HIPAA and Healthcare Applications, Part 1 of 3: What You Need to Know About User Authentication
Of the three main sections of HIPAA — the Privacy Rule, the Security Rule, and the Breach Notification Rule — the Security Rule is the one most relevant to application development in the healthcare sphere. The majority of these applications, from patient portals to mHealth apps, store or transmit electronic protected health information (ePHI). Keeping this information safe is essential, and the Security Rule gives in-depth guidance on what must be protected while leaving a fair amount of flexibility in how that protection is implemented.
Here, we decode the Security Rule as it applies to patient portal and mHealth app development, specifically in regard to user authentication. In Part 2 of this series, we’ll cover auditing, and in Part 3 we’ll discuss issues related to data transfer, such as encryption and notifications.
What is an Appropriate Level of Authentication for Online Patient Access to Health Information?
When a patient first gets set up with a login for a healthcare application, such as a patient portal or healthcare mobile app, some believe that this initial access setup has to happen in person. While this is an option, it is not a requirement. A simpler alternative is for the patient to provide, either in person or by phone, an email address to which the login invitation will be sent. This is a step up from most account setups on the web, where the email address is simply typed into a registration form.
While less secure than in-person authentication, this option may be preferred because of its convenience. By simplifying the process for gaining access to the patient portal, a provider can boost portal use to gain benefits such as improved patient engagement, more efficient appointment scheduling and cancellations, and enhanced treatment plan adherence. The main takeaway is to set up procedures that verify that the person requesting access to ePHI is who he or she claims to be.
Is Multifactor Authentication Necessary?
Multifactor authentication requires two or more different kinds of credentials to log in to an application. Most logins only require a user to enter something he or she knows, such as a password. In multifactor authentication, this is supplemented by a code from something the user has, like a card, security token, or VPN soft token, and/or by direct verification of identity, like a fingerprint. While the HIPAA Security Rule does not require multifactor authentication, it is important to thoroughly consider its provisions on information access management and access control to determine how best to account for them in your healthcare application.
How Strong Do Passwords Need to Be?
Password strength is an area that is gaining increasing attention across industries. While HIPAA does of course require passwords, there is no legal specification on password strength. Therefore, each healthcare organization can decide on requirements during the application development phase. However, given the negative impact on your organization if a data breach does occur, it is in your best interest to be strict about password requirements. The cross-industry best practice for passwords is that they: (1) are over 8 characters long, (2) include a combination of upper and lower case letters, and (3) include at least one numeric and/or special character.
How Should Passwords Be Managed and Monitored?
HIPAA does include addressable implementation specifications on password management and login monitoring. Addressable means that an organization can decide to implement the specification as is, put an alternate security measure or measures in place, or even — if the specification is not reasonable or appropriate to the particular entity — implement nothing. The key is that the decision and the reasoning behind it must be documented in written form, with in-depth consideration and appropriate justification demonstrated.
In this case, HIPAA stipulates that Covered Entities and Business Associates include several important points in their security awareness programs. One is to train staff on procedures for creating, changing, and safeguarding passwords. The other is that staff also learn how to monitor login attempts by external users and to report any potentially problematic login activity, such as failed login attempts. Each organization needs to consider these addressable matters in depth to plan, document, and implement its strategy.
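As an added illustration of the login-monitoring point above (this code is not from the original article), the following Python script flags accounts that hit a burst of failed logins inside a sliding time window, which is the kind of "potentially problematic login activity" staff are expected to report. The key=value log format, the threshold and the window are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (assumed key=value format; a real portal's
# log layout will differ and parse_line would need adjusting).
SAMPLE_LOG = """\
2024-03-01T09:00:01Z user=pat.smith ip=203.0.113.7 result=FAIL
2024-03-01T09:00:09Z user=pat.smith ip=203.0.113.7 result=FAIL
2024-03-01T09:00:15Z user=pat.smith ip=203.0.113.7 result=FAIL
2024-03-01T09:00:22Z user=pat.smith ip=203.0.113.7 result=FAIL
2024-03-01T09:00:30Z user=pat.smith ip=203.0.113.7 result=FAIL
2024-03-01T09:01:02Z user=pat.smith ip=203.0.113.7 result=SUCCESS
2024-03-01T09:05:00Z user=j.doe ip=198.51.100.4 result=FAIL
2024-03-01T09:40:00Z user=j.doe ip=198.51.100.4 result=FAIL
2024-03-01T09:41:00Z user=j.doe ip=198.51.100.4 result=SUCCESS
"""


def parse_line(line):
    """Turn one audit line into a dict with a parsed 'ts' datetime."""
    ts_text, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return event


def find_suspicious_logins(log_text, threshold=5, window_minutes=10):
    """Return {user: time of first alert} for every account that reached
    `threshold` failed logins inside a sliding window of `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    recent_failures = defaultdict(list)  # user -> failure times still in window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event["result"] != "FAIL":
            continue  # only failed attempts count toward the burst
        user = event["user"]
        timestamps = recent_failures[user] + [event["ts"]]
        # Slide the window: keep only failures within window_minutes of this one.
        recent_failures[user] = [t for t in timestamps if event["ts"] - t <= window]
        if len(recent_failures[user]) >= threshold and user not in alerts:
            alerts[user] = event["ts"]
    return alerts


if __name__ == "__main__":
    for user, when in find_suspicious_logins(SAMPLE_LOG).items():
        print(f"ALERT {when.isoformat()} {user}: repeated failed logins, report for review")
```

With the defaults, pat.smith is flagged on the fifth failure while j.doe's two failures 35 minutes apart stay below the threshold; a real deployment would also key on source IP and feed the alert into the organization's reporting procedure.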
What Are the Login Timeout Requirements, and How Does This Apply to a Personal Mobile Device?
HIPAA includes automatic logoff — ending a user’s session after a specified period of inactivity — as another addressable implementation specification. However, the logoff time is not stated. In choosing the number of minutes of allowed inactivity before a session is terminated, it’s important to consider on what device and in what environment the application will be used. If you’re working with an mHealth app that patients will use on their phones anywhere they go, including crowded areas, a short idle timeout of 2 to 3 minutes is advisable. However, if you’re working with the physician side of a patient portal that will be used in a private doctor’s office, a longer timeout, like 10 to 15 minutes, is acceptable.
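As an added example (not part of the original article), here is a small Python session store that applies the shorter mobile timeout and the longer office timeout described above, refusing to extend a session once its idle limit has already passed. The context names and the epoch-seconds time handling are assumptions.

```python
# Idle limits in seconds, in the ranges the article suggests. The context
# names are assumptions for this example.
IDLE_LIMITS = {
    "patient_mobile": 2 * 60,      # phone used anywhere, including crowded places
    "clinician_office": 15 * 60,   # workstation in a private office
}


class Session:
    def __init__(self, user, context, now):
        self.user = user
        self.context = context
        self.last_activity = now
        self.active = True

    def idle_seconds(self, now):
        return now - self.last_activity

    def is_live(self, now):
        return self.active and self.idle_seconds(now) <= IDLE_LIMITS[self.context]


class SessionStore:
    """Tracks sessions and enforces a per-context inactivity timeout.
    Time is passed in explicitly (epoch seconds) so the logic is testable."""

    def __init__(self):
        self._sessions = {}

    def create(self, session_id, user, context, now):
        if context not in IDLE_LIMITS:
            raise ValueError(f"unknown session context: {context}")
        self._sessions[session_id] = Session(user, context, now)

    def touch(self, session_id, now):
        """Record user activity. Returns False (and logs the session off) if
        the idle limit was already exceeded, so the caller must require a
        fresh login instead of serving ePHI on a stale session."""
        session = self._sessions.get(session_id)
        if session is None:
            return False
        if not session.is_live(now):
            session.active = False
            return False
        session.last_activity = now
        return True

    def sweep(self, now):
        """Background pass: terminate every idle session, returning their ids."""
        expired = [sid for sid, s in self._sessions.items()
                   if s.active and not s.is_live(now)]
        for sid in expired:
            self._sessions[sid].active = False
        return expired
```

The important detail is that `touch` checks the limit before extending the session, so a request arriving after the idle window cannot silently revive it.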
We’ve only scratched the surface of the Security Rule. Check back in February for Part 2 (HIPAA auditing) and Part 3 (encryption, servers, and notifications to patients).