U.S. hospitals are increasingly supporting the health IT infrastructure for two-factor authentication to protect access to electronic protected health information (ePHI). The Office of the National Coordinator for Health IT (ONC) reports in a new data brief that as of 2014, about half of non-federal acute care hospitals support two-factor authentication, up 53 percent since 2010.
The technology requires users to provide at least one additional form of identification beyond user name and password to gain access to ePHI. “The use of two-factor authentication to prove one’s identity is based on the premise that an unauthorized actor is unlikely to be able to supply both factors required for access,” the report states.
Examples include requiring users to answer security questions or enter a randomly generated number sent to their mobile device, the report explains. Other authentication factors may include a token or key in the possession of the user or a biometric marker such as a fingerprint or voice recognition. The extra layer of protection satisfies a HIPAA requirement for covered entities to verify authorization for a person seeking access to ePHI.
Since 2010, non-federal acute care hospitals have increased their capability for two-factor authentication by an average of 11 percent each year, according to data drawn from ONC/American Hospital Association (AHA) IT surveys spanning 2010 to 2014.
However, the data brief points out that two-factor authentication varies significantly by hospital type, with medium and large hospitals reporting significantly higher rates of use than other hospital types. The 2014 numbers break down as follows:
Large hospitals – 63 percent
Medium hospitals – 59 percent
Small urban hospitals – 51 percent
Small rural hospitals – 40 percent
Critical access hospitals – 35 percent
The report also reveals variation by state in hospitals’ capability for two-factor authentication. Ohio (93 percent), Vermont (83 percent), Connecticut (81 percent), Virginia (72 percent), District of Columbia (69 percent), California (68 percent), Arkansas (55 percent) and Michigan (55 percent) all reported rates of use significantly higher than the national average. In contrast, 13 states headed by Montana (19 percent), North Dakota (23 percent), Iowa (26 percent) and Louisiana (26 percent) reported significantly lower rates of use than the national average.
The data brief also notes that two-factor authentication is an essential capability for providers who e-prescribe controlled substances.
“In 2010, the Drug Enforcement Administration added the requirement of two-factor authentication for electronic prescribing to the interim final rule, Electronic Prescription for Controlled Substances. This rule gives practitioners the option to electronically prescribe with several options for obtaining authentication credentials,” the report states. “Additionally, the increased use of two-factor authentication by practitioners may help support the [HHS] Secretary’s initiative to decrease opioid-related deaths and morbidity.”
For the underlying survey data, ONC/AHA asked the person most knowledgeable about the hospital’s IT (typically the chief information officer) to respond by mail survey or through a secure online site.
Meghan Gabriel, PhD; Dustin Charles, MPH; JaWanna Henry, MPH; and Tricia Lee Wilkins, PharmD, PhD, from ONC’s Office of Planning, Evaluation and Analysis and Office of Clinical Quality and Safety, co-authored the report.