Cove Central - OUR BLOG

Did you know Passkeys are HIPAA Compliant?

Written by Admin | Mar 31, 2023 4:00:00 AM

Passkey authentication exceeds HIPAA requirements

As a method of authentication, passkeys exceed HIPAA requirements, and this is great news for both covered entities (CEs) and business associates (BAs) looking to add an extra layer of enterprise security to their digital communications. The Department of Health and Human Services lists three ways to verify a user’s identity. Each user must sign in with one of the following:

• a password or PIN only known to the user

• a smart card or key

• a fingerprint or facial image

Additionally, one of the Access Control Security Standard (§164.312(a)) implementation specifications requires CEs to assign a unique name and/or number for identification and tracking. Verification doesn’t need to be password-based: usernames with biometric authentication satisfy this requirement. Passkeys are far more secure than passwords because they require individual authentication for each user in every application: every challenge the server sends is a new challenge, so the cryptographic response is unique every time a user signs in. The HIPAA Security Rule password requirements are based on NIST guidelines, but it’s acceptable to substitute alternative controls equal to or greater than the HIPAA requirement. Passkeys are a more secure method of authentication and exceed the HIPAA control.
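The per-login challenge described above, as an added example rather than code from Cove Central or its phone system: a Go model in which the relying party (server) keeps only the registered public key and issues a fresh random challenge for each sign-in, the authenticator (device) answers with an ECDSA P-256 signature over it, and the server consumes the challenge on first use so a captured response cannot be replayed. The single-credential layout, the function names and the use of a bare hashed challenge in place of WebAuthn's full signed message are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// RelyingParty is the server side of a passkey login for one registered credential.
// It stores only the public key and mints a fresh random challenge for every sign-in.
type RelyingParty struct {
	pubKey  *ecdsa.PublicKey // registered at enrolment; the private half stays on the device
	pending []byte           // outstanding challenge, single use, nil when none is open
}

// NewPasskey creates the device-bound key pair; only the public half is ever shared.
func NewPasskey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only if rand.Reader does
	return k
}

// BeginLogin issues a new 32-byte challenge, replacing any earlier one.
func (rp *RelyingParty) BeginLogin() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand never returns an error (Go 1.24+)
	rp.pending = c
	return c
}

// FinishLogin checks the signature over the outstanding challenge, then consumes it.
func (rp *RelyingParty) FinishLogin(challenge, sig []byte) error {
	if rp.pending == nil || string(rp.pending) != string(challenge) {
		return errors.New("unknown, stale or replayed challenge")
	}
	rp.pending = nil // consumed even on failure: a captured response is useless later
	d := sha256.Sum256(challenge)
	if rp.pubKey == nil || !ecdsa.VerifyASN1(rp.pubKey, d[:], sig) {
		return errors.New("signature does not verify for the registered passkey")
	}
	return nil
}

// SignChallenge is the authenticator side; hashing the raw challenge stands in for
// WebAuthn's authenticatorData || SHA-256(clientDataJSON) message.
func SignChallenge(priv *ecdsa.PrivateKey, challenge []byte) []byte {
	d := sha256.Sum256(challenge)
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, d[:]) // fails only if rand.Reader does
	return sig
}
```

Because the challenge is random and consumed, a logged or intercepted response from one sign-in verifies against nothing the server will ever ask for again, which is the property the paragraph above relies on.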

Passkeys have, more or less quietly, become available on all platforms, and users are adopting them. They create a better user login experience and significantly enhance the security of the PBX, and any current browser or OS is already prepared for passkey use.

Any organization working in healthcare has the responsibility to be HIPAA compliant, including CEs and BAs. We offer a feature-rich cloud phone system that has been HIPAA-compliant since 2020. We give you a full suite of robust business telephony tools, including auto attendant, SMS, paging, separation of personal and work calls, conference calls, call recording, CRM (HubSpot) integration and Microsoft Teams integration. You can move your phone system to the cloud without having to duplicate your IT infrastructure.

To find out more about how we can help you maintain HIPAA compliance, contact us at info@covecentral.com.