Protected Health Information (PHI) is hacked, stolen or misused with regularity and more than need be.  Sometimes you can’t help HIPAA breaches, but often times there are measures you can and should take to protect and secure PHI data.

All health care agencies must abide by the HIPPA and HITECH laws, but it is within their rights to determine which security policies to implement.  Your agency is at high risk of breach if:

• You conduct offsite activities using public internet access
• Your clinicians use personal computers for catching up on patient charts during off hours
• Portable devices are frequently carried off site, increasing the risk of theft
• A lot of PHI is in paper format and goes off site

If your data is encrypted you would probably not be found at fault according to HIPAA rules, but fault or no, the PHI was already compromised.  So why take that risk?  2-Factor Authentication (2FA) utilizes one-time passwords that can be accessed via email or text, for fulfilling log-in requirements adding a second layer of security to maintain the integrity of your data.

Why should you deploy 2FA?

• Standalone passwords can be vulnerable to hackers. Two-factor au­thentication (2FA) adds a second security layer to recon­firm your identity.
• When sharing or accessing protected health information (PHI) with outside networks, using two-factor authenti­cation is essential.
• 2FA makes working remotely more secure.
• Added security measures reduce the probability of a hacker gaining access to data, resulting in fewer security breaches.

In order for 2FA to work, users must have a valid phone number and/or email address configured.  Phone number must be able to receive SMS messages keeping in mind that user may be billed by their carrier for receiving SMS.  Email address must be accessible from the location users are likely to log in.

2FA is not perfect and will not hold all the hackers at bay, but it definitely improves the security of PHI.  Staff still must handle paper, portable devices and PHI data responsibly.  2FA remembers devices previously used, so for example using the same computer at work would not require 2FA each time you log in.