Better identity and access management (IAM) is no longer a luxury but a necessity to avoid costly fines for HIPAA violations. New IAM methodology can benefit the entire healthcare system, from hospitals and physicians’ offices to patients to contractors and medical suppliers, in terms of security, compliance, efficiency, and convenience.
The HIPAA Security Rule is primarily focused on restricting access to electronic patient health information. Anyone who stores patient records, whether they are a care provider or not, must “implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.” It cannot be emphasized enough that username/password combinations are simply not secure enough to withstand attacks from today’s cyber criminals. Through phishing, brute force, or simply taking advantage of written-down or unencrypted lists of passwords, criminals can easily overcome this single barrier and access an account. To help achieve HIPAA compliance and prevent a data breach, two-factor authentication is a must-have. By adding a one-time passcode sent to the user via text message, email, or mobile app, an additional layer of security is incorporated into the login process. An attacker must be able to access an entirely different account or device in order to intercept the two-factor passcode, and must do so within a tight timeframe before the passcode expires. The chances of a successful cyber-attack are dramatically reduced, ensuring patient privacy and protecting your organization from potential liability or HIPAA fines.
Another IAM technology that both enhances security and increases efficiency is single sign-on (SSO). With SSO, a user enters a username and password (and uses a one-time passcode, if two-factor authentication is enabled!) to access a portal, where they can then open any application their organization has authorized them to use. No more passwords need to be entered; the user is seamlessly redirected to the application. This improves security by decreasing reliance on the user choosing and remembering a strong and unique password for every single account they use.
Additionally, the credentials that a user would have entered to access an application are saved within the organization’s network, without the user ever needing to know them. These credentials are used to form a certificate that is compared with a matching certificate from the application the user selects. The certificate match is all that is required for a successful login; passwords never leave the organization’s network, so hacks stemming from exposed or intercepted credentials will be a thing of the past.
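To make the SSO flow of the last two paragraphs concrete, here is an added example that is not part of the original article and does not describe any particular vendor's product. It models the portal as an identity provider that verifies the password once, then issues a short-lived signed assertion scoped to one authorized application; the application checks the signature, audience, and expiry and never sees the password. The assertion format (base64 JSON plus an HMAC-SHA256 tag) and the shared key are simplifications assumed for the example; real deployments use SAML or OpenID Connect, where the application verifies the portal's public-key signature instead.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed key shared between portal and applications for this demo only.
SHARED_KEY = b"constructed-demo-signing-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Portal:
    """The SSO portal: holds the user directory, authenticates once, issues assertions."""

    def __init__(self, key: bytes, allowed_apps: dict):
        self.key = key
        self.users = {}                      # username -> (salt, pbkdf2 hash)
        self.allowed_apps = allowed_apps     # username -> set of app ids the user may open

    def enroll(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, _hash_password(password, salt))

    def login(self, username: str, password: str) -> bool:
        salt, stored = self.users.get(username, (b"\0" * 16, b"\0" * 32))
        return hmac.compare_digest(_hash_password(password, salt), stored)

    def issue_assertion(self, username: str, app_id: str, now: int, ttl: int = 300):
        """After a successful login, hand the user a signed, audience-bound, expiring assertion."""
        if app_id not in self.allowed_apps.get(username, set()):
            return None                      # not authorized for this application
        claims = {"iss": "portal", "sub": username, "aud": app_id, "iat": now, "exp": now + ttl}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        tag = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{tag}"


class App:
    """A relying application: trusts the portal's signature, never handles the password."""

    def __init__(self, app_id: str, key: bytes):
        self.app_id = app_id
        self.key = key

    def accept(self, assertion: str, now: int):
        """Return the authenticated username, or None if the assertion is not acceptable."""
        try:
            body, tag = assertion.split(".")
            expected = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
            if not hmac.compare_digest(tag, expected):
                return None                  # forged or tampered
            claims = json.loads(_unb64(body))
        except (ValueError, TypeError):
            return None
        if claims.get("iss") != "portal" or claims.get("aud") != self.app_id:
            return None                      # issued by someone else, or for another app
        if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
            return None                      # expired or not yet valid
        return claims.get("sub")


# Constructed demo directory: one clinician authorized for the EHR but not for billing.
PORTAL = Portal(SHARED_KEY, {"dr_smith": {"ehr"}})
PORTAL.enroll("dr_smith", "correct horse battery staple")
EHR_APP = App("ehr", SHARED_KEY)
BILLING_APP = App("billing", SHARED_KEY)

if __name__ == "__main__":
    if PORTAL.login("dr_smith", "correct horse battery staple"):
        token = PORTAL.issue_assertion("dr_smith", "ehr", now=1000)
        print("EHR sees user:", EHR_APP.accept(token, now=1100))
        print("billing rejects same token:", BILLING_APP.accept(token, now=1100))
```

The application only ever receives the assertion, so a compromised application server cannot leak the user's password, and an assertion stolen from one application is useless at another because of the audience check and expires within minutes because of the `exp` claim.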