Two-Factor Authentication Far from Ubiquitous at HospitalsFederal Report Finds There's Still a Long Way to Go
Despite the frequency of data breaches in the healthcare sector, only half of U.S. hospitals have the infrastructure to support two-factor authentication, according to a new report from the Office of the National Coordinator for Health IT. Plus, some healthcare information security leaders say implementation of the technology at many of those facilities is likely relatively narrow.
The ONC report about two-factor authentication is based on the findings of an American Hospital Association 2014 survey of almost 2,700 hospitals of various sizes and types across all 50 states. Among the key findings:
- Some 49 percent of hospitals reported their IT department supports an infrastructure for two-factor authentication, representing a 53 percent increase since 2010;
- Since 2010, non-federal acute care hospitals increased their capability for two-factor authentication by an average rate of 11 percent every year;
- Fifty-nine percent of medium-sized and 63 percent of large hospitals have the capability for two-factor authentication;
- Fifty-one percent of small urban hospitals have the capability for two-factor authentication;
- Only 35 percent of critical access and 40 percent of small rural hospitals report having the two-factor authentication capability.
The report notes that HIPAA offers two-factor authentication as a possible method to provide security to ePHI. In addition, two-factor authentication is an essential capability for providers who e-prescribe controlled substances. In 2010, the Drug Enforcement Administration added the requirement of two-factor authentication for electronic prescribing to the interim final rule for Electronic Prescription for Controlled Substances.
The DEA rule gives practitioners the option to electronically prescribe prescriptions with several options for obtaining authentication credentials, the ONC report notes.
Far fewer than half of U.S. hospitals likely have widely implemented two-factor authentication as part of their informations security efforts, two hospital security leaders say.
"Two-factor authentication is increasingly important for e-prescribing of controlled substances and for risk mitigation of stolen credentials," says John Halamka, CIO of the Beth Israel Deaconess HealthCare system in Boston. "My experience in the industry is that this is still a work in process and most hospitals do not yet have the technology in place."
Halamka notes that the ONC report summarizes the AHA survey that asks the organizations: "Does your IT department currently support an infrastructure for two-factor authentication - such as tokens or biometrics?" But the study doesn't necessary shed light on the use of the technology at those institutions that have an infrastructure capable of supporting two-factor.
"It isn't surprising to see a large number of facilities that can support it. What it doesn't show is the percent of total users with access to PHI and PII within each organization that use two-factor authentication. That is the key question."
John Houston, vice president of privacy and information security and associate counsel at the University of Pittsburgh Medical Center, raises similar concerns.
"While I suspect that the [report's] statistics are accurate, the adoption of multifactor is not an all-or-nothing proposition," he says. "My experience shows that historically, depending on how an organization uses multifactor, the implementation can be significant effort and costly. This alone makes it difficult for many hospitals to adopt. So, many hospitals may choose to implement multifactor for one or two use cases [such as for] e-prescribing, remote email access, etc."
The Pittsburgh-based healthcare system uses multifactor authentication in numerous different environments, Houston notes. "However, our needs continue to change. This is not only due to things like e-prescribing, but due to more general concerns regarding security - especially in the context of remote access. As more services move to the cloud, and we become more connected via mobile technologies, our use of multifactor will need to mature," he says.
The industry is making multifactor authentication simpler and cheaper to adopt, Houston says. "However, it remains to be seen how the move to the cloud will affect multifactor adoption."