Does the new RCE requirement for two-factor authentication represent an undue burden? Today we discuss. https://lnkd.in/g4Be2HRP
Today in Health IT, we get into some wonkiness, talking about the draft QHIN participant dual-factor authentication requirement. Should be fun. My name is Bill Russell. I'm a former CIO for a 16-hospital system and creator of This Week Health, a set of channels dedicated to keeping health IT staff current and engaged.
We want to thank our show sponsors who are investing in developing the next generation of health leaders. They are Tausight and Canon Medical. If you want to be a sponsor of this show, just reach out: thisweekhealth.com/sponsors.
All right. Don't forget, we are partnering with Alex's Lemonade Stand. We've set up our own This Week Health lemonade stand and would love to have you be a part of us raising money for kids with cancer and for cancer research. If you want to be a part of that, we would love to have that happen. This is part of our five-year anniversary program, and you can find it at the top of our website, thisweekhealth.com; click on the Alex's Lemonade Stand. And please go ahead and make a donation. We have a goal of raising $50,000 and we're well on our way. We're at $10,000 today.
All right. John Lee. So John Lee put a post out there on this draft QHIN rule, and here's what he had to say; it was on LinkedIn. Please excuse a detour into health IT wonkiness. As we said earlier, this is a proposed regulation that will require any user accessing a system connected to the interoperability framework proposed by the government to make sure authentication shall occur by the use of either a multifactor authenticator or a combination of two-factor authentication. My interpretation is that if you are a nurse who steps away from a workstation, it times out and you have to sign in again, you need to not only use your password but also use multi-factor authentication.
If you then go to another workstation, you will need to use multifactor authentication. Basically, every time you currently use your password, they are proposing that you have to use multifactor authentication. And he goes on to say, I understand the desire for privacy and security, but I think this proposed rule takes this effort to an unnecessary extreme.
Whenever I access a clinical system, it is either on a secure network or I have to use multi-factor to access the clinical application. To me, this proposal goes beyond belts and suspenders; it adds staples. It's unnecessary pain and no gain.
All right. So I went out and hit the ONC TEFCA Recognized Coordinating Entity and wanted to read the rule. And it's not long, so that's why I'm going to read it. So, authentication: each QHIN, participant and sub-participant shall require that workforce members and individuals who are authorized users are authenticated in accordance with the following requirements. Workforce members: each participant and sub-participant shall require that workforce members who are authorized users of the system which access protected health information (a lot of stuff in paragraphs you don't need) be authenticated at Authenticator Assurance Level 2.
Note that AAL2 authentication shall occur by the use of either a multifactor authenticator or a combination of two single-factor authenticators. NIST SP 800 describes permitted authenticator types for AAL2. When assertions are used in a federated environment to communicate authentication and attribute information to a relying party, such assertions shall be at NIST Federation Assurance Level 2.
There you have it. So that's the rule. I will say to you that I did not read this the way that John Lee read this, just understanding what I do about how machines are connected within the network. He gives the use case of the nurse stepping away.
In our environment, all the clinical workstations were in a tap-and-go situation, which required dual-factor authentication. But once they were logged in, all the systems and all the passwords were essentially, let's say, combined (not combined, that's the wrong word), but they were stored in that one-pass system that we had. Right. And so it was just badging in, badging out.
The timeout only happened once every four hours. And so if they went to lunch and came back, they would have to reauthenticate and do dual-factor authentication. And that already existed within our health system. I'm pretty sure that I wouldn't change a thing based on this rule. Like, we would still, I know we would include that authentication to any of the data that's being shared through this interoperability framework. But it would not require additional, let's say, additional authentication in order to access it. Right. So for a clinician, essentially, if you had an eight-hour shift... if you had a 12-hour shift, that's a different story; you have to authenticate three times. But if you have an eight-hour shift, you'd have to authenticate twice, essentially, and we felt like that was a good enough standard for protecting patient information.
And we had dual-factor authentication because we thought that that level of security was required, especially with the fact that we were giving clinicians access outside of the health system, from workstations that were outside of the health system, and we felt that opened us up. It provided the convenience that the physicians were looking for, but it also opened us up to a whole host of attacks. So we wanted to ensure that people were authenticating, so we needed dual-factor authentication for external access. Internal access I was not all that worried about, because as he stated, we have secured networks, but we still implemented it across the board. And we had that four-hour window of timeout.
So I don't think that's an undue burden for privacy: every couple of hours. I do think it's an undue burden if it's every workstation you touch you have to dual-factor authenticate. That's insane. Like, we would not have done that. We would've fought back on that pretty hard. You know, here's my recommendation if I were sitting in your shoes. My "so what" on this, if I were sitting in your shoes: I'd read this, talk through it with your team, figure out what you believe it means, and ask the questions you need of the coordinating entity to make sure that you are compliant with it. And once you feel comfortable... if you don't feel comfortable, comment. I mean, I went out to their comment page.
John Lee actually links to their comment page. Let me see if I can get the URL for you. It might be... yeah, it's pretty big. Anyway: RCE, Sequoia Project dot org, draft QHIN participation, or participant and sub-participant... sub-participant. Wow, interesting word. Additional security requirements, SOP feedback. So it is out there. It's on the Sequoia Project website, and you can provide some feedback there. So if you read this and determine with your team that it is too onerous, then that is where you give feedback. It's still in the draft stage. It's a chance to give some feedback, but again, I did not read this the way they did.
You have to determine the way your organization is going to read it, and then figure out what the plan is going to be moving forward. But this is our interoperability framework that we have moving forward, and we're going to want to connect to it. And so we should know what those things are moving into the new year.
All right. That's all for today. If you know someone that might benefit from our channel this year, what we would love for you to do is shoot an email to somebody, send an email to them and say, Hey, I'm listening to this podcast. I think you'd benefit from it and I'd love to have conversations with you about it. And you can send them to thisweekhealth.com. You can send them to wherever they listen to podcasts. Remember, we have three channels. We have the conference channel, we have the community channel, and we have the newsroom channel, and you're listening to the newsroom channel. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health leaders. They are Tausight and Canon Medical. Check them out at thisweekhealth.com/today. Thanks for listening.
That's all for now.