We often associate data breaches with nefarious hackers and shady dealings. But, according to redpixie.com, about 20% of all data leaks are due to human error by employees within the organization. Last month a stunning example of this kind of negligence occurred: Deep Root Analytics, a data-analytics firm contracted by the Republican National Committee, published internal documents to a publicly accessible Amazon S3 storage bucket because its access settings were misconfigured. No exploit was needed; anyone who knew the address could download the files.
Now here's the rub: those internal documents contained sensitive personal information on nearly every registered voter in the United States, exposing the personal data of the majority of the American public. In addition to identifying information such as home addresses, birthdates, and phone numbers, the records also included modeled political opinions and affiliations, data that many other countries classify as protected information.
While the Deep Root leak was political in nature, the problem it exposes affects healthcare providers and other covered entities even more than it affects political operatives. The HIPAA Privacy Rule's verification requirement (45 C.F.R. § 164.514(h)) obliges a covered entity to "verify the identity of a person requesting protected health information" before disclosing it, whenever that identity is not already known to the entity.
Currently, most organizations in compliance with HIPAA use names, addresses, and birth dates to verify the identity of patients over the phone. This technique is single-factor authentication: the only category of evidence used to verify someone's identity is the knowledge factor. The US Department of Education's Privacy Technical Assistance Center (PTAC) defines a knowledge factor as "knowledge of some unique data associated with the party whose identity is being authenticated." A knowledge factor only proves anything while that data remains secret; once it is public, it is an identifier, not an authenticator. Names, addresses, and birth dates used to be enough to verify a patient's identity. After the Deep Root leak alone, however, that data set has been exposed for about two-thirds of the entire US population, and when you factor in other recent leaks the figure is closer to three out of four. Anyone can use this exposed information to assume a patient's identity over the phone and obtain their protected health information.
Covered entities need to look beyond these common knowledge factors in order to prevent impersonation and stay in compliance with HIPAA. Here are some examples of more robust knowledge factors, from most to least secure:
Complex alphanumeric password
Personal Identification Number (PIN)
Personal, unresearchable security questions (e.g. What was your first pet’s name)
Last four digits of a Social Security number
Each of these is a secret only for as long as it stays unknown to an attacker. The last four digits of a Social Security number appear in many breach dumps and are routinely used as an identifier by other businesses, so treat them as the weakest option on this list, and prefer a PIN or password that the patient sets through a channel you have already verified.
Though many settle for single-factor authentication, the better way to verify identity is two-factor authentication. This type of authentication requires both a knowledge factor and an ownership factor. The PTAC defines an ownership factor as "the possession of something uniquely associated with the party whose identity is being authenticated." The most common and efficient way to obtain this added layer of protection is through the patient's cell phone. When a patient calls with a request that requires authentication, a unique, short-lived code is sent to the phone number on file; they must read that code back in addition to the knowledge factor requested. Two caveats matter in practice. The phone number must have been enrolled in advance through a channel you trust, never supplied by the caller during the same call, or the "ownership" factor proves nothing. And a code delivered by SMS only proves control of the phone number, so anyone who can get that number redirected at the carrier receives the code; it is still a large improvement over address and birthday, but it is not the strongest possible second factor. While this may seem like a huge burden to implement, many options exist, ranging from offerings by large carriers like AT&T to free DIY options on GitHub.
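The call-center flow described above, as an added example that is not code from the original article or from any vendor it mentions. It assumes a PIN as the knowledge factor, a six-digit code sent to the phone number captured at enrollment as the ownership factor, and a `send_sms` callable supplied by whatever SMS gateway you use; the patient record, PIN and phone number are constructed for illustration. Both factors are checked together, every failed attempt counts against the same small budget, and a code expires after five minutes and is valid once.

```python
"""Two-factor caller verification: knowledge factor (PIN) plus ownership factor
(one-time code sent to the phone number already on file).

Added example. The patient, PIN and phone number below are constructed, and
send_sms is a stand-in for a real SMS gateway.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300       # a code is valid for five minutes
MAX_ATTEMPTS = 3            # then the challenge is discarded and must be reissued
PBKDF2_ROUNDS = 100_000


def pin_digest(pin: str, salt: bytes) -> bytes:
    """Hash the knowledge factor so the store never holds PINs in clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class PatientRecord:
    patient_id: str
    enrolled_phone: str     # captured at enrollment, never taken from the caller
    pin_salt: bytes
    pin_hash: bytes

    @classmethod
    def enroll(cls, patient_id: str, phone: str, pin: str) -> "PatientRecord":
        salt = secrets.token_bytes(16)
        return cls(patient_id, phone, salt, pin_digest(pin, salt))


@dataclass
class _Challenge:
    code_hash: bytes
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


class CallerVerifier:
    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # callable(phone_number, code); assumed gateway hook
        self._clock = clock         # injectable so expiry can be tested
        self._challenges: dict[str, _Challenge] = {}

    def issue_challenge(self, patient: PatientRecord) -> None:
        """Send a fresh random code to the enrolled number (ownership factor)."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._challenges[patient.patient_id] = _Challenge(
            code_hash=hashlib.sha256(code.encode()).digest(),
            expires_at=self._clock() + OTP_TTL_SECONDS,
        )
        self._send_sms(patient.enrolled_phone, code)

    def verify(self, patient: PatientRecord, pin: str, code: str) -> str:
        """Return "ok" only when both factors check out; otherwise a reason string."""
        challenge = self._challenges.get(patient.patient_id)
        if challenge is None:
            return "no_challenge"
        if self._clock() > challenge.expires_at:
            del self._challenges[patient.patient_id]
            return "expired"
        # Every attempt burns budget regardless of which factor failed, and the
        # caller is told only "rejected": a caller holding leaked PII but not
        # the PIN cannot use the call to brute-force the six-digit code.
        challenge.attempts_left -= 1
        pin_ok = hmac.compare_digest(pin_digest(pin, patient.pin_salt), patient.pin_hash)
        code_ok = hmac.compare_digest(
            hashlib.sha256(code.encode()).digest(), challenge.code_hash
        )
        if pin_ok and code_ok:
            del self._challenges[patient.patient_id]   # single use
            return "ok"
        if challenge.attempts_left <= 0:
            del self._challenges[patient.patient_id]   # force a fresh code
            return "locked"
        return "rejected"
```

The verifier never asks the caller for a phone number; `issue_challenge` always sends to `enrolled_phone`. Swapping the SMS hook for a push notification or an authenticator app changes only `send_sms` and keeps the rest of the flow intact.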
Two-factor authentication has become the standard across many industries and, frankly, the healthcare industry is falling behind. Robust authentication should be implemented in every system and process that discloses PHI, including the phone line, as quickly as possible. If two-factor authentication is outside your organization's current capability, ensure at the very least that you are no longer using birthday and address alone to confirm identity. The ever-flowing font of human error has ensured that those options are lost to us forever.
Personal information on two-thirds of the American population was leaked by a GOP-contracted analytics firm.
Birthday and address are no longer viable ways to confirm identity.
Two-factor authentication should be implemented wherever possible.