June 2023 HHS OCR Cybersecurity Newsletter

The Office of Health and Human Services Office of Civil Rights published their Quarterly Cybersecurity newsletter discussing HIPAA and Cybersecurity Authentication. Below is the newsletter in its entirety as well as resources.

OCR HIPAA Cybersecurity Newsletter

Strong authentication processes are often analogized to a locked door in the cyber world. Weak or non-existent authentication processes leave your digital door open to intrusion by malicious actors and increase the likelihood of potential compromise of sensitive information – including electronic protected health information (ePHI).1 Robust authentication serves as the first line of defense against malicious intrusions and attacks, yet a recent analysis of cyber breaches reported that 86% of attacks to access an organization’s Internet-facing systems (e.g., web servers, email servers) used stolen or compromised credentials.2 Effective authentication ensures that only authorized individuals or entities are permitted access to an organization’s information systems, resources, and data. This newsletter focuses on how to lock your cyber door to best prevent and deter cyber-attacks.

Poor authentication practices have been identified as contributing to many recent high profile cyber-attacks and data breaches. In 2021, a major food company that processes approximately 20% of the United States’ meat supply temporarily shut down several plants in response to a ransomware attack where the perpetrator gained initial access by compromising an old administrator account protected with only a “weak password.”3 A major fuel pipeline was also shut down in 2021 due to a ransomware attack that “started with a single stolen password linked to an old user profile.”4

Stronger authentication processes can impede or prevent many cyber-attacks – especially attacks that rely on the use of weak or stolen passwords.

What is Authentication?
Authentication is “the corroboration that a person is the one claimed.”5 This corroboration of one’s identity is the prerequisite to allow access to resources (e.g., computer systems, data) to only those authorized for such access. The classic model of authentication involves the presentation of credentials which typically includes an identifier (e.g., username) and one or more authentication factors. Historically, three factors form the cornerstones of authentication:6

  • Something you know (e.g., password, personal identification number (PIN))
  • Something you have (e.g., smart ID card, security token)
  • Something you are (e.g., fingerprint, facial recognition, other biometric data)

Single factor authentication requires only one of the factors listed above, usually a password (i.e., something you know). Multi-factor authentication requires the use of two or more distinct factors. Two-factor authentication is multi-factor authentication where two distinct factors are required. Authentication that requires a user to present multiple instances of the same factor is not multi-factor authentication. For example, an authentication process requiring a password and PIN is not multi-factor authentication because both factors are “something you know”.7

Multi-factor authentication makes it more difficult for an attacker to gain unauthorized access to information systems, even if an initial factor such as a password or PIN is compromised, because the requirement of one or more additional distinct factors reduces the likelihood that an attacker will be successful. Not all multi-factor authentication solutions are equally effective, and some may be more prone to compromise than others.

For example, the Cybersecurity and Infrastructure Security Agency (CISA) recommends implementing phishing resistant multi-factor authentication.8 Phishing is a type of online scam that entices users to share private information using deceitful or misleading tactics.9 Phishing resistant multi-factor authentication is designed to detect and prevent disclosures of authentication data to a website or application masquerading as a legitimate system.10  An example of phishing resistant multi-factor authentication would require a password or user biometric data coupled with a phishing resistant authenticator such as a Personal Identity Verification (PIV) card11 or other cryptographic hardware or software based token authenticator (e.g.,  Fast Identity Online (FIDO) with WebAuthn authenticator).12 The layered defense of a properly implemented multi-factor authentication solution is stronger than single factor authentication such as relying on a password alone.

Cyber-attacks often begin with a compromised password that is used to gain initial access to an electronic information system. A password can be compromised in many ways, for example, by a software account using a default password that is well-known and circulating on the internet, as a result of a successful phishing attack, or due to a prior breach. Once inside, attackers can exploit known, unpatched vulnerabilities or inadequate security configurations to escalate privileges and move freely within an organization’s network seeking and accessing sensitive data – including ePHI.

Many organizations whose mission involves increasing the cybersecurity posture of their industry or the nation have extolled the benefits of multi-factor authentication. The National Institute of Standards and Technology (NIST) advocates for increased use of multi-factor authentication by small businesses stating that “it is necessary to add more layers of authentication beyond a password to ensure that accounts remain secured.”13 CISA recommends that all organizations “[v]alidate that all remote access to the organization’s network and privileged or administrative access requires multi-factor authentication” as part of its “Shields Up” guidance.14  The U.S. Department of Health & Human Services (HHS) 405(d) Task Group15 recognized the importance of multi-factor authentication by encouraging its use for remote access to systems and to email as best practices in its suite of publications in April 2023, Health Industry Cybersecurity Practices161718.

