
I was told by a vendor that there's new guidance effective in 2017 that mandates Multi-Factor Authentication for all systems that host PHI. They said that things like white-listing IP addresses was good enough to satisfy this requirement. Is this just a vendor trying to sell me something? Or is there really updated guidance on this issue?

1 Answer


HIPAA doesn't explicitly mandate MFA, but because of updates to NIST guidance (SP 800-63), it would be very reasonable to argue that a solution without MFA is deficient to meet something like § 164.312(d), and therefore does not meet HIPAA requirements.

That said, whitelisting IPs is a pretty mediocre security solution and is definitely not considered to be MFA.

Jesse K

Whitelisting an IP can be MFA. Then you have 2 factors, the "source computer" (the whitelisted IP) + the password used to log in. The only thing is that you need to use an encrypted, TCP-based protocol and NOT a UDP-based protocol. Whitelisting the IP in TCP works like whitelisting a phone number and then doing a callback, which is ALLOWED (this is how police and government get information from health records when there's a crime investigation going on). – sebastian nielsen Aug 02 '17 at 08:13
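The distinction the answer draws between an IP allowlist and a second authentication factor, as an added example that is not part of the original question, answer or comment: one login check gated by a source-address allowlist plus a password, beside one that requires the password plus a TOTP code (RFC 6238, implemented here with the standard library). The allowlisted office NAT address, the user records, the TOTP secrets and the "leaked password" scenario are all constructed for this illustration.

```python
"""Added example: an IP allowlist plus a password versus a password plus a
TOTP code.  All addresses, users, secrets and the attack scenario below are
constructed for this illustration; nothing here is from the original post."""
import hashlib
import hmac
import ipaddress
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the 30-second time step."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to absorb clock skew."""
    counter = int(at_time) // 30
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


# Constructed sample data.  The allowlist holds one office NAT address;
# every user in the building leaves through it, so the address says where a
# request came from, not who sent it.
ALLOWLIST = [ipaddress.ip_network("203.0.113.10/32")]
_SALT = b"example-salt"  # fixed salt only to keep the example short


def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {
    "alice": {"pw": _pw_hash("correct horse"), "totp_secret": b"12345678901234567890"},
    "bob":   {"pw": _pw_hash("battery staple"), "totp_secret": b"0987654321"},
}


def source_allowed(src_ip: str) -> bool:
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in ALLOWLIST)


def password_ok(username: str, password: str) -> bool:
    user = USERS.get(username)
    return user is not None and hmac.compare_digest(user["pw"], _pw_hash(password))


def login_allowlist_and_password(username: str, password: str, src_ip: str):
    """Network control plus one knowledge factor: anyone behind the allowlisted
    address who knows (or has obtained) the password gets in."""
    if not source_allowed(src_ip):
        return False, "source address not on allowlist"
    if not password_ok(username, password):
        return False, "bad password"
    return True, "allowlist + password"


def login_password_and_totp(username: str, password: str, code: str, at_time: int):
    """Knowledge factor plus a possession factor bound to the named user."""
    if not password_ok(username, password):
        return False, "bad password"
    if not verify_totp(USERS[username]["totp_secret"], code, at_time):
        return False, "bad or missing TOTP code"
    return True, "password + TOTP"


def leaked_password_scenario(now: int = 1_111_111_109):
    """Constructed scenario: alice's password has leaked to someone on the same
    office LAN.  Returns (allowlist_login, totp_login_without_device,
    totp_login_with_device)."""
    leaked = "correct horse"
    from_office = login_allowlist_and_password("alice", leaked, "203.0.113.10")
    no_device = login_password_and_totp("alice", leaked, "000000", now)
    current_code = totp(USERS["alice"]["totp_secret"], now)
    with_device = login_password_and_totp("alice", leaked, current_code, now)
    return from_office[0], no_device[0], with_device[0]


if __name__ == "__main__":
    print(leaked_password_scenario())  # (True, False, True)
```

`source_allowed` never sees a username: the same check admits alice, bob, or anyone else whose traffic exits through 203.0.113.10, which is why the allowlist narrows where a password can be used rather than adding a factor that identifies the person using it. The TOTP secret used for alice is the RFC 6238 test-vector secret, so the codes it produces can be checked against the published vectors.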