HIPAA and Healthcare Applications, Part 1 of 3: What You Need to Know About User Authentication
Of the three main components of HIPAA — the Privacy Rule, the Security Rule, and the Breach Notification Rule — the Security Rule is the one most relevant to application development in the healthcare sphere. The majority of these applications, from patient portals to mHealth apps, store or transmit electronic Protected Health Information (ePHI). It’s essential to keep this information safe, and the Security Rule provides in-depth guidance on the extent to which this must be accomplished, while leaving a fair amount of flexibility in the strategies used to implement it.
Here, we decode the Security Rule as it applies to patient portal and mHealth app development, specifically in regards to user authentication. In Part 2 of this series, we cover auditing, and in Part 3 we discuss issues related to data transfer, such as encryption and notifications.
What is an Appropriate Level of Authentication for Online Patient Access to Health Information?
When a patient first gets set up with a login for a healthcare application, like a patient portal or healthcare mobile app, there is a belief among some that this initial access setup needs to happen in person. While this is an option, it’s not a requirement. A simpler alternative is for the patient to provide, either in person or by phone, the email address to which the registration invitation will be sent. This is a step up from most account setups on the web, where the email address is simply entered into a registration form. Patients could also register autonomously, also referred to as self-registration, with their identity verified through challenge questions produced by a third party such as IDology.
While these two options are less secure than in-person authentication, they may be preferred for convenience. By simplifying the process for gaining access to the patient portal, a provider can boost portal use to gain benefits such as improved patient engagement, more efficient appointment scheduling and cancellations, and enhanced treatment plan adherence. The main takeaway is to set up procedures that verify that the person requesting access to ePHI is who he or she claims to be.
At Bridge Patient Portal, one of the most common complaints made by healthcare organizations using other patient portals, typically bundled with their EHR vendor, is the cumbersome process patients must go through to register.
Is Multifactor Authentication Necessary?
Multifactor authentication is defined as requiring a patient to produce more than one type of credential to log in to an application. The majority of logins only require a user to enter information that he or she knows. In multifactor authentication, this can be supplemented by requirements to enter a code from an object like a card, security token, or cell phone via SMS message, and/or by direct verification of identity, like a fingerprint or challenge questions. As passwords and access to email accounts can easily be compromised, multifactor authentication is growing in popularity for portal user authentication and portal user registration. While the HIPAA Security Rule does not require multifactor authentication, it is important to thoroughly consider its provisions on information access management and access control to determine how to best account for them in your healthcare application.
How Strong Do Passwords Need to Be?
Password strength is an area that is gaining increasing attention across industries. While HIPAA does of course require passwords, there is no specific legal specification on password strength. Therefore, each healthcare organization can decide on requirements during the application development phase. However, there are numerous documents discussing best practice, and ONC certified patient portals do require a specific password strength. The cross-industry best practice for passwords is that they: (1) are over 8 characters long, (2) include a combination of upper and lower case letters, and (3) include at least one numeric and/or special character.
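As an added example (not code from the original article or from Bridge Patient Portal), here is a Python check that enforces exactly the three baseline rules above and reports which ones a candidate password fails; the function and rule wording are this example's own.

```python
import re

# The article's cross-industry baseline: over 8 characters, upper and lower
# case letters, and at least one digit or special character. The function
# and rule wording are this example's own (hypothetical).

def password_policy_violations(password):
    """Return the baseline rules the candidate password fails (empty list = passes)."""
    violations = []
    if len(password) <= 8:
        violations.append("must be longer than 8 characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        violations.append("must mix upper and lower case letters")
    if not re.search(r"[0-9]", password) and not re.search(r"[^A-Za-z0-9]", password):
        violations.append("must contain at least one digit or special character")
    return violations

def meets_baseline(password):
    """True when the password satisfies every baseline rule."""
    return not password_policy_violations(password)
```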
How Should Passwords Be Managed and Monitored?
HIPAA does include addressable implementation specifications on password management and login monitoring. Addressable means that an organization can make the decision to implement the specification as is, choose to put an alternate security measure or measures in place, or even — if the specification is not reasonable or appropriate to the particular entity — implement nothing. The key is that the decision and the reasoning behind it must be documented in written form, with in-depth consideration and appropriate justification demonstrated.
In this case, HIPAA stipulates that Covered Entities and Business Associates include several important points in their security awareness programs. One is to train staff on procedures for creating, changing, and safeguarding passwords. The other is that staff also learn how to monitor login attempts by external users and to report any potentially problematic login activity, such as failed login attempts. Each organization needs to consider these addressable matters in depth to plan, document, and implement its strategy.
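To make the login-monitoring point concrete, here is an added example (not code from the article or from any portal vendor) that scans constructed portal log lines and reports users whose failed login attempts pile up inside a short time window; the log format, the five-failure threshold and the ten-minute window are this example's own assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical portal format:
# "<ISO timestamp> <username> <source IP> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2024-03-01T09:00:05 jdoe 203.0.113.7 LOGIN_FAIL
2024-03-01T09:00:19 jdoe 203.0.113.7 LOGIN_FAIL
2024-03-01T09:00:41 jdoe 203.0.113.7 LOGIN_FAIL
2024-03-01T09:01:02 jdoe 203.0.113.7 LOGIN_FAIL
2024-03-01T09:01:30 jdoe 203.0.113.7 LOGIN_FAIL
2024-03-01T09:05:00 asmith 198.51.100.4 LOGIN_FAIL
2024-03-01T09:05:20 asmith 198.51.100.4 LOGIN_OK
2024-03-01T09:30:00 bwong 192.0.2.9 LOGIN_FAIL
"""

def parse_log(text):
    """Turn the raw lines into (timestamp, user, ip, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, outcome))
    return events

def flag_failed_logins(events, threshold=5, window=timedelta(minutes=10)):
    """Return {user: peak failure count} for users whose failed attempts reach
    `threshold` inside any sliding window of length `window` (assumed values)."""
    failures = defaultdict(list)
    for ts, user, _ip, outcome in sorted(events):
        if outcome == "LOGIN_FAIL":
            failures[user].append(ts)
    flagged = {}
    for user, stamps in failures.items():
        start = 0
        for end in range(len(stamps)):
            # advance the window start until the window spans at most `window`
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged

if __name__ == "__main__":
    for user, count in flag_failed_logins(parse_log(SAMPLE_LOG)).items():
        print(f"report: {user} had {count} failed logins within 10 minutes")
```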
What Are the Login Timeout Requirements, and How Does This Apply to a Personal Mobile Device?
HIPAA includes automatic logoff — when the application ends a user’s session after a specific period of inactivity — as another addressable implementation specification. However, the time to logoff is not stated. In choosing the number of minutes of allowed inactivity before a session is terminated, it’s important to consider on what device and in what environment the application will be used. If you’re working with an mHealth app that will be used by patients on their phones anywhere they go, including crowded areas, a short logout time of 2 to 3 minutes is advisable. However, if you’re working with the physician side of a patient portal that will be used in a private doctor’s office, a longer logout time, like 10 to 15 minutes, is acceptable.
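As an added example (not code from the article or from any portal product), the following Python session object applies a context-dependent inactivity limit in the spirit of the guidance above: a short limit for a patient on a phone, a longer one for a clinician in a private office. The context names and the exact minute values chosen within the article's ranges are this example's assumptions.

```python
from datetime import datetime, timedelta

# Inactivity limits following the article's guidance: a patient mHealth app
# used on a phone in public gets a short limit, a clinician-side portal used
# in a private office a longer one. The context names and the exact values
# within the article's ranges are this example's assumptions.
INACTIVITY_LIMITS = {
    "patient_mobile": timedelta(minutes=3),
    "clinician_office": timedelta(minutes=15),
}

class Session:
    def __init__(self, context, started):
        if context not in INACTIVITY_LIMITS:
            raise ValueError(f"unknown session context: {context}")
        self.context = context
        self.last_activity = started
        self.active = True

    def touch(self, now):
        """Record a request at `now`. Returns True if the session is still valid;
        otherwise ends it permanently (automatic logoff) and returns False."""
        if not self.active:
            return False
        if now - self.last_activity > INACTIVITY_LIMITS[self.context]:
            self.active = False   # timed out: the user must log in again
            return False
        self.last_activity = now
        return True

def simulate(context, minute_offsets):
    """Replay requests at the given minute offsets from session start and
    return whether each one was accepted."""
    started = datetime(2024, 3, 1, 9, 0, 0)   # constructed start time
    session = Session(context, started)
    return [session.touch(started + timedelta(minutes=m)) for m in minute_offsets]
```

Note that a timed-out session is never revived by a later request; the user has to authenticate again.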