Lack of proper authentication

Risk: Lack of proper authentication

Explanation: The first step in gaining access to ePHI must be authentication: verifying that the entity trying to access ePHI (a person, or another software program) really is who or what it claims to be. If persons or entities are not authenticated, ePHI is at risk of being compromised. Proper authentication must also take place before ePHI is shared with anyone in any manner; without it, ePHI may end up in the wrong hands.

Major Mitigation: In its simplest form, an authentication mechanism consists of a user name and password that must be supplied to gain access. This mechanism can be applied at the workstation level, at the application level, or both, depending on the level of security needed. There must be defined policies and procedures that lay out the authentication mechanisms to be followed, including the mechanism to be adopted when sharing ePHI with another person or entity.

Secondary Mitigation: A combination of authentication mechanisms can be used for a more advanced level of authentication, namely multifactor authentication.

Success Criteria: Each and every access to the systems must be logged. An audit of these logs gives a clear picture of who accessed what and when. The risk analysis/assessment reports will also give a clear indication of whether any risks exist and whether the controls are effective.
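The three pieces above (password authentication, a second factor, and logging every access so the logs can be audited) fit together in a small example. The following Python is an added illustration, not code from the original page: it stores salted PBKDF2 password hashes, checks an RFC 6238 TOTP code as the second factor, writes one audit record per attempt, and includes an audit helper that flags users with repeated failures in a short window. The user store, user names, password, TOTP secret and timestamps are constructed sample values; the TOTP secret is the RFC 6238 test-vector key, used so the one-time code is deterministic.

```python
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass
from typing import Optional

# Iteration count kept low so the example runs quickly; production deployments
# should follow current guidance (e.g. several hundred thousand iterations).
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest) for a password using PBKDF2-HMAC-SHA256."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1, as in the RFC test vectors)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes


USERS = {}        # constructed in-memory user store (username -> User)
AUDIT_LOG = []    # one record per authentication attempt

# Dummy credential verified for unknown users so that "no such user" and
# "wrong password" take comparable time and do not reveal which accounts exist.
DUMMY_SALT, DUMMY_HASH = hash_password(secrets.token_hex(8))


def register(username: str, password: str, totp_secret: bytes) -> None:
    salt, digest = hash_password(password)
    USERS[username] = User(username, salt, digest, totp_secret)


def authenticate(username: str, password: str, otp: str,
                 now: Optional[int] = None, log: Optional[list] = None) -> bool:
    """Check password then OTP; always append an audit record; return True on success."""
    now = int(time.time()) if now is None else now
    log = AUDIT_LOG if log is None else log
    user = USERS.get(username)
    if user is None:
        verify_password(password, DUMMY_SALT, DUMMY_HASH)
        outcome = "fail_unknown_user"
    elif not verify_password(password, user.salt, user.pw_hash):
        outcome = "fail_password"
    elif not hmac.compare_digest(otp, totp(user.totp_secret, now)):
        outcome = "fail_otp"
    else:
        outcome = "success"
    log.append({"ts": now, "user": username, "outcome": outcome})
    return outcome == "success"


def audit_report(log: list, window: int = 300, threshold: int = 3) -> tuple:
    """Count outcomes and flag users with >= threshold failures inside `window` seconds."""
    counts = {}
    failure_times = {}
    flagged = set()
    for entry in log:
        counts[entry["outcome"]] = counts.get(entry["outcome"], 0) + 1
        if entry["outcome"] == "success":
            continue
        times = failure_times.setdefault(entry["user"], [])
        times.append(entry["ts"])
        recent = [t for t in times if entry["ts"] - t < window]
        if len(recent) >= threshold:
            flagged.add(entry["user"])
    return counts, sorted(flagged)


if __name__ == "__main__":
    # Constructed walk-through: one good login, then several failures.
    register("alice", "correct horse battery", b"12345678901234567890")
    code = totp(b"12345678901234567890", 59)          # "287082" per RFC 6238 vector
    authenticate("alice", "correct horse battery", code, now=59)
    authenticate("alice", "wrong", code, now=59)
    authenticate("alice", "correct horse battery", "000000", now=59)
    authenticate("mallory", "x", "000000", now=59)
    authenticate("alice", "wrong", code, now=59)
    print(audit_report(AUDIT_LOG))
```

The audit helper is the "success criteria" half of the page: because every attempt, successful or not, produces a record, a reviewer can both reconstruct who accessed the system and spot clusters of failures that a single log line would not reveal.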