164.312(d) - Person or Entity Authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
Associated implementation specifications: none. This standard has no required or addressable implementation specifications beneath it; the verification procedures themselves are the requirement.
The spirit of this standard is simple: verify that users are who they claim to be before they access PHI. To accomplish this, proof of identity is required. According to HHS, this proof may take any of the familiar authentication-factor forms:
- Require something known only to that individual, such as a password or PIN.
- Require something the individual possesses, such as a smart card, a token, or a key.
- Require something unique to the individual, such as a biometric. Examples of biometrics include fingerprints, voice patterns, facial patterns, and iris patterns.
How can a customer address this and how does Cloudticity help?
Important: All specifications must have associated company policies that explicitly state how each one is addressed. If a requirement is not applicable, the company's policies should say so explicitly rather than leave it unmentioned.
- To meet person or entity authentication guidelines:
- AWS provides Identity and Access Management (IAM), which includes an account-level password policy with configurable complexity, length, expiry and reuse rules; multi-factor authentication (MFA) for IAM users, enforceable through IAM policy conditions; and federation to an existing identity provider or the customer's own Active Directory. Note that the IAM password policy governs only the console passwords of IAM users; federated users are bound by the password and MFA policy of the identity provider they sign in through. AWS also provides logging and auditing services, which are covered in our audit control post.
- Cloudticity ensures that all necessary AWS services are configured correctly, including but not limited to the ones mentioned above.
- Cloudticity helps customers by enforcing password complexity requirements, requiring MFA for all administrators, requiring that permission changes go through a support procedure so they are documented, and conducting quarterly reviews of access rights. Cloudticity also provides professional services to build additional authentication workflows on request.
- Customer applications must themselves meet person or entity authentication guidelines if they provide access to PHI. Identity providers and Active Directory must enforce strong password complexity, require MFA, and implement additional security measures as needed.
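As an added, concrete illustration of the AWS IAM controls listed above (this is example code written for this page, not Cloudticity's own tooling), the block below does three things: it defines an account password policy using the parameters that IAM's UpdateAccountPasswordPolicy accepts, it defines the standard AWS-documented "deny everything unless MFA is present" policy that turns MFA from optional into mandatory for IAM users, and it includes a local checker that applies the same complexity rules so a password can be validated before it is ever sent to AWS. The specific values (14 characters, 90-day expiry, 24 remembered passwords, the `hipaa-admins` group name) are assumptions chosen for the example, not requirements stated by HHS; the boto3 calls in `apply_to_account` are real IAM API calls but are only executed when the script is run with credentials.

```python
"""Example IAM configuration for 164.312(d): password complexity and mandatory MFA.

Added example for this page, not Cloudticity's own code. The numeric thresholds
and the group name are assumptions chosen for illustration.
"""
import json

# Non-alphanumeric characters that IAM counts as "symbols" for RequireSymbols.
IAM_SYMBOLS = set("!@#$%^&*()_+-=[]{}|'")

# Keyword arguments for iam.update_account_password_policy(). Values are assumed.
PASSWORD_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
    "HardExpiry": False,
}

# AWS-documented pattern: deny every action except the ones needed to enrol an
# MFA device unless the request was MFA-authenticated. BoolIfExists (rather than
# Bool) matters: long-term access-key requests carry no
# aws:MultiFactorAuthPresent key at all, and BoolIfExists treats the missing key
# as "false", so those requests are denied too instead of slipping through.
MFA_ENFORCEMENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllExceptMfaEnrolmentIfNoMfa",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "sts:GetSessionToken",
            ],
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        }
    ],
}


def check_password(password: str, policy: dict = PASSWORD_POLICY) -> list:
    """Apply the same complexity rules IAM enforces; return a list of failures.

    An empty list means the password satisfies the policy.
    """
    failures = []
    if len(password) < policy["MinimumPasswordLength"]:
        failures.append("too short")
    if policy["RequireUppercaseCharacters"] and not any(c.isupper() for c in password):
        failures.append("no uppercase")
    if policy["RequireLowercaseCharacters"] and not any(c.islower() for c in password):
        failures.append("no lowercase")
    if policy["RequireNumbers"] and not any(c.isdigit() for c in password):
        failures.append("no digit")
    if policy["RequireSymbols"] and not any(c in IAM_SYMBOLS for c in password):
        failures.append("no symbol")
    return failures


def mfa_policy_json() -> str:
    """Serialise the MFA enforcement policy as IAM expects it."""
    return json.dumps(MFA_ENFORCEMENT_POLICY, indent=2)


def apply_to_account(group_name: str = "hipaa-admins") -> str:
    """Push both controls to the account; returns the created policy ARN.

    Requires boto3 and AWS credentials; imported lazily so the rest of the
    module is usable offline. The group name is an assumption.
    """
    import boto3  # real library; only needed when actually applying

    iam = boto3.client("iam")
    iam.update_account_password_policy(**PASSWORD_POLICY)
    created = iam.create_policy(PolicyName="EnforceMFA", PolicyDocument=mfa_policy_json())
    arn = created["Policy"]["Arn"]
    iam.attach_group_policy(GroupName=group_name, PolicyArn=arn)
    return arn


if __name__ == "__main__":
    print(check_password("Tr0ub4dor&3-is-long"))  # expected: []
    print(mfa_policy_json())
```

Attaching the MFA policy to a group and putting every IAM user in that group is what makes "forcing use of MFA for all administrators" enforceable rather than advisory; a user who has not enrolled a device can still reach the handful of IAM actions needed to enrol one, and nothing else.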