Make some new priorities related to cyberattacks and hacking. You may be getting a false sense of HIPAA security if you are requiring only passwords to access your agency’s private data. Healthcare has become a frequent victim to intimidation from digital criminals, and though completely breach-proofing your agency is not possible, you can greatly cut down on the likelihood of an infraction. Putting a plan in place to verify users on your agency’s devices is a good place to start. What is Authentication? According to the HHS Office for Civil Rights, “authentication is a process used to verify whether someone or something is who or what it purports to be in the electronic context, while keeping unauthorized people or programs from gaining access to information,” an OCR report from October 2016 says (see the full report at www.hhs.gov/sites/default/files/november-2016-cyber-newsletter.pdf). As HIPAA violations continue to pile up, wreaking havoc on the healthcare industry, it’s never been more critical to verify staff, set up passwords, and put plans into place. In fact, the HIPAA Security rule requires that “reasonable and appropriate authentication procedures” be initiated to protect the ePHI of patients, and if for one reason or another, your agency is privy to a breach, you’ll be held accountable for your lack of authentication guidelines. Risk analysis: Assessing your agency risk and where data is lost is the initial step toward eradicating ePHI loss. For starters, a quarterly, in-house audit of all devices and software helps stave off digital mayhem. It is wise to engage the services of a certified health IT firm or law group to do a risk analysis of your systems, too. Hackers are a step ahead of private providers, and providers easily fall victim to them, says attorney Clinton Mikel of The Health Law Partners in Southfield, Mich. “If the OCR investigates and finds over 500 individuals were affected, the first thing they will look for is the security risk analysis.” Know These Two Types Of Verification Single-factor and multi-factor authentication are two types of password control, OCR suggests. Once you complete a risk analysis, the potential for cyberattack is easily assessed and you can go about organizing a plan for passwords and access. Single-factor authentication refers to the requirement of only one set of credentials for access — like a password associated with something in the office — to a device, network, or system. This type of verification is considered weaker than multi-factor authentication, which requires two or more things to allow a covered entity access. For example, staff might need a keycard to enter the office, fingerprint verification to turn devices on, and a password to log into the system. When putting together your HIPAA compliance plan, consider these authentication ideas to increase ePHI security: Tip: Before setting up a plan or even hiring a certified health IT expert, take a look at the ONC’s helpful Security Risk Assessment Tool. The tool gives advice, breaks down HIPAA compliance for novices, and offers information on how to audit your practice safety and security measures. See the tool at www.healthit.gov/providersprofessionals/security-risk-assessment-tool.