State and National Trends of Two-Factor Authentication for Non-Federal Acute Care Hospitals

ONC Data Brief 32 | November, 2015

Meghan Gabriel, PhD; Dustin Charles, MPH; JaWanna Henry, MPH; Tricia Lee Wilkins, PharmD, PhD

As electronic health information becomes more widely available, proper security measures must be implemented to ensure the information is only accessible to those with the rights to access it. The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to verify that a person seeking access to electronic protected health information (ePHI) has authorization. Two-factor authentication can satisfy this HIPAA requirement (1). Two-factor authentication is technology that requires users to provide at least one additional form of identification beyond user name and password to gain electronic access to ePHI. Examples include requiring users to answer security questions or enter a randomly generated number sent to their personal mobile device. This brief will report, for the first time, national and state trends in two-factor authentication capability among non-federal acute care hospitals in the United States from 2010 to 2014.

Half of hospitals have the capability for two-factor authentication.

Figure 1: Percent of non-Federal acute care hospitals with the capability for two-factor authentication: 2010-2014.

This figure displays a bar chart with five bars that represent the percent of non-Federal acute care hospitals with the capability for two-factor authentication, 2010-2014. Bar 1 represents 32% for 2010. Bar 2 represents 35% for 2011, which was significantly different from 2010. Bar 3 represents 40% for 2012, which was significantly different from 2011. Bar 4 represents 44% for 2013, which was significantly different from 2012. Bar 5 represents 49% for 2014, which was significantly different from 2013.

NOTES: * Denotes significantly different from previous year.

SOURCE: ONC/American Hospital Association (AHA), AHA Annual Survey Information Technology Supplement; 2010-2014.

Two-factor authentication varies significantly by hospital type.

Figure 2: Percentage of reported two-factor authentication capability among types of non-Federal acute care hospitals: 2014.

This figure contains a bar chart with five bars that represent the percentage of reported two-factor authentication capability among types of non-Federal acute care hospitals:  2014. The first bar represents 35% for critical access hospitals.  The second bar represents 40% for small rural hospitals.  The third bar represents 51% for small urban hospitals.  The fourth bar represents 59% for medium hospitals.  The fifth bar represents 63% for large hospitals.  Critical access hospitals were significantly different from small rural hospitals.  Small urban hospitals were significantly different from critical access, small rural, medium, and large hospitals.  Medium hospitals were significantly different from large hospitals.

NOTES: *Hospital types with different letters (a, b, or c) are significantly different from each other. Hospital size is based on the number of beds: large=400 or more; medium=between 399 and 100; and small=less than 100. Rural/urban status is determined by the U.S. Census Bureau. Type: urban=metropolitan or division; and rural=micropolitan or rural. Critical access hospital is a special designation by the Centers for Medicare & Medicaid Services.

SOURCE: ONC/American Hospital Association (AHA), AHA Annual Survey Information Technology Supplement; 2010-2014.

The percent of hospitals with capability for two-factor authentication varied significantly by state.

Figure 3: Percent of non-Federal acute care hospitals' capability for two-factor authentication by state: 2014.

This figure contains a state map of the percentage of non-federal acute care hospitals' capability for two-factor authentication by state, 2014. One state, Rhode Island, had results that were not reliable. Montana was the only state in the 0-19% range. There were 14 states between 20-39% (North Dakota, Maine, Kansas, Oklahoma, South Dakota, Washington, West Virginia, Kentucky, Indiana, Alaska, New Mexico, Hawaii, Louisiana, and Arkansas). There were 25 states between 40-50% (Nevada, Connecticut, Maryland, Iowa, Michigan, Wisconsin, South Carolina, Mississippi, New York, Nebraska, New Hampshire, New Jersey, Texas, North Carolina, Missouri, Illinois, Pennsylvania, Oregon, Tennessee, Idaho, Georgia, Minnesota, California, Arizona, and Massachusetts). There were 7 states between 60-79% (Alabama, Wyoming, Utah, District of Columbia, Colorado, Florida, and Virginia). There were three states between 80-100% (Delaware, Vermont, and Ohio).

NOTES: One state, Rhode Island, did not meet the standards for reliability and is shaded gray (NR = Not Reliable). See Table A for a complete list of hospital two-factor authentication capabilities by state.

SOURCE: ONC/American Hospital Association (AHA), AHA Annual Survey Information Technology Supplement; 2010-2014.

