Will Stage 3 Meaningful Use require multi-factor authentication?

Mae-ellen Gavin
Sep 24, 2012

It looks that way--just this month the ONC voted to accept the Privacy and Security Tiger Team’s recommendations, one of which requires multi-factor authentication for remote access to protected health information.  Remote access includes the following scenarios: 

  1. Access from outside an organization’s private network
  2. Access from an IP address not recognized  as part of the organization or that is outside of its compliance environment
  3. Access across a network any part of which is or could be unsecure (e.g., unsecure wireless connection)

Solutions must meet NIST Level of Assurance (LOA) 3, the same requirement the DEA identified for EPCS.  Extending a security model already in place that care providers are used to; that makes sense! 

Meaningful Use Stage 3 is slated for 2015—that seems a long way off.  With the convergence of EMR adoption and mobile technologies remote access is already in high demand by most physicians.  I hope organizations are evaluating the options for multi-factor authentication sooner rather than later.  If physicians get set up with remote access and then after the fact, maybe years later, multi-factor authentication is implemented—end user satisfaction could be impacted.