This document discusses healthcare organizations' requirements to comply with HIPAA and HITECH regulations regarding access to electronic protected health information (EPHI). It notes that regulations are progressing towards requiring multi-factor authentication for EPHI access. Violations of HIPAA and HITECH can result in penalties up to $1.5 million per category. Over 95% of data breaches are due to exploitation of weak or stolen credentials. The document recommends organizations implement an active multi-factor authentication strategy to prepare for future requirements and reduce data breach risks. It introduces aPersona's Adaptive Security Manager as a solution designed to provide scalable and customizable multi-factor authentication aligned with transaction risk levels.

1. Healthcare:
HIPAA
&
HITECH
Compliance
Copyright
©2015
aPersona,
Inc.
sales@apersona.com
-­‐
www.apersona.com
-­‐
866-­‐229-­‐0177
v2.0
Healthcare
IT
organizations
and
Healthcare
Services
companies
are
required
to
comply
and
adhere
to
Health
Insurance
Portability
&
Accountability
Act
(HIPAA)
and
Health
Information
Technology
for
Economic
Health
(HITECH)
rules
and
regulations.
HIPAA/HITECH Multi-­‐Factor & 2-­‐Factor Recommendations
Historically,
HIPAA
and
HITECH
standards
for
authentication
have
recommended
multi-­‐factor
and
two-­‐factor
authentication
(M2FA)
for
access
to
Electronic
Protected
Health
Information
(EPHI)
and
are
steadily
progressing
toward
requiring
M2FA.
• December
2006:
HIPAA
Security
Guidance
Highlights
2-­‐Factor
Authentication
for
EPHI
Access
• September
2012:
DHHS
ONC
recommends
NIST
LOA3
Multi-­‐Factor
Assurance
• February
2014:
DHHS
Proposed
Rules
Seeking
Inclusion
of
2-­‐Factor
for
2017
Edition
Rulemaking
• October
2015:
Final
Meaningful
Use
Stage
3
Requirements
and
Timeline
Announced
with
strong
indications
that
multi-­‐
factor
authentication
will
be
a
part
of
future
requirements.
HITECH Violations and Penalties
At
the
same
time,
Violations
&
Respective
Penalty
Amounts
have
been
amended
and
updated
to
include
4
Violation
categories
each
of
which
carry
a
maximum
penalty
of
$1.5M.
HITECH
Act
Enforcement
Interim
Final
Rule
CATEGORIES
OF
VIOLATIONS
AND
RESPECTIVE
PENALTY
AMOUNTS
AVAILABLE
Violation
Category
–
Section
1176(a)(1)
Each
Violation
All
such
violations
of
an
identical
provision
in
a
calendar
year.
(A) Did
Not
Know……………………………….
$100-­‐$50,000
$1,500,000
(B) Reasonable
Cause………………………..
$1,000-­‐$50,000
$1,500,000
(C)(i)
Willful
Neglect-­‐Corrected………………..
$10,000-­‐$50,000
$1,500,000
(C)(ii)
Willful
Neglect-­‐Not
Corrected…………
$50,000
$1,500,000
Over 95% of Data Breaches Result from Exploitation of Weak or Stolen Credentials
At
the
intersection
of
the
current
regulatory
guidance
path
for
advanced
multi-­‐factor
&
2-­‐Factor
authentication,
and
the
current
penalties
associated
with
EPHI
violations
lies
the
fact
that
over
95%
of
data
breaches
result
from
the
exploitation
of
weak
or
stolen
credentials
(Verizon
2014
Data
Breach
Report).
What Should You Do? How Can You Prepare?
Given
the
projected
HIPAA
&
HITECH
authentication
requirements,
current
escalating
penalties
and
data
breach
risks
associated
with
accessing
Electronic
Protected
Health
Information,
it
is
abundantly
clear
that
your
organization
should
have
an
active
and
progressing
multi-­‐factor/2-­‐factor
authentication
strategy
in
place.
If
you
have
spent
much
time
on
this
topic
and
reviewed
M2FA
products
and
solutions
you
have
likely
discovered
a
number
of
road
blocks.
• Expensive
per/user
licensing
fees
are
simply
out
of
line
with
the
reality
of
today’s
user
populations.
• Lack
of
intelligence
and
adaptability
forces
users
to
jump
through
additional
login
steps
every
time
they
login,
obliterating
the
user
access
experience.
• Physical
Token
requirements
are
expensive
to
deploy
and
manage
–
especially
with
large
user
groups.
• Lack
of
integration
capability
prevents
the
use
of
M2FA
post
login
where
potentially
higher
risk
transactions
may
require
additional
layers
of
security.
•
The
ability
to
align
transaction
risk
with
the
appropriate
additional
layers
of
authentication
factors
and
the
capability
to
monitor
and
evaluate
risk
analytics
are
simply
missing.
aPersona – Adaptive Security Manager™ for HIPAA & HITECH Compliance
aPersona’s
Adaptive
Security
Manager™
(ASM™)
was
developed
to
address
all
the
shortcomings
found
in
the
Multi-­‐Factor/2-­‐Factor
marketplace.
aPersona’s
adaptive
multi-­‐factor
solution,
ASM™,
is
designed
to
scale
and
provide
a
customized
set
of
additional
factors
that
can
be
dialed-­‐in
and
tuned
to
reach
any
required
level
of
risk
and
compliance
level.
These
additional
factors
include
public
and
private
IP
addresses,
IP
geographical
location,
cookies,
hundreds
of
user
device
attributes,
application
specific
factor
verifications,
user
specific
factor
verification
overrides,
application
specific
factor
time-­‐outs,
device
category
factor
time-­‐outs,
Man-­‐in-­‐the-­‐Middle
detection
&
real-­‐time
risk
scoring.
aPersona
has
multiple
modes
including
adaptive
learning,
monitoring
risk
without
challenging
users,
active
adaptive
mode
and
full
challenge
mode.
You
can
deploy
it
everywhere,
monitor
everything,
challenge
where
needed
and
modify
risk
settings
over
time
to
match
your
data
risk
requirements,
reduce
your
data
breach
exposures,
and
easily
adapt
to
changing
regulations
over
time
all
at
a
price
point
that
fits
reality!