Recently, CISA published the results of a red team exercise19 it undertook. Although the red team was able to gain access to the assessed organization’s computer systems and move laterally within its network, there were instances where the assessed organization’s implementation of multi-factor authentication impeded further penetration by the red team (“However, a multifactor authentication (MFA) prompt prevented the team from achieving access to one SBS [sensitive business system], and Phase I ended before the team could implement a seemingly viable plan to achieve access to a second SBS. . . . Using a similar tunnel setup described above, the team attempted to log into SBS 2. However, a prompt for a multi-factor authentication passcode blocked this attempt.”)20 Unsurprisingly, one of CISA’s recommendations following the exercise is for organizations to “[e]nforce phishing-resistant multi-factor authentication to the greatest extent possible.”21

Authentication and HIPAA
The HIPAA Security Rule requires HIPAA covered entities and business associates (“regulated entities”) to implement authentication procedures “to verify that a person or entity seeking access to electronic protected health information is the one claimed.”22 Even though regulated entities must ensure the confidentiality, integrity, and availability of all of their ePHI,23 non-compliance with the Security Rule’s authentication standard continues to leave regulated entities vulnerable to successful cyber-attacks and breaches of ePHI. The HHS Office for Civil Rights (OCR) recently announced a resolution agreement with Banner Health to resolve issues of potential HIPAA non-compliance, including “failure to implement an authentication process to safeguard its electronic protected health information”, that included payment of $1.25M and implementation of a corrective action plan to be monitored by OCR for two years.24

In keeping with the HIPAA Security Rule’s design – PDF to be flexible, scalable, and technology neutral, the authentication standard does not prescribe the implementation of specific authentication solutions. Instead, a regulated entity’s risk analysis should inform its selection and implementation of authentication solutions that sufficiently reduce the risks to the confidentiality, integrity, and availability of ePHI. Different touchpoints for authentication throughout a regulated entity’s organization may present different levels of risk, thus requiring the implementation of authentication solutions appropriate to sufficiently reduce risk at those various touchpoints. For example, remote access to a regulated entity’s information systems and ePHI may present a greater risk than access in person, thus stronger authentication processes (e.g., multi-factor authentication) may be necessary when permitting or expanding remote access to reduce such risks sufficiently. CISA recommends that organizations consider implementing multi-factor authentication solutions on their “Internet-facing systems, such as email, remote desktop, and Virtual Private Network (VPNs).”25

It is not only remote access that may present greater risks to ePHI, however. Privileged accounts (e.g., administrator, root, system administrator, or any account with elevated access rights) or tools that manage privileged access (e.g., Privileged Access Management tools) provide elevated access to authorized users that could override existing access controls protecting ePHI, and thus present risks to ePHI if accessed by unauthorized individuals. Similarly, tools that support a regulated entity’s technology infrastructure, such as virtual machine managers or storage area network tools, may present additional risks to the confidentiality, integrity, and availability of ePHI if accessed by unauthorized individuals. Authentication processes controlling access to such accounts and tools should be properly assessed to ensure that the regulated entity’s implemented authentication procedures are sufficient to reduce risk.

Further, a regulated entity’s HIPAA obligations regarding authentication do not end with its implementation of authentication procedures. Regulated entities maintain an ongoing obligation to review and modify the security measures implemented under the Security Rule – including the person or entity authentication standard – to ensure implemented security measures continue to provide reasonable and appropriate protection of ePHI.26 

HIPAA regulated entities are required to implement authentication solutions of sufficient strength to ensure the confidentiality, integrity, and availability of their ePHI. A regulated entity’s risk analysis should guide its implementation of authentication solutions to ensure that ePHI is appropriately protected. As a best practice, regulated entities should consider implementing multi-factor authentication solutions, including phishing-resistant multi-factor authentication, where appropriate to improve the security of ePHI and to best protect their information systems from cyber-attacks.


* This document is not a final agency action, does not legally bind persons or entities outside the Federal government, and may be rescinded or modified in the Department’s discretion.


1  See 45 CFR 160.103 (definition of “Electronic Protected Health Information”).

2  Verizon. 2023 Data Breach Investigations Report. (June 2023, p. 35). Available at https://www.researchgate.net/publication/371445421_DBIR_2023_Data_Breach_Investigations_Report_10K_20K_30K_About_the_cover .  

