Healthcare: HIPAA and HITECH Compliance
Duo Security is trusted by hospitals, healthcare providers, insurance companies, and those that support the healthcare industry, including health IT vendors like cloud service providers and electronic health records (EHR) systems that need to protect users with strong two-factor authentication.
Duo Security has been designed to work without cell service, which makes it the ideal choice for hospitals and clinics that often have poor or unreliable reception. Duo also easily integrates with servers, VPNs, and web applications to provide the security needed to comply with HIPAA and HITECH standards, while creating an easy user and administrative experience.
HIPAA & HITECH Compliance At a Glance
Established in 1996, the Health Insurance Portability and Accountability Act (HIPAA) sets the national standards for protecting electronic protected health information (ePHI), whether it is being collected, processed, stored or exchanged by covered entities; more specifically, the HIPAA Security Rule governs the safeguards required for ePHI.
Covered entities include organizations such as healthcare providers, insurance companies and HMOs. Under the final omnibus rule, which implemented changes introduced by the HITECH (Health Information Technology for Economic and Clinical Health) Act, the scope of compliance was expanded to include business associates.
Business associates are organizations that support the healthcare industry, including contractors and subcontractors: in practice, cloud hosting and service providers, electronic health record (EHR) system providers, and other health IT vendors that process or store health data on behalf of a covered entity.
This means that if your company creates, receives, maintains or transmits health data on behalf of a covered entity, you must also abide by the HIPAA compliance standards.
Two-Factor Authentication and HIPAA Compliance
HIPAA requires covered entities and business associates to:
Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. - 164.312(d) Technical Safeguards of the Security Standards for the Protection of ePHI, HHS.gov
In its HIPAA Security Rule guidance on remote use, the Dept. of Health and Human Services lists two-factor authentication as one possible risk management strategy to mitigate the loss or theft of login credentials:
Implement two-factor authentication for granting remote access to systems that contain ePHI. This process requires factors beyond general usernames and passwords to gain access to systems (e.g., requiring users to answer a security question such as “Favorite Pet’s Name”)… - HIPAA Security Rule Guidance for Remote Use (PDF), HHS.gov
Specific methods or technologies aren’t prescribed in the federal standards, but two-factor authentication can satisfy the HIPAA Security Rule requirement to create and maintain security controls that verify user identity when users connect to systems holding ePHI, whether remotely or via a web application. Note that a security question is a second knowledge factor rather than a different kind of factor; a possession factor such as a push notification or one-time passcode on a device the user holds provides stronger assurance that the person logging in is the one claimed.
Two-Factor Authentication for HIPAA Vendors
As mentioned earlier, HIPAA vendors, or business associates, are also required to meet HIPAA compliance in order to support the healthcare industry with the required level of operational security.
A few examples of two-factor authentication integrating with health IT vendors include:
- Two-factor authentication can be used to secure access to the internal networks of health IT companies when paired with a VPN
- Cloud service providers that support the healthcare industry can use two-factor to protect sensitive server logins
- Electronic health record system (EHR) providers can use two-factor to protect web application logins
- Health IT vendors can use two-factor to protect SSH sessions for their developers
HIPAA Compliance Resources
The HIPAA Security Rule - View the HIPAA Security Rule on the HHS.gov site, including the administrative, physical and technical safeguards required to ensure the security of electronic protected health information (ePHI).
HITECH Act Enforcement - The HITECH Act established categories of HIPAA violations and defines penalty tiers for each violation type, as administered by the Dept. of Health & Human Services.
Breach Notification Rule - HHS.gov outlines the requirements behind breach notification, including the definition of a breach.
Streamlining Two-Factor Authentication for Health IT - Find out solutions to potential problems that might accompany the implementation of two-factor within a healthcare organization, and how to streamline your solution to solve usability issues, large-scale deployment problems and more.
Case Study: Royal Victorian Eye & Ear Hospital - Read a real company case study of a hospital that chose Duo’s two-factor authentication to protect their internal networks and eliminate weaknesses at remote access points.