The Health Insurance Portability and Accountability Act (HIPAA) contains a range of challenging provisions that a company must satisfy to be HIPAA compliant. One of the most challenging is the requirement to ensure the security of protected health information (PHI). While locking away PHI is relatively easy for most companies, the challenge arises from the need for efficiency on the part of patients, doctors, health care facilities, and payers—all of whom collect information so that they can collaborate on the coordination and management of health care costs.
Given that PHI is both personally and legally sensitive, many health care organizations are building additional security into their authentication models. These organizations are going beyond traditional username and password authentication and borrowing an approach from the financial services sector: combining the username and password with a one-time passcode delivered by text message. This provides an additional level of security that, in theory, keeps PHI secure even if usernames and passwords are compromised.
Unfortunately, this authentication method is not as secure as it may seem. The Short Message Service (SMS) that drives text messaging is not a panacea. While it does increase security, SMS may not be enough to meet HIPAA requirements moving forward.
SMS itself is not a very secure protocol. Identity thieves and information thieves can easily send spoofed SMS messages that appear legitimate. Furthermore, since millions of mobile devices are lost or stolen every year, the devices themselves are not reliable security measures.
In addition, SMS authentication does not address a core security concern: end users entering information through compromised channels. Consider this scenario: a cyber criminal uses a phishing email to send a user to a fake site. The user then enters his or her username, password, and SMS code—all of which are handed to the criminal. The criminal then uses that information to log in to the electronic health record and steal the patient’s information. The SMS code has proved futile in this case, just as it does when a cyber criminal uses malware to install keyloggers or Trojans on computers and captures the information directly from the user’s keyboard and screen.
SMS represents a step forward in security for protected health information, but it is not the ultimate solution. Other solutions such as those offered by biometric data (fingerprint scans and other unique identifiers) add an additional level of security, but they, too, are not without their drawbacks.
Looking ahead, the health care information technology industry continues searching for ways to maintain PHI security while also allowing for the appropriate level of collaboration and management among all interested parties.