The History of Two-Factor Authentication in HIPAA Security Rule

Although the Health Insurance Portability and Accountability Act was passed in 1996, it was not originally written with the privacy of electronic medical records in mind. Before HIPAA, no federal security standard existed to protect patient privacy, and its early privacy provisions were framed around health records generally, most of which were still on paper. As time moves on, so does technology, and advances in healthcare IT over the last decade created a need for a more secure way to handle medical records.

With electronic health records becoming available at cost-effective prices, healthcare facilities have turned to them, and government regulation has increasingly pushed providers toward electronic records. The Security Standards for the Protection of Electronic Protected Health Information, also known as the “Security Rule,” were published in 2003, with compliance required of most covered entities by 2005, and are enforced today. This set of regulations was created to ensure the confidentiality of patient medical information while it is stored or transmitted in electronic form.

Two-factor authentication, a process in which two separate authentication factors (for example, something the user knows and something the user has) are used to verify a user’s identity, was not a required part of the security process established in the HIPAA Security Rule. The rule’s person or entity authentication standard is technology-neutral and does not name a specific mechanism. Over the years, though, two-factor authentication has become the expected way to meet that standard and, in practice, a HIPAA compliance requirement.

Multi-factor authentication first appears in this story in an October 2003 NIST publication, “Guide to Selecting Information Technology Security Products” (SP 800-36), which described what authentication is but did not require implementing any particular form of it. Since electronic medical records were still new and not used in all facilities, no specific authentication requirement was created or enforced.

Then, in April 2006, NIST published “Electronic Authentication Guideline” (SP 800-63), which established four levels of assurance, the higher ones requiring a strong authentication process. Two-factor authentication enters at Level 3, which requires a token in addition to a password: a software token, a hardware token, or a one-time password device. With more hospitals adopting EHRs, the need for more stringent guidelines arose.

Although there were now guidelines describing two-factor authentication, they were not specific about which IT security controls to use. After an audit by the Office of the Inspector General found a need for such controls, the NIST document was revised. The draft revision of the “Electronic Authentication Guideline” released in June 2011 (SP 800-63-1) states the need for two-factor authentication more clearly and spells out the acceptable token types.

The growing need for security in the healthcare industry is clear. Regulating compliance was not always necessary, but with technology changing and government mandates in place, compliance guidelines have kept improving. It doesn’t seem to be over either: a NIST draft from May 2011 titled “Cloud Computing Recommendations” talks, if only vaguely, about multi-factor authentication for cloud access. As technology advances and more ways to store and access data are created, the need for regulation follows. This is especially true as healthcare facilities increasingly adopt and use this new technology.
