Office for Civil Rights Comments on Strong Authentication for HIPAA



Zix Staff

On November 7, 2016, the Office for Civil Rights (OCR), the Health and Human Services (HHS) office responsible for enforcing the Health Insurance Portability and Accountability Act (HIPAA), issued its latest newsletter, titled "What Type of Authentication is Right for You?" In the newsletter, the OCR points to weak authentication as a cause of recent healthcare-related cybercrime. The OCR suggests that covered entities and business associates conduct an enterprise-wide risk assessment and consider implementing stronger authentication to protect electronic protected health information (ePHI) and comply with HIPAA.

The most common form of authentication is a user ID and password. The OCR refers to this as single-factor authentication, because it requires only something you know: a password. Stronger authentication requires at least two of the three factor types described below:

  1. Something you know (e.g. a password)

  2. Something you have (e.g. a hardware token, one-time PIN or smart card)

  3. Something you are (e.g. biometrics, such as a fingerprint or retina scan)

Strong authentication is also often referred to as two-factor or multi-factor authentication. Requiring a second, independent factor adds a layer of protection because an attacker who has obtained the password (for example, by phishing or from a breached database) still cannot log in without the second factor. Organizations often avoid putting two-factor authentication in place because of the implementation cost and the impact on users, which leaves their ePHI exposed to exactly the risk the OCR describes.

With 1 in 5 U.S. hospitals and more than half of the Blue Cross Blue Shield organizations using Zix Email Encryption, we understand the importance of protecting ePHI. Our secure messaging portal, ZixPort, allows emails containing ePHI to be delivered securely to anyone, anywhere and on any device. In addition, ZixPort supports multiple forms of authentication, giving healthcare organizations and business associates the control to choose the level of authentication required to meet their needs. The authentication methods available with ZixPort can be classified into three categories: single-factor, two-factor and custom.

Single-Factor Authentication

For customers that want to use single-factor authentication, ZixPort provides basic user ID and password authentication that can be configured to meet their security requirements. For single-factor authentication via user ID and password, ZixPort allows the customer to define the minimum and maximum password length, require mixed-case or alphanumeric characters, restrict the reuse of previous passwords and force periodic password expiry. Customers can also require challenge questions during a password reset; this hardens the reset path, but because the answers are also something you know, the method remains single-factor.
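The controls listed above (length bounds, character-class rules, reuse restriction and expiry) are the usual shape of a password policy, so the following Python shows how such a policy is enforced. This is an added illustration written for this page, not ZixPort's code; the policy field names, the default values, the PBKDF2 hashing of the reuse history and the sample passwords are all assumptions made here.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Sequence, Tuple


@dataclass
class PasswordPolicy:
    """Hypothetical settings mirroring the controls described above."""
    min_length: int = 12
    max_length: int = 128
    require_mixed_case: bool = True     # at least one lower- and one upper-case letter
    require_alphanumeric: bool = True   # at least one letter and one digit
    history_size: int = 5               # previous passwords a new one may not repeat
    max_age_days: int = 90              # forced expiry interval


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. The reuse history stores only (salt, digest)
    pairs, never old plaintexts. The iteration count is an assumption; tune it."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def matches_history(password: str, history: Sequence[Tuple[bytes, bytes]]) -> bool:
    """Re-derive the candidate under each stored salt and compare in constant time."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def validate_password(candidate: str, policy: PasswordPolicy,
                      history: Sequence[Tuple[bytes, bytes]] = ()) -> List[str]:
    """Return every policy violation; an empty list means the password is acceptable.
    Reporting all violations at once avoids a frustrating one-error-per-attempt loop."""
    violations: List[str] = []
    if len(candidate) < policy.min_length:
        violations.append("too_short")
    if len(candidate) > policy.max_length:
        violations.append("too_long")
    if policy.require_mixed_case and not (
            any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)):
        violations.append("mixed_case")
    if policy.require_alphanumeric and not (
            any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        violations.append("alphanumeric")
    # Only the most recent history_size entries count towards the reuse rule.
    if policy.history_size > 0 and matches_history(candidate, history[-policy.history_size:]):
        violations.append("reused")
    return violations


def password_expired(last_changed: datetime, now: datetime, policy: PasswordPolicy) -> bool:
    """Forced expiry: True once the password is older than max_age_days."""
    return now - last_changed > timedelta(days=policy.max_age_days)


if __name__ == "__main__":
    policy = PasswordPolicy()
    history = [hash_password("Winter2016Summer")]                 # constructed sample history
    print(validate_password("short", policy))                      # ['too_short', 'mixed_case', 'alphanumeric']
    print(validate_password("Winter2016Summer", policy, history))  # ['reused']
    print(validate_password("Spring2017Autumn", policy, history))  # []
```

The reuse check re-hashes the candidate under every stored salt, so keep `history_size` small and the iteration count sensible or password changes become slow. Note also that later NIST guidance (SP 800-63B) discourages mandatory periodic expiry and composition rules in favour of length and screening against known-breached passwords; the example implements the controls the page lists, but a current risk assessment should weigh that guidance.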

Two-Factor Authentication

For customers that have determined that encrypted emails containing sensitive information need stronger authentication, ZixPort provides complimentary two-factor authentication that is both easy to implement and easy to use. ZixPort two-factor authentication uses something you know (your password) and something you have (a one-time link or PIN). For example, when an encrypted email is delivered using ZixPort, the recipient receives a new-message notification that contains a unique link (something they have). When the recipient clicks the link to access the encrypted email, they are prompted to enter their password (something they know). When a ZixPort user logs in without a notification link, an email containing a PIN (something they have) is sent to their registered email address to complete the login. Because both the link and the PIN are delivered to the recipient's mailbox, the second factor is effectively possession of that mailbox, so its strength depends on how well the mailbox itself is protected.
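The link and PIN flows described above share one mechanism: a server-issued one-time secret that is unguessable, expires, and can be used exactly once. The following Python shows the "something you have" side of such a scheme; it is an added example written for this page, not ZixPort's implementation, and the token lengths, lifetimes, attempt budget, storage layout and sample user names are assumptions made here. The password check that completes the login is a separate step and is not shown.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass
class OneTimeSecret:
    user_id: str
    digest: bytes           # only a hash of the link token or PIN is kept server-side
    expires_at: datetime
    attempts_left: int      # guess budget; matters for a short numeric PIN
    used: bool = False


class OneTimeAuthStore:
    """Issues and checks the 'something you have' half of the login described above.
    In-memory for illustration; a real deployment would back this with a database."""
    LINK_TTL = timedelta(hours=24)      # assumed lifetimes, not ZixPort's values
    PIN_TTL = timedelta(minutes=10)
    PIN_ATTEMPTS = 3

    def __init__(self) -> None:
        self._links: Dict[bytes, OneTimeSecret] = {}   # keyed by token digest
        self._pins: Dict[str, OneTimeSecret] = {}      # keyed by user, one live PIN each

    @staticmethod
    def _digest(value: str) -> bytes:
        # Plain SHA-256 is enough for a 256-bit random token. A 6-digit PIN is
        # protected by the attempt limit and short lifetime, not by the hash.
        return hashlib.sha256(value.encode("utf-8")).digest()

    def issue_link(self, user_id: str, now: datetime) -> str:
        """Create the unguessable token that goes into the notification e-mail."""
        token = secrets.token_urlsafe(32)          # 256 bits of entropy
        self._links[self._digest(token)] = OneTimeSecret(
            user_id, self._digest(token), now + self.LINK_TTL, attempts_left=1)
        return token

    def redeem_link(self, token: str, now: datetime) -> Optional[str]:
        """Return the recipient the link identifies, or None if unknown, used or expired.
        The link is consumed here; the password prompt that follows is the other factor."""
        rec = self._links.get(self._digest(token))
        if rec is None or rec.used or now >= rec.expires_at:
            return None
        rec.used = True
        return rec.user_id

    def issue_pin(self, user_id: str, now: datetime) -> str:
        """Create the PIN e-mailed to a user who logged in without a link.
        Issuing a new PIN replaces any earlier live PIN for that user."""
        pin = f"{secrets.randbelow(10 ** 6):06d}"
        self._pins[user_id] = OneTimeSecret(
            user_id, self._digest(pin), now + self.PIN_TTL, attempts_left=self.PIN_ATTEMPTS)
        return pin

    def verify_pin(self, user_id: str, pin: str, now: datetime) -> bool:
        """Check a submitted PIN; every call burns an attempt, so PIN_ATTEMPTS wrong
        guesses lock the PIN even if the right one is entered afterwards."""
        rec = self._pins.get(user_id)
        if rec is None or rec.used or now >= rec.expires_at or rec.attempts_left <= 0:
            return False
        rec.attempts_left -= 1
        if not hmac.compare_digest(rec.digest, self._digest(pin)):
            return False
        rec.used = True
        return True


if __name__ == "__main__":
    store = OneTimeAuthStore()
    t0 = datetime(2016, 11, 7, tzinfo=timezone.utc)        # constructed clock
    token = store.issue_link("alice@example.org", t0)       # hypothetical recipient
    print(store.redeem_link(token, t0 + timedelta(hours=1)))   # alice@example.org
    print(store.redeem_link(token, t0 + timedelta(hours=1)))   # None (already used)
    pin = store.issue_pin("alice@example.org", t0)
    print(store.verify_pin("alice@example.org", pin, t0 + timedelta(minutes=1)))  # True
```

Two design points carry over to any real implementation: the store keeps only a digest of the secret, so a leaked database table does not yield usable links, and the clock is passed in rather than read from the system, which makes expiry testable and keeps the issue and redeem paths free of hidden state.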

Custom Authentication

In addition to single-factor and two-factor authentication, ZixPort supports SAML 2.0, which can be used to implement whatever form of authentication the customer requires. Through ZixPort's SAML 2.0 support, customers can use their own identity provider to grant users access to the ZixPort secure messaging portal, and enforce multi-factor authentication there using tokens, smart cards or biometrics. Customers can also use this to integrate the secure messaging portal into their own web site, where users log in once to access both the web site and their encrypted emails.

As healthcare organizations and business associates assess the risk to ePHI sent by email, they can rest assured that Zix solutions provide the security they need, with the level of authentication required to minimize risks and vulnerabilities to their businesses. To learn more about Zix Email Encryption and ZixPort, contact Zix Sales.