We often associate data breaches with nefarious hackers and shady dealings. In reality, however, breaches aren’t so clear cut.
About 20% of all data leaks are due to human error from employees within the organization. This sort of mistake came to the spotlight in 2017 when a GOP firm accidentally leaked personal information of nearly 200 American voters.
The GOP Data Leak
Deep Root, a data-analytics firm contracted by the Republican National Committee published internal documents on a publicly accessible Amazon server due to misconfigured security access settings.
Those internal documents contained sensitive personal information on every registered voter in the United States, exposing the personal data of the majority of the American public.
In addition to important information including home addresses, birthdates, and phone numbers, the records also include information about political opinions and affiliations; data which many other countries classify as protected information.
The GOP Data Leak and HIPAA
While the Deep Root data leak was political in nature, this is an issue that affects healthcare providers and other covered entities even more than it affects the agents of politics.
The HIPAA security guidelines concerning identity verification (45 C.F.R. § 164.514(h)) requires covered entities to “verify the identity of a person requesting protected health information.”
Currently, most organizations in compliance with HIPAA regulations use names, addresses, and birth dates to verify the identity of patients over the phone. This technique is called single factor authentication. Single factor authentication means that the only thing used to verify someone’s identity is a single type of personal knowledge or information.
However, after the GOP data leak alone, this base layer of personal information has been compromised for about two-thirds of the entire US population.
When you factor in other recent leaks, 3 out of 4 people currently reading this article have compromised sensitive personal information. Anyone can easily use this compromised information to assume identities and violate patient information privacy
What We Can Learn from the GOP Data Leak
Covered entities need to start looking beyond authentication with basic personal data in order to avoid identity theft and stay in compliance with HIPAA regulations.
Here are some examples of more robust types of single factor authentication, from most to least secure:
- Complex alphanumeric password
- Personal Identification Number (PIN)
- Personal, unresearchable security questions (e.g. What was your first pet’s name)
- Last four digits of a social security number
Two-Factor Authentication
Though many settle for single factor authentication, the optimal way to verify identity is through a system called two-factor authentication (2FA).
The most common and efficient way to obtain this added layer of protection is through the patient’s cell phone. When a patient calls with a request that requires authentication, a unique code is sent to their smartphone. They must provide this code in addition to the knowledge factor requested.
While this may seem like a huge burden to implement, many options exist. The offerings range from large organizations like AT&T to free DIY options on Github.
Two-factor authentication has become the standard across many industries and, frankly, the healthcare industry is falling behind. Robust authentication measures should be implemented in systems that contain PHI as quickly as possible.
If it seems like two-factor authentication is outside of your organization’s current capability, ensure that at the very least you are no longer using birthday and address to confirm identity.
Takeaways
- Personal information of two-thirds of the American population was leaked by a GOP analytics-firm.
- Birthday, addresses, and basic personal information are no longer viable options to confirm identities.
- Two factor authentication should be implemented where possible.
Do you want to learn more about two-factor authentication or general security for your healthcare organization? We’re here to help!
Give Gazelle Consulting a call at (503) 389-5666 or send us a message!
