In our last post, we discussed the growing role of two-factor authentication (2FA) in university security as more and more federal regulations are advocating or flat-out mandating its implementation.
While part one looked at PCI DSS and NIST SP-800-171, today’s post will delve into two more regulations that affect higher education institutions—HIPAA and GLBA—and what you need to know when it comes to their authentication requirements and compliance.
We’ll also talk about ways you can get started with 2FA if you haven’t already implemented this technology.
HIPAA and the HITECH Act
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996. It was written to protect the privacy of patient data and to safeguard sensitive medical information. HIPAA dictates who can access healthcare records, and it establishes a set of patient standards for protected health information and medical records. These standards detail how healthcare providers should collect and store patient information (electronically or otherwise).
The Health Information Technology for Economic and Clinical Health (HITECH) Act was passed in 2009 as part of the American Recovery and Reinvestment Act of 2009. This legislation’s overarching goal is to promote the adoption and use of health information technology. However, Subtitle D of the HITECH Act deals with the privacy and security ramifications of transmitting health information electronically. Its provisions strengthen the civil and criminal enforcement of HIPAA rules. The HITECH Act introduced mandatory federal security breach reporting requirements and expanded penalties for non-compliance.
What are the consequences if you don’t comply with HIPAA? There are steep fines—you could pay anywhere from $100 to $50,000 per record or violation. The maximum penalty is a staggering $1.5 million per year, per violation. You can be fined for non-compliance even if there’s no breach of electronic protected health information (EPHI).
Where FERPA Ends and HIPAA Begins
You may be wondering when HIPAA applies to colleges and universities, because there is overlap with FERPA (Family Educational Rights and Privacy Act). Both of these pieces of legislation are designed to protect individuals’ information and prevent anyone without authorization from accessing that data.
FERPA applies to most institutions of higher education. Because of this, student records from campus health clinics are treated as education records or treatment records under FERPA. Both of those categories are excluded from coverage under the HIPAA Privacy Rule, even if the school is covered by HIPAA. However, if a university has a hospital, these student health records typically fall under HIPAA.
The Connection Between 2FA and HIPAA
In HIPAA Security Series #2 - Administrative Safeguards, Standard 164.308(a)(4) — Information Access Management — doesn’t specifically mandate 2FA. That being said, an organization that falls under HIPAA rules is responsible for protecting EPHI from unauthorized access, and the Information Access Management standard includes access authorization. The Access Authorization implementation specification states that an organization must have a management system in place to authorize workforce members who have access to EPHI via a workstation, transaction, program, process, or other mechanism.
HIPAA’s Information Access Management standard also includes an Access Establishment and Modification specification, which states that an organization must implement policies and procedures to establish, document, review, and modify user access rights to ensure that the appropriate level of access is granted at all times.
Both the Access Authorization and Access Establishment and Modification implementation specifications are deemed “addressable,” meaning that organizations covered by HIPAA must take reasonable and appropriate measures to fulfill these requirements.
Additionally, in HIPAA Security Series #4 - Technical Safeguards, standard 164.312(d) — Person or Entity Authentication — requires organizations to “implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.” The standard outlines several ways an organization can do this:
- Require something known only to that individual, such as a password or PIN.
- Require something that individual possesses, such as a smart card, a token, or a key.
- Require something unique to the individual, such as a biometric. Examples of biometrics include fingerprints, voice patterns, facial patterns, or iris patterns.
While this provision acknowledges that “the password is the most common way to obtain authentication to an information system,” it goes on to state that covered entities should consider “what level or type of authentication is reasonable and appropriate for each information system with EPHI” and therefore “may want to explore other authentication methods.”
The Gramm-Leach-Bliley Act (GLBA)
The GLBA, also known as the Financial Modernization Act of 1999, regulates how financial institutions that offer products and services—such as loans, financial or investment advice, or insurance—protect consumers’ personal information. GLBA mandates that institutions explain their information-sharing practices to customers, as well as how they safeguard sensitive data.
When you think of financial institutions, the first to come to mind might be banks or credit card companies. However, higher education institutions also handle students’ financial information, meaning that GLBA applies to them, too.
There are some harsh penalties for non-compliance with the GLBA. Institutions can face fines of up to $100,000 per incident. Officers and directors can be fined individually, $10,000 per person, and face imprisonment of up to five years.
Complying with the Privacy and Safeguards Rules
GLBA requires that institutions comply with two important rules: the Financial Privacy Rule and the Safeguards Rule.
The Financial Privacy Rule states that you have to provide a notice to consumers explaining your privacy policies and practices.
The Safeguards Rule requires institutions to implement and maintain a comprehensive written information security program. Private information has to be secured so that unauthorized individuals can’t access it. It also mandates that user activity must be tracked, including any attempts to access protected records.
FFIEC Guidelines for 2FA
While the GLBA doesn’t specifically dictate that you implement 2FA, the Federal Financial Institutions Examination Council (FFIEC), which is responsible for providing guidelines for evaluating financial institutions’ compliance with GLBA regulations, strongly advocates implementing 2FA. The FFIEC considers single-factor authentication insecure for transactions involving access to customer information or the movement of funds to other parties.
The FFIEC offers guidance on how to use 2FA to strengthen the security of systems. This guidance states that authentication methods used to verify online customers should be appropriate to the risk level of a given situation: “Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multi-factor authentication, layered security, or other controls reasonably calculated to mitigate those risks.”
How Can You Get Started with 2FA?
Regulations relating to institutions of higher education all have different requirements. Some of them require 2FA and promise steep fines for non-compliance, while others have authentication guidelines without mandating specific 2FA requirements.
Regardless, the trend is moving toward more stringent authentication, meaning that implementing 2FA may no longer be optional. Clearly, 2FA is a best practice and is critical for security and compliance in higher education.
For more information on implementing 2FA at colleges and universities, check out our blog post on MFA in higher ed, our post on how higher ed institutions can address cybersecurity threats, and the first blog post of our MFA 101 series.