Secure your small business:
Apps → Data →

HIPAA and PIPEDA are More Strict About Authentication Than You Realize

Healthcare providers and related companies in the United States and Canada are required to comply with the Health Insurance Portability and Accountability Act (HIPAA, US) or the Personal Information Protection and Electronic Documents Act (PIPEDA, Canada).

Neither of these regulatory acts is particularly new. HIPAA dates to the year 1996 and PIPEDA to the year 2000, so both are largely devoid of contemporary security jargon or references to particular authentication practices.

Healthcare has always generated data. Today it generates an awful lot of data. © rawpixel.com / Pexels

Does this mean that healthcare providers are off the hook when it comes to two-factor authentication (2FA) or multi-factor authentication (MFA), now standard across many other industries?

Let’s take a closer look.

HIPAA: Yes, It Effectively Requires MFA

While HIPAA makes no mention of MFA as such, in e-CFR 45 § 164.308  organizations holding electronic health record (EHR) or electronic medial record (EMR) data are told that they must implement:

  • “Policies and procedures to ensure…appropriate access to electronic protected health information,” which includes the requirement to “prevent those…who do not have access under [the statute] from obtaining access to electronic protected health information” (a.1-4, emphasis added).

  • “[S]ecurity awareness and training” that comprises, in part, security reminders and updates, methods and procedures for protecting against malicious software, procedures for login attempt and login failure monitoring, and procedures for “creating, changing, and safeguarding passwords” (a.5).

These are specified as “addressable” requirements, which means that the specified outcomes must be achieved but the technical details of implementation may vary by organization or context.

Shelves full of medical files are giving way to online storage. HIPAA and PIPEDA require this data to be kept safe, by whatever means is necessary. That means MFA. © Gene Samit / Dreamstime

e-CFR 45 § 164.312  further says that caretakers of EHR or EMR data:

  • “[M]ust…implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs” that should have access under the statute (a.1, emphasis added).

What does all of this mean in plain speech? Let’s paraphrase in simpler terms. As an organization that stores healthcare data, you must:

  • Ensure that only the right users have access to EHR or EMR data, and that the wrong users do not have such access and are excluded

  • Ensure that login credentials are safeguarded and that authorized users know how to—and are able to—safeguard them

Whatever may have been true about passwords in the past, in today’s world login-password pairs:

  • Are easily and frequently stolen or captured

  • Are continuously bought, sold, and circulated on the dark web in the hundreds of millions

  • Do not, as a result, uniquely identify users or ensure that resource access is limited only to authorized users

For these reasons, reliance on passwords alone is simply no longer enough to comply with HIPAA.

Given the present security landscape and the poor level of protection that login-password pairs now provide, the use of MFA is a practical HIPAA requirement in 2019, whether or not “MFA” appears in so many words.

Hundreds of millions of compromised login-password pairs are circulating around the dark corners of the net at any given time. In practical terms, you’re simply not in compliance if you’re depending on login-password pairs for security. © Jordan Harrison / Unsplash

In today’s world, only MFA-secured logins are now plausibly able to meet the addressable requirements specified in e-CFR 45 § 164.308 paragraphs (a)1-5.

PIPEDA: Yes, It Effectively Requires MFA

Like HIPAA, PIPEDA concerns itself primarily with outcomes rather than implementation details.

In particular, the Personal Health Information Protection Act, 2004, c.3, Sched. A, s. 12  says that:

  • “A health information custodian shall take steps that are reasonable…to ensure that personal health information…is protected against theft, loss and unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal.”

In subsequent discussion of PIPEDA and related PHIPA (Ontario), FIPPA (Manitoba), PIPA (British Columbia), and other provincial statutes, offices in the Canadian government have found that “reasonableness” standards are intended:

  • “…to be measured on an objective basis, not according to subjective preferences or opinions,” and that reasonableness is not merely “one’s personal best.” Rather, the question is whether organizations “are objectively diligent and prudent in all of the circumstances.” They note that reasonableness standards can be read to “signify a very high level of rigour.”  

Putting this information together, we can see that circumstances for compliance in Canada are essentially the same as they are for HIPAA in the US.

Are login-password pairs a way to reasonably ensure that personal health information is protected against theft, loss, or unauthorized use, disclosure, copying, or modification? Almost certainly not.

For effect, let’s repeat what we previously said about login-password pairs in 2019. They:

  • Are easily and frequently stolen or captured

  • Are continuously bought, sold, and circulated on the dark web in the hundreds of millions

  • Do not, as a result, uniquely identify users or ensure that resource access is limited only to authorized users

Under these circumstances, has a contemporary Canadian organization taken “reasonable” steps to protect healthcare data if they rely only on login-password pairs? Again, clearly not.

Happily, there are now good alternatives to managing a stack of mobile devices just to achieve MFA. © Freeprod / Dreamstime

The use of MFA is also a practical requirement for Canadian health data compliance in 2019—whether or not “MFA” actually appears in related acts.

Flexibility Does Exist

Since neither act spells out the particular technologies that are to be used in achieving protection for EHR and EMR data, there is room for organizations to find the MFA technologies that are most compatible with their organizational workflows, needs, and constraints.

There are a wide variety of MFA solutions on the market today,  including affordable solutions like Plurilock™ that require no additional hardware and impose no new workflows or delays on users.  

For these reasons, it’s safe to assume that you’re living on borrowed time if your organization cares for EHR or EMR data, yet you don’t yet have MFA in place. Don’t wait, and don’t be lulled into a false sense of security simply because HIPAA and PIPEDA don’t use the term “MFA.”

Find a solution and deploy it. Stat. ■

Subscribe to the newsletter for Plurilock and cybersecurity news, articles, and updates.

You're on the list! Keep an eye out for news from Plurilock.