(d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
Tell Me More:
The objective of the Person or Entity Authentication standard / implementation specification is to implement procedures to verify that a person or entity seeking access to electronic protected health information (EPHI) is the one claimed. This standard is the implementation specification.
Authentication is typically the first step in gaining access to the system. Authentication is the process of “proving” your identity. A system needs to authenticate users to a degree appropriate for the level of risk/threat that an authenticated user represents. For example, typing a username and a password is an example of authenticating yourself as a user on the system.
Covered entities must have in place appropriate technical processes to authenticate the identity of each person or entity (usually another computer or process) accessing or attempting to access PHI. This access can be at the workstation or program level, depending on the requirements of the organization. These technical processes usually require persons and entities to provide a password, a physical identification (e.g., a token) or biometric identification. Access of individuals is implemented through the administrative policies and procedures related to the use of passwords and individual access to ePHI. Similar policies and procedures must be in place to authenticate entities to ensure that ePHI is only shared with appropriate, authorized entities.
Many different mechanisms may be used to authenticate persons or entities, and the final rule reflects this fact by not incorporating a list of implementation specifications, in order to allow covered entities to use whatever is reasonable and appropriate. “Digital signatures” and “soft tokens” may be used, as well as many other mechanisms, to implement this standard.
When considering authentication solutions, it is important to consider the criticality and sensitivity of information. Using a simultaneous combination of authentication mechanisms, called multifactor authentication, can help to mitigate against risks to circumventing authentication controls. An example of this approach is to require a fingerprint scan (biometric) followed by the entering of a password rather than just one or the other. In this case, a compromised password would be rendered useless since a matching fingerprint is required, and a forged fingerprint alone would not achieve an attacker’s goals if the password was not also known. While this approach provides solid authentication, care should be taken to balance the level of assurance needed with associated financial and performance costs.
A complete set of HIPAA Security Policies and Procedures may be purchased here.
Questions to consider:
- Has the organization implemented policies and procedures instructing workforce members to not allow other persons or entities to use their unique authentication information to access systems or applications containing ePHI?
- Has the organization implemented policies and procedures to instruct workforce members to ensure they verify the identity of the receiving person or entity prior to transmitting ePHI?
- Are appropriate measures in place to authenticate the identity of each person accessing or attempting to access PHI?
- Are appropriate measures in place to authenticate the identity of each entity accessing or attempting to access PHI?
- Has the organization implemented procedures to verify that a person or entity seeking electronic access to ePHI is the one claimed? (e.g., biometrics, password, PINs, telephone callbacks or tokens)?
- NIST SP 800-12 chapter 16 An Introduction to Computer Security: The NIST Handbook
- NIST SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems
- NIST SP 800-53, Revision 3 Recommended Security Controls for Federal Information Systems and Organizations
- NIST SP 800-63 Recommendation for Electronic Authentication