
Does HIPAA require MFA? – Ep 418 

 August 4, 2023

By  Donna Grindle

We all know how important it is to keep our personal information and important data secure. MFA can add an extra layer of protection to our digital lives. But does HIPAA require MFA? The short answer: no, but yes. Listen in to hear how best to lock your cyber door against cyber attacks.


In this episode:


Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA




HIPAA Briefs

[02:54] Does HIPAA require MFA? Specifically. No. But….

As the June OCR newsletter makes clear, it isn’t just about whether or not it specifically states anything about MFA. It is about assessing your risk just like anything else with HIPAA.

HIPAA regulated entities are required to implement authentication solutions of sufficient strength to ensure the confidentiality, integrity, and availability of their ePHI. A regulated entity’s risk analysis should guide its implementation of authentication solutions to ensure that ePHI is appropriately protected. As a best practice, regulated entities should consider implementing multi-factor authentication solutions, including phishing-resistant multi-factor authentication, where appropriate to improve the security of ePHI and to best protect their information systems from cyber-attacks.

(June 2023 OCR Cybersecurity Newsletter, HIPAA and Cybersecurity Authentication)

HIPAA Say What!?!

[09:29] The old tricks are making a comeback. We are starting to see the old Microsoft tech support scam and the FBI scam from years ago making a successful comeback in the wild. If you have a security incident in your organization, you need to do a HIPAA Breach Assessment to determine the probability of compromise (of PHI).

This is commonly called the four-factor breach assessment. The four factors are:

  1. The nature and extent of the PHI involved, including types of identifiers, and the likelihood of re-identification
  2. The unauthorized party who used the PHI or to whom the disclosure was made
  3. Whether PHI was actually acquired or viewed
  4. The extent to which the risk to the PHI has been mitigated

Each factor is rated as high, medium, or low risk, and the ratings are combined into an overall probability that the PHI was compromised. Keep in mind how the Breach Notification Rule frames this: an impermissible use or disclosure is presumed to be a breach unless the organization can demonstrate, and document, a low probability of compromise. Only that documented low-probability finding relieves the organization of notifying affected individuals. If the factors lead to a medium or high probability of compromise, notification is mandatory.

Knowing how to identify PHI, where it is located, and how it flows through your organization will be vital in this assessment.

Does HIPAA require MFA?

[17:40] HIPAA says nothing, specifically, about MFA. But, it does require HIPAA regulated entities to implement authentication solutions that can sufficiently reduce the risks to the confidentiality, integrity, and availability of ePHI. HHS’ June 2023 newsletter discusses this very topic.

June 2023 OCR Cybersecurity Newsletter | HHS.gov

What is MFA?

At least two of the following:

  1. Something you know (e.g., password, personal identification number (PIN))
  2. Something you have (e.g., smart ID card, security token)
  3. Something you are (e.g., fingerprint, facial recognition, other biometric data)
Authentication that requires a user to present multiple instances of the same factor is not multi-factor authentication.

(June 2023 OCR Cybersecurity Newsletter, HIPAA and Cybersecurity Authentication)

That means you are not doing MFA simply by using a password AND a pin code. That solution is just using two of the same from the list above – something you know.

Everyone needs to implement MFA

[23:44] Size doesn’t matter when it comes to cybersecurity. Everyone is a target, and everyone should do the basics, which now include MFA at every point where it can be used.

The National Institute of Standards and Technology (NIST) advocates for increased use of multi-factor authentication by small businesses stating that “it is necessary to add more layers of authentication beyond a password to ensure that accounts remain secured.” CISA recommends that all organizations “[v]alidate that all remote access to the organization’s network and privileged or administrative access requires multi-factor authentication” as part of its “Shields Up” guidance. The U.S. Department of Health & Human Services (HHS) 405(d) Task Group recognized the importance of multi-factor authentication by encouraging its use for remote access to systems and to email as best practices in its suite of publications in April 2023, Health Industry Cybersecurity Practices.

(June 2023 OCR Cybersecurity Newsletter, HIPAA and Cybersecurity Authentication)

You should understand what you’re implementing when you turn on MFA. Often you have a choice of second factor: a code sent by email, a code sent by SMS (text message), or an authenticator app. We do not recommend email or SMS codes. They are better than nothing, but SMS codes can be captured through SIM swapping or number porting, an email code is only as strong as the mailbox that receives it (which is often protected by nothing more than a password), and a phishing site can relay either kind of code to the real login in real time. An authenticator app is preferable, and where the “phishing-resistant” option the OCR newsletter mentions is available (FIDO2/WebAuthn security keys or passkeys, which are bound to the site’s origin and cannot be relayed by a look-alike site), it is the strongest choice. You should have MFA on your email, financial sites, VPN connections (or any other remote access application) and on anything that contains valuable or sensitive data.

HIPAA doesn’t name MFA, but in practice it requires it. Every industry guidance document and best-practice framework recommends some form of MFA, and that is well documented. So if you aren’t doing it and an incident occurs, it will be much harder to defend you unless you have implemented MFA or a documented compensating control.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.TM

Special thanks to our sponsors Security First IT and Kardon.
