HIPAA Blog

[ Thursday, October 27, 2005 ]

 

Deter potential wrongful access: If your operations are large and geographically dispersed, you probably have the ability for offsite users to link in, usually via password protection. But you also will have calls from offsite users who don't have or forgot their password (especially if they're only occasionally accessing the home network). That's a good way for unauthorized users to seek to get improper access, by pretending to be an offsite worker who forgot a password. This is more of a problem for financial institutions than healthcare institutions (as I've said before, most healthcare information isn't that valuable, but personal and financial information -- social security numbers, account numbers, and the like -- is), but to the extent you have that type of valuable information, the risk is still there.

Medical NewsWire's recent email blast had a good post on this, which I've cut and pasted below. Check it out, and think about those issues. There are other instances where you want to "authenticate" the identity of a seeker of information, whether they are posing as a remote staff member or a referring physician's office. These are some good tips.



Shoddy authentication procedures could allow data thieves to make off with your patients' data -- especially when providing password support to offsite employees. Provide your tech team with these pointers to ensure they properly verify all users before handing out sensitive information.

Authenticate All Remote Users

Your technology staff member may recognize a remote user's name or voice and be tempted to skip over your authentication procedures. But you must impress upon all staffers the importance of verifying each and every caller before giving them any password information, says Frank Ruelas, compliance officer with Gila River Health System in Sacaton, AZ.

Experts offer these field-tested examples as possible security questions for your staff members:

* Question #1: Can you provide two types of identification?

"We used to ask for the last four digits of users' Social Security numbers," says Michael Gagnon, director of infrastructure and security officer for Fletcher Allen Health Care in Burlington, VT.

With the increased focus on security, Gagnon says he now assigns his users a Personal Identification Number to use instead of the Social Security number. You should ask for at least two forms of identification to make it more difficult for data thieves to hack into your system.

Try these other methods of identification: Hire date, home telephone number, number of years employed or badge number. Good idea: Note in your policy what type of ID you'll require so that remote users can be prepared with answers.

Watch out: Crooks can easily obtain employee information through social engineering, Gagnon warns. If your user produced two pieces of commonly hijacked information -- such as a Social Security number and a department telephone number -- you should request a further method of authentication.

* Question #2: How many clinicians are on schedule today?

If you have any doubts about a caller's authenticity, ask them a site-specific question, Gagnon suggests. The best question? "A tricky one, such as 'How is Dr. O'Brien doing?' when there is no Dr. O'Brien at that site," he offers. You can also ask about a personnel type if you know there is no need for those staffers at the site -- such as asking someone claiming to be a home user about lab techs or asking a home health worker about visiting physicians.

* Question #3: What are the names of two documents you worked on yesterday?

You can also ask the caller to pinpoint a file they modified or an e-mail they sent in the past 24 hours, Ruelas advises. "It's rare that a hacker would notice these types of small details," he explains.

Call Users Back With Answers

If the remote user correctly answers your authentication questions, your tech staffer can reset her password and share the new information with her. But don't do it all in one phone call. "Contact the user through a telephone number you can verify, such as her cell phone or pager number," Ruelas recommends.

Important: Configure your system to accept the temporary password only once. Then set up a continuous loop that forces the users to create a unique, strong password that no one else knows.

The Bottom Line: Your offsite employees will inevitably forget their passwords or enter them incorrectly enough times to cause your system to lock down their accounts. By coaching your staffers on how to handle legitimate callers, you'll stand a better chance of weeding out any criminals trying to steal your patients' PHI.

Jeff [10:37 AM]
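
The reset procedure described above (two identifiers, with a further check when both are commonly hijacked, then a temporary password that works once and forces a new one), as an added example that is not part of the original post or the newsletter. The field names, the `WEAK_FACTORS` set, the `Account` class and the password strength rule are assumptions made for illustration.

```python
import hashlib, hmac, secrets

# Assumption (added example): identifiers the article calls commonly hijacked.
WEAK_FACTORS = {"ssn_last4", "dept_phone"}

def caller_verified(record, answers):
    """Two correct identifiers, at least one of them not in WEAK_FACTORS."""
    correct = {k for k, v in answers.items() if k in record and
               hmac.compare_digest(str(record[k]).encode(), str(v).encode())}
    return len(correct) >= 2 and bool(correct - WEAK_FACTORS)

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self.temp_hash = None
        self.must_change = False

    def issue_temp_password(self):
        """Help-desk reset: old password is revoked, temp is stored hashed."""
        temp = secrets.token_urlsafe(9)
        self.temp_hash, self.pw_hash = _digest(temp, self.salt), None
        return temp  # read out only on the call-back to a number on file

    def login(self, password):
        d = _digest(password, self.salt)
        if self.temp_hash and hmac.compare_digest(d, self.temp_hash):
            self.temp_hash = None   # temporary password is accepted only once
            self.must_change = True
            return "change_required"
        if self.pw_hash and hmac.compare_digest(d, self.pw_hash):
            return "ok"
        return "denied"

    def set_password(self, new_password):
        """Allowed only in the forced-change state; caller loops until True."""
        # Assumed strength rule: 12+ characters including a non-alphanumeric one.
        if not self.must_change or len(new_password) < 12 or new_password.isalnum():
            return False
        self.pw_hash = _digest(new_password, self.salt)
        self.must_change = False
        return True

if __name__ == "__main__":  # constructed sample record and answers
    rec = {"pin": "4471", "badge": "B-2231", "ssn_last4": "1234"}
    print(caller_verified(rec, {"pin": "4471", "ssn_last4": "1234"}))
```

Because the temporary password is consumed on first use, a user who disconnects before choosing a new password has to go through the help-desk verification again.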
