🏥 HIPAA 164.312(d) [critical]

Person or Entity Authentication

Description

Implement procedures to verify that a person seeking access to ePHI is the person claimed.

⚠️ Risk Impact

Without strong authentication, unauthorized persons can access patient records.

🔧 Remediation

Enforce MFA for all users accessing ePHI systems.

💀 Real-World Attack Scenario

A phishing email impersonating the hospital IT department captured credentials from 23 clinical staff. Without MFA, attackers accessed the EHR system and downloaded 180,000 patient records including treatment histories, lab results, and insurance information. The breach required notification of all affected patients under HIPAA.

💰 Cost of Non-Compliance

HHS reports that 90% of healthcare breaches begin with compromised credentials. Average healthcare breach cost: $10.93M (the highest of any industry). Patient notification costs alone: $2 to $5 per record, multiplied by the number of affected patients.

📋 Audit Questions

  1. Is MFA enforced for ALL users accessing ePHI?
  2. What authentication methods are accepted?
  3. How are authentication failures monitored?
  4. Is biometric authentication used for high-risk systems?

🎯 MITRE ATT&CK Mapping

  • T1078 — Valid Accounts
  • T1566 — Phishing

⚡ Common Pitfalls

  • MFA for cloud access but not for EHR/clinical application logins
  • SMS-based MFA that is vulnerable to SIM swapping
  • Not requiring re-authentication for sensitive operations within a session

📈 Business Value

Healthcare MFA prevents 99.9% of credential-based attacks on patient data. It's the most cost-effective defense against the industry's #1 breach vector.

⏱️ Effort Estimate

Manual

4-8 hours to deploy and configure MFA across all ePHI systems

With EchelonGraph

EchelonGraph monitors MFA enforcement across all cloud accounts

🔗 Cross-Framework References

  • SOC2-CC6.1
  • ISO27001-A.9.4.2
  • PCI-8.3.1

Automate HIPAA 164.312(d) compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
