Why companies in Health sector should take their User Authentication seriously?

According to the Identity Theft Resource Center (ITRC) figures for 2016, more than 80 percent of reported breaches were caused by password issues. Of those breaches, 36 percent occurred in healthcare, with 44 percent of those involving health records.

The sensitive thing about healthcare data is that, once it has been compromised, you can't take it back or re-issue it.

That is why regulations and guidelines emphasise that healthTech companies must take user authentication and account security very seriously and implement appropriate safeguards.

HIPAA (Health Insurance Portability and Accountability Act) is a US law that regulates the privacy and security of certain health information. When it comes to user authentication, HIPAA requires covered entities (such as healthcare providers, health plans, and healthcare clearinghouses) and their business associates to implement reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI).

Here are some important HIPAA provisions related to user authentication and account security:

1. Access controls (45 CFR § 164.312): Covered entities must implement access controls that restrict access to ePHI to only those individuals or entities that have been authorised to access it. This includes implementing unique user IDs, emergency access procedures, automatic logoff, and encryption and decryption.

2. Audit controls (45 CFR § 164.312): Covered entities must implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. This includes tracking user login attempts, changes to user accounts, and failed login attempts.

3. Person or entity authentication (45 CFR § 164.312): Covered entities must implement procedures to verify that a person or entity seeking access to ePHI is the one claimed. This includes using passwords, PINs, smart cards, biometric identification, or other forms of authentication.

4. Unique user identification (45 CFR § 164.312): Covered entities must assign a unique name and/or number for identifying and tracking user identity. This includes creating a process for verifying the identity of new users, and disabling old or unused user accounts.

In summary, HIPAA requires healthTech companies to ensure strong identity proofing and identity binding. Identity proofing is the process of verifying a person's identity before granting them access to a particular service, system or facility. Identity binding is the process of linking a specific user's identity or credentials to a particular resource or action.

To comply with HIPAA, healthcare companies generally add a second authentication factor alongside the user ID and password. However, that increases complexity, lowers adoption and makes login difficult, especially for elderly people.

There is one good example healthTech companies can look at. The UK's National Health Service (NHS) wanted to implement a robust yet simple login method for the NHS app. They evaluated user authentication methods against six criteria, and these criteria can also serve as benchmarks for other healthTech companies:

1. Open, scalable standards

2. Public key cryptography

3. Biometric information stored on the user’s device, not the NHS or medical provider’s servers

4. Support for Android and iOS mobile platforms and other OS

5. Market/sector agnostic

6. Used by well-established applications and organisations

They evaluated multiple platforms against these criteria and finally decided to go ahead with the FIDO protocol, because it fit their criteria perfectly.

Passkeys, based on the FIDO standard, can be a panacea for healthTech companies: they are an easier and stronger authentication method that simply makes them compliant with regulations like HIPAA.

Visit www.soundauth.com

#healthtech #userauthentication #hipaa #passkey #fido

More articles from Trillbit Inc
