ONC: Less than half of hospitals support two-factor authentication

A new data brief from the Office of the National Coordinator (ONC) reveals that less than half of U.S. hospitals support an infrastructure capable of two-factor authentication.

Just over one-third (35 percent) of critical access hospitals and 40 percent of small rural hospitals report the lowest levels of capability.

Two-factor authentication means users are required to provide another form of identification beyond username and password to access protected information. That can include a PIN and fingerprint or voice recognition. It's meant to be a low-cost, effective way to meet HIPAA standards, but not enough hospitals have implemented it into their cybersecurity plans, ONC said.

"As electronic health information becomes more widely available, proper security measures must be implemented to ensure the information is only accessible to those with the rights to access it," according to the report.

Hospital support for two-factor authentication has increased by 53 percent since 2010, the report said, but adoption levels are still very low, especially considering the increase in cybersecurity threats and data breaches in healthcare. Only half of small urban hospitals have two-factor authentication capability, while 59 percent of medium and 63 percent of large institutions were capable. Reporting of two-factor authentication is much higher in these larger provider systems.

"HIPAA offers two-factor authentication as a possible method to provide security to electronically protected health information," according to the report, requiring "covered entities to verify that a person seeking access to electronic protected health information has authorization."

When broken down by state, Ohio ranked at the top with 93 percent adoption, followed Vermont at 83 percent and Delaware at 81 percent. At the other end is Montana with 19 percent, North Dakota with 23 percent, and Maine with 26 percent.