Summary

Adoption of two-factor authentication by non-federal acute care hospitals has steadily increased since 2010. In 2010, a third (32%) of hospitals had the capability. By 2014, nearly half (49%) had the capability for two-factor authentication, representing a 53% increase since 2010.

Despite the growth in two-factor authentication, the percent of hospitals reporting this capability varies significantly by hospital type. Critical access (35%) and small rural (40%) hospitals reported the lowest levels of capability for two-factor authentication. However, half (51%) of small urban hospitals have the capability for two-factor authentication. Reporting of two-factor authentication is significantly higher in medium (59%) and large (63%) hospitals than in other hospital types.

In 2014, 20 states had over half of their hospitals with the capability for two-factor authentication. States ranged from 19% to 93% of hospitals with the capability. The states with the highest percentage of hospitals with the capability were Ohio (93%), Vermont (83%), and Delaware (81%). The states with the lowest percentage of hospitals with the capability were Montana (19%), North Dakota (23%), and Maine (26%).

HIPAA offers two-factor authentication as a possible method to provide security to ePHI. In addition, two-factor authentication is an essential capability for providers who e-prescribe controlled substances. In 2010, the Drug Enforcement Administration (DEA) added the requirement of two-factor authentication for electronic prescribing to the interim final rule, Electronic Prescription for Controlled Substances (2). This rule gives practitioners the option to prescribe electronically, with several options for obtaining an authentication credential. Additionally, the increased use of two-factor authentication by practitioners may help support the Secretary's initiative to decrease opioid-related deaths and morbidity (3).

Definitions

Electronic health record: A collection of electronic health information that is capable of being shared across different health care settings. Electronic health records (EHRs) may include patient demographics, medical history, medications, allergies, immunization status, laboratory test results, radiology images, and vital signs.

Two-factor Authentication: Two-factor authentication provides identification of EHR users by means of the combination of two different components. These components may be something that the user knows, something that the user possesses, or something that is inseparable from the user. The use of two-factor authentication to prove one's identity is based on the premise that an unauthorized actor is unlikely to be able to supply both factors required for access. The authentication factors of a two-factor authentication scheme may include 1) a physical object in the possession of the user, such as a token or key; 2) a secret known to the user such as a password or PIN; 3) a biometric marker, such as a fingerprint or voice recognition (4).

Data Source and Methods

Data are from the American Hospital Association (AHA) Information Technology (IT) Supplement to the AHA Annual Survey. Since 2008, ONC has partnered with the AHA to measure the adoption and use of health IT in U.S. hospitals.

The chief executive officer of each U.S. hospital was invited to participate in the survey regardless of AHA membership status. The person most knowledgeable about the hospital's health IT (typically the chief information officer) was requested to provide the information via a mail survey or secure online site. Non-respondents received follow-up mailings and phone calls to encourage response. The survey was fielded from November 2014 to the end of February 2015.

This analysis consisted of non-federal, acute care hospitals, including children's and cancer hospitals. Estimates considered unreliable had a relative standard error adjusted for finite populations greater than 0.49. Responses with missing values were assigned zero values. Significant differences were tested using p < 0.05 as the threshold.

References

1. HIPAA Security Rule, 45 CFR 164 (2007).

2. Electronic Prescribing of Controlled Substances. Drug Enforcement Administration, Department of Justice, Office of Diversion Control website. http://www.deadiversion.usdoj.gov/ecomm/e_rx/.

3. Health and Human Services, Office of the Secretary. (2015). HHS takes strong steps to address opioid-drug related overdose, death and dependence [press release]. Retrieved from http://www.hhs.gov/news/press/2015pres/03/20150326a.html.

4. National Institute of Standards and Technology, Computer Security Division, Information Technology Laboratory. (2013). Electronic Authentication Guideline. Natl. Inst. Stand. Technol. Spec. Publ. 800-63-2.

About the Authors

The authors are with the Office of the National Coordinator for Health Information Technology, Office of Planning, Evaluation, and Analysis and the Office of Clinical Quality and Safety.

Suggested Citation

Gabriel, M, Charles, D, Henry, J, & Wilkins, TL. (November 2015) State and National Trends of Two-Factor Authentication for Non-Federal Acute Care Hospitals. ONC Data Brief, no. 32. Office of the National Coordinator for Health Information Technology: Washington DC.

Appendix

Table A. Percent of non-federal acute care hospitals that report capability for two-factor authentication by state: 2014.

See the PDF of ONC Data Brief 32 for the full appendix.