Products”, stated what authentication was but did not necessarily require the implementation of this type of security. With electronic medical records being so new and not used across all facilities, no need for specific authentication had yet been created or enforced.

Then, in April 2006, the NIST released a new document called “Electronic Authentication Guideline”, which stated 4 levels of security, some of which required a strong authentication process. The use of two-factor authentication was mentioned in the 3rd level, which states the need for a token to be required. This token can be either a soft/hard token or a one-time password. With more hospitals accepting EHRs, the need for stronger security guidelines arose.

Although there were now regulations in place that stated the requirement for two-factor authentication, they were unclear and did not state the need for specific IT security controls. After an audit by the Office of Inspector General found the need for these IT security controls, the old NIST document was revised. The “Electronic Authentication Guideline” drafted in June 2011 is a revision of the publication that states more clearly the need for specific two-factor authentication, including acceptable token types.

We can see the increasing need for security in the healthcare industry. Regulating compliance was not always necessary; however, with everything changing and government mandates put in place, compliance guidelines have been improving. It does not seem to be over either: a recent draft by the NIST, created May 2011 and titled “Cloud Computing Recommendations”, talks loosely about multi-factor authentication to access the cloud. This goes to show that as technology moves forward and more ways of storing and accessing data are created, the need for regulation arises. This is especially true when healthcare facilities are accepting and utilizing this new technology more and more.
