About Two-Factor Authentication (2FA)
Two-Factor Authentication (2FA)
Apex often receives inquiries from our partners regarding the additional step of two-factor authentication. Learn why this feature helps Apex keep your and your clients’ data safe.
What is two-factor authentication?
Two-factor authentication (2FA) is a security process that requires two distinct forms of identification before granting access to something like an online platform or system. It adds a layer of security by checking that the people trying to gain access to a system are who they say they are. First, a user is prompted to enter a username and password. Instead of granting access immediately, a system using 2FA then requires a second piece of information from the user, e.g. a one-time security code or the answer to a security question. This makes it harder for an unauthorized person to get into the system: even if the password has been compromised, the password alone is not enough to gain access to the system or application.
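The two-step flow described above, as an added example that is not part of the original article and not Apex's or Cerberus's own code: the first factor is a salted password hash check, the second is a time-based one-time code (TOTP, RFC 6238, built on HOTP from RFC 4226) of the kind an authenticator app produces. The user record, salt and the example secret are constructed for the demonstration; the secret is the RFC 4226 test-vector key so the codes can be checked against the published values. The point the code makes is the one in the paragraph: a correct password with a missing or wrong code is still denied.

```python
import hashlib
import hmac
import struct

# --- Second factor: HOTP (RFC 4226) and TOTP (RFC 6238) -------------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute an HOTP code: HMAC-SHA1 over the big-endian counter,
    dynamic truncation, then reduce to the requested number of digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from the Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current time step plus `window` steps either
    side to tolerate clock drift. Constant-time comparison avoids leaking
    how many digits matched."""
    counter = int(at_time) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return True
    return False


# --- First factor: salted password hash -----------------------------------

def password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user record (hypothetical user, constructed salt). The TOTP
# secret is the RFC 4226 test key, used here only so results are checkable.
EXAMPLE_SALT = b"constructed-salt-0001"
EXAMPLE_TOTP_SECRET = b"12345678901234567890"
USERS = {
    "jdoe": {
        "salt": EXAMPLE_SALT,
        "pw_hash": password_hash("correct horse battery staple", EXAMPLE_SALT),
        "totp_secret": EXAMPLE_TOTP_SECRET,
    }
}


def authenticate(username: str, password: str, code, at_time: int) -> str:
    """Two-factor login: the password must be right AND a valid code must be
    supplied. Returns a short outcome string for the caller to act on."""
    user = USERS.get(username)
    # Hash even for unknown users so timing does not reveal valid usernames.
    salt = user["salt"] if user else EXAMPLE_SALT
    candidate = password_hash(password, salt)
    if user is None or not hmac.compare_digest(candidate, user["pw_hash"]):
        return "denied: bad username or password"
    if code is None:
        return "second factor required"          # password alone is never enough
    if not verify_totp(user["totp_secret"], code, at_time):
        return "denied: bad code"
    return "granted"


if __name__ == "__main__":
    t = 59  # RFC 6238 test time: counter 1 -> code 287082 for this secret
    print(authenticate("jdoe", "correct horse battery staple", None, t))
    print(authenticate("jdoe", "correct horse battery staple", "000000", t))
    print(authenticate("jdoe", "correct horse battery staple", totp(EXAMPLE_TOTP_SECRET, t), t))
```

In a real deployment the TOTP secret is generated per user with a CSPRNG, stored encrypted, and shared with the user once as a QR code; the window should be kept small and each accepted code recorded so it cannot be replayed within the same step.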
Why is 2FA important?
Under single-factor authentication (SFA), a username and password alone are often far less secure than 2FA. A problem with password-based authentication is that it depends on users having the knowledge and diligence to create and remember strong passwords. This is difficult for users juggling access to multiple systems, and it results in passwords written on sticky notes or reused across platforms. Passwords can also be stolen in attacks such as phishing or data breaches. With SFA, a single exposed password can grant immediate unauthorized access to a system that contains sensitive or confidential information. One example of such information is “protected health information” (PHI).
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that requires the creation of national standards to protect sensitive patient health information. Within this act, the Privacy Rule standards address the use and disclosure of individuals’ PHI. PHI is any demographic information that can be used to identify a patient or client.
PHI transmitted, stored, or accessed electronically also falls under HIPAA regulatory standards and is known as electronic protected health information, or ePHI. ePHI is regulated by the HIPAA Security Rule. To comply with the HIPAA Security Rule, all covered entities must:
- ensure the confidentiality, integrity, and availability of all ePHI;
- detect and safeguard against anticipated threats to the security of the information;
- protect against anticipated impermissible uses or disclosures; and
- certify compliance by their workforce.
In order to meet these standards, Apex uses 2FA. Since Apex and our partners handle PHI, it is paramount that we do everything we can to protect such information, not only to remain HIPAA compliant but also to protect those whose records we access. 2FA allows us to ensure that even if a password has been lost or compromised, no one who shouldn’t have access to PHI gets it.
How does Apex use 2FA?
Cerberus and the Apex Data Hub are used throughout the school year to receive sensitive information, including files containing PHI. We receive this information in order to help the school-based health center (SBHC) provide the state with the required data to receive funding and remain in operation.
To remain HIPAA-compliant, Apex cannot acquire data via email, flash drive, or postal mail. This requires us to use another form of secure file transfer, a system called Cerberus. Cerberus allows Apex to receive important visit data from each site and transfer it into our Data Hub. This visit data contains PHI, as it is a record of each and every visit the SBHC had that month or year. Direct upload to Cerberus ensures that the visit information Apex receives is protected and secure. 2FA is a system requirement when working with Cerberus and PHI, to ensure that only those who are supposed to have access to the PHI do. 2FA provides that extra layer of security in the event of a computer compromise or stolen password, so that unauthorized parties do not gain access to uploaded PHI.
Still have questions? We’re here to help. Reach out to us at support@apexeval.org.