3  United States House of Representatives, Committee on Oversight and Reform, Supplemental Memo on Committee’s Investigation into Ransomware. (November 2021, p. 3). Available at https://docs.house.gov/meetings/GO/GO00/20211116/114235/HHRG-117-GO00-20211116-SD005.pdf – PDF.

4  Id.

5  See 45 CFR 164.304 (definition of “Authentication”).

6  National Institute of Standards and Technology (NIST). Special Publication 800-63-4: Digital Identity Guidelines (Initial Public Draft).  (December 2022, p. 17). Available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-4.ipd.pdf – PDF.

7  Id.

8  Cybersecurity and Infrastructure Security Agency (CISA), Implementing Phishing-Resistant MFA. (October 2022). Available at https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf – PDF.

9  CISA, Malware, Phishing, and Ransomware, available at https://www.cisa.gov/topics/cyber-threats-and-advisories/malware-phishing-and-ransomware.

10  Office of Mgmt. & Budget, Exec. Office of the President, OMB Memorandum M-22-09, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles (January 2022, p. 5).  Available at https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf – PDF.

11  “The FIDO protocols use standard public key cryptography techniques to provide stronger authentication. During registration with an online service, the user’s client device creates a new key pair. It retains the private key and registers the public key with the online service. Authentication is done by the client device proving possession of the private key to the service by signing a challenge. The client’s private keys can be used only after they are unlocked locally on the device by the user. The local unlock is accomplished by a user–friendly and secure action such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second–factor device or pressing a button.” See https://fidoalliance.org/how-fido-works/ .  See also  https://www.nist.gov/identity-access-management/personal-identity-verification-piv.

12  NIST. NIST Update: Multi-Factor Authentication and SP 800-63 Digital Identity Guidelines (February 2022). Available at https://csrc.nist.gov/csrc/media/Presentations/2022/multi-factor-authentication-and-sp-800-63-digital/images-media/Federal_Cybersecurity_and_Privacy_Forum_15Feb2022_NIST_Update_Multi-Factor_Authentication_and_SP800-63_Digital_Identity_%20Guidelines.pdf – PDF.  

13  NIST. SMALL BUSINESS CYBERSECURITY CORNER: What is Multi-Factor Authentication? (January 2022). Available at https://www.nist.gov/itl/smallbusinesscyber/guidance-topic/multi-factor-authentication.

14  CISA. Shields Up: Guidance for Organizations. (February 2022). Available at https://www.cisa.gov/shields-guidance-organizations.

15  The U.S. Department of Health & Human Services 405(d) Task Group is a collaborative effort that includes members from the U.S. Department of Health and Human Services (HHS), Department of Homeland Security (DHS), the National Institute of Standards and Technology (NIST), Health Sector Coordinating Council (HSCC), and cybersecurity and healthcare experts.

16  HHS 405(d) Task Group. Technical Volume 1: Cybersecurity Practices for Small Health Care Organizations. (April 2023, pp. 10,15). Available at https://405d.hhs.gov/Documents/tech-vol1-508.pdf – PDF.

17  HHS 405(d) Task Group. Technical Volume 2: Cybersecurity Practices for Medium and Large Health Care Organizations. (April 2023, pp. 16,41). Retrieved from https://405d.hhs.gov/Documents/tech-vol2-508.pdf – PDF.

18  HHS 405(d) Task Group. Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients. (April 2023). Available at https://405d.hhs.gov/Documents/HICP-Main-508.pdf – PDF.

19  “An exercise, reflecting real-world conditions that is conducted as a simulated adversarial attempt to compromise organizational missions or business processes and to provide a comprehensive assessment of the security capabilities of an organization and its systems.” See NIST Information Technology Laboratory, Computer Security Resource Center, Glossary, available at https://csrc.nist.gov/glossary/term/red_team_exercise.

20  CISA. CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks. (February 2023). Available at https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-059a.

21  Id.

22  45 CFR 164.312(d): Standard: Person or entity authentication.

23  See 45 CFR 164.306(a)(1). HIPAA covered entities and business associates must ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit.

24  HHS OCR. HHS Office for Civil Rights Settles HIPAA Investigation with Arizona Hospital System Following Cybersecurity Hacking. (February 2023). Available at https://www.hhs.gov/about/news/2023/02/02/hhs-office-for-civil-rights-settles-hipaa-investigation-with-arizona-hospital-system.html.

25  CISA. Multi-Factor Authentication Fact Sheet. (January 2022). Available at https://www.cisa.gov/sites/default/files/publications/MFA-Fact-Sheet-Jan22-508.pdf – PDF.

26  See 45 CFR 164.306(e): Maintenance.”

Leave a Reply