Contributed Commentary By Matt Deres

June 3, 2020 | Whether you are a doctor or a patient, the last thing that’s likely on anyone’s mind during a pandemic is data privacy. But just because the economy and our social lives are pretty much on hold because of COVID-19, that doesn’t mean healthcare privacy can afford to be. HIPAA is as much the law of the land as ever, and once all this passes, hospitals, insurance companies, pharmaceutical companies, and any other organization that deals with patient data will still have to prove that they took sufficient steps to protect patient data.

One of the best steps any organization can take to protect patient privacy during regular times is instituting multifactor authentication, or MFA, protocols. But it becomes absolutely essential during chaotic times, like a global pandemic. A recent study by Microsoft found that the institution of MFA alone reduced the likelihood of an account being compromised by a whopping 99.9%. That’s why with many doctors and other healthcare workers connecting to sensitive patient data remotely, this simple extra step—one which makes the possibility of data falling into the wrong hands that much more remote—should be a no-brainer.

Pick Your factor

It’s important to remember that MFA refers not to any specific means of confirmation, but rather the idea of requiring a second (or third, or more) means of proof that someone who’s attempting to access a system is who they say they are. The second factor most people are familiar with is a text or email with a one-time code that the user must provide before gaining access to their account. But that second factor could just as well be anything else that reliably affirms that the user is who they say they are.

After asserting your identity a first time, often these additional authentication factors run basically in the background, without requiring any more action on the user’s part. The MFA systems will look at other items, like the simple determination of geographic location or recurring, known, IP address, to be a preferred second factor in situations where the sensitivity of the information is lower and ease-of-use is of greater concern. Mainly because of cost and effort of implementation, biometric (face or thumbprint) identification as a second factor is generally reserved for only the most sensitive scenarios. Something like scanning a badge would fall somewhere in the middle on the axes of security and ease-of-use.

Non-repudiation

Multifactor isn’t just important from a security perspective. During this unprecedented time for healthcare workers, it’s also a huge asset from a legal perspective—specifically, with regard to the issue of non-repudiation. With so many working from home or using telemedicine, empirically knowing who is on the other side of that screen is critical to removing these risks. To see why this is an issue, observe that patient data is constantly being shared between doctors, providers, insurance companies, researchers, and other stakeholders. To ensure integrity and accountability, HIPAA requires in many cases that whoever releases the data attach their name and signature to any agreement to share patient health information (PHI). In an office setting, this is typically done through signing paper forms. But with COVID-19 keeping many providers away from the office except for essential tasks, e-signatures are becoming a lot more common.

However, healthcare providers should be aware that e-signatures—although arguably just as secure, if not more so, than paper signatures—still sit in kind of a legal gray area in most U.S. states. That’s where multifactor authentication comes in. A busy doctor or administrator might plausibly argue that they accidentally e-signed for the release of PHI, or that someone else must have signed on their behalf. But if the signer not only provider their signature, but also provided verification through MFA, that argument starts to look pretty weak. In this way, the requirement of second factor before anyone in your organization submits electronic approvals can be an important factor in proving to a court or other legal body that a provider or other holder of patient health information knowingly signed off on a release.

Managing the Transition

You might think that instituting MFA—especially right now—is a big ask for IT right now. But technologically, MFA isn’t actually that difficult to implement. With ready-made solutions already out there for most situations, implementing MFA across an organization can be completed in matter of just a few weeks. The harder part, most organizations find, is the change management component. There’s going to be people in any organization that need a little extra help setting up MFA, whether that’s due to lower technical literacy or because they’re skeptical of the utility of MFA.

That’s why to get full compliance and make the most of MFA, you’ll need buy-in from the top. As an IT leader, getting executive buy-in gives you the authority you need to mandate MFA across the organization. When cybersecurity and data privacy are C-suite priorities, IT can schedule mandatory trainings, set deadlines, and institute any other measures they need to achieve full usage. But moreover, with executives setting the example for the new standards of security at your institution, there’s little room for employees to gripe about the new changes. Because if the president of the hospital has the time to set up and make use of MFA, then certainly so does any doctor, nurse, or other employee.

Matt Deres is senior vice president and chief information officer at Rocket Software, a Boston area-based software development firm specializing in application modernization and optimization, where he oversees IT strategy for the company’s domestic and global operations. He has more 15 years of senior-level transformational IT experience, having previously served in key leadership roles ACI Worldwide, PTC and Thermo Fisher Scientific, among others. He can be reached at mderes@rocketsoftware.com.