Hospital Use of Two-Factor Authentication Solutions

The results of a study on the use of two-factor authentication solutions by non-federal acute care hospitals have recently been published by the Office of the National Coordinator for Health Information Technology. The analysis of ePHI security protection trends showed that just under half of hospitals are now using two-factor authentication solutions to ensure the electronic Protected Health Information (ePHI) of patients is appropriately safeguarded.

53% Increase in Use of Two-Factor Authentication Solutions by Hospitals in the Past 5 Years

The research study analyzed trends over a five-year period from 2010 to 2014. During that time, the implementation of two-factor authentication solutions increased by 53%. Back in 2010, this important security control had only been adopted by 32% of non-federal acute care hospitals. However, the number of hospitals adopting this security measure has been steadily increasing. In 2011 the figure stood at 35%, in 2012 it had risen to 40%, and by 2013 it had reached 44%.

The study shows a high degree of variation in adoption levels from state to state, ranging from 19% of hospitals using the security measure (Montana) to 93% (Ohio). Vermont, Delaware, Alabama, Florida, Virginia, Colorado, Utah and Wyoming all had a good percentage of hospitals using the security control: in each of those states, over 60% of non-federal acute care hospitals had two-factor authentication solutions in place.

Arkansas, West Virginia, Indiana, New Mexico, Louisiana, Kansas, Kentucky, South Dakota, North Dakota, Alaska, Washington, and Montana did not fare so well. All of those states had lower than 40% adoption by hospitals.

HIPAA regulations are intended only as a data security baseline. The requirements laid down in the legislation must be met but preferably exceeded. HIPAA regulations do not demand that covered entities use two-factor authentication solutions to keep the ePHI stored in their EHRs secure, as there are other controls that can be implemented to make sure that only authorized individuals are able to gain access to patient health data. In fact, the majority of healthcare providers use other methods to secure their records.

Over the course of the past two years, the number of data privacy incidents suffered by hospitals has increased. Employees are frequently discovered to have inappropriately accessed the ePHI of patients, and data theft continues to be a major problem for HIPAA-covered entities. Hacking has increased, and hospitals now have to implement security protections to deal with a much broader attack surface, while the threat landscape is constantly changing. Keeping the “crown jewels” safe is therefore of paramount importance. Two-factor authentication solutions can help in this regard.

Unfortunately, healthcare providers are having to cope with an increase in the cost of healthcare provision, and budgets are stretched. The funds available for IT and data security are therefore limited. Budgetary restrictions are felt more by smaller healthcare providers, which are less likely to be able to commit major funds to improving data security.

The results of the study highlight this clearly. Small healthcare facilities, especially small rural hospitals, have not implemented two-factor authentication as much as large urban hospitals. Only 40% of small rural hospitals have two-factor authentication capabilities according to the study. Only 35% of critical access facilities use this security measure. 63% of larger hospitals in urban locations are now using two-factor authentication solutions to better safeguard their critical data.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news