§170.315(d)(12) Encrypt authentication credentials
| Version # | Description of Change | Version Date |
|---|---|---|
| 1.0 |
Final Test Procedure |
06-01-2020
|
§ 170.315 (d)(12) Encrypt authentication credentials. Health IT developers must make one of the following attestations and may provide the specified accompanying information, where applicable:
- Yes – the Health IT Module encrypts stored authentication credentials in accordance with standards adopted in § 170.210(a)(2).
- No – the Health IT Module does not encrypt stored authentication credentials. When attesting “no,” the health IT developer may explain why the Health IT Module does not support encrypting stored authentication credentials.
Paragraph (d)(12)(i)
§ 170.210(a)(2) General. Any encryption algorithm identified by the National Institute of Standards and Technology (NIST) as an approved security function in Annex A of the Federal Information Processing Standards (FIPS) Publication 140-2, October 8, 2014 (incorporated by reference in §170.299).
- Resource Documents
- Revision History
-
Version # Description of Change Version Date 1.0 Final Test Procedure
06-01-2020 - Regulation Text
-
Regulation Text
§ 170.315 (d)(12) Encrypt authentication credentials. Health IT developers must make one of the following attestations and may provide the specified accompanying information, where applicable:
- Yes – the Health IT Module encrypts stored authentication credentials in accordance with standards adopted in § 170.210(a)(2).
- No – the Health IT Module does not encrypt stored authentication credentials. When attesting “no,” the health IT developer may explain why the Health IT Module does not support encrypting stored authentication credentials.
- Standard(s) Referenced
-
Paragraph (d)(12)(i)
§ 170.210(a)(2) General. Any encryption algorithm identified by the National Institute of Standards and Technology (NIST) as an approved security function in Annex A of the Federal Information Processing Standards (FIPS) Publication 140-2, October 8, 2014 (incorporated by reference in §170.299).
Please consult the Final Rule entitled: 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program for a detailed description of the certification criterion with which these testing steps are associated. Developers are encouraged to consult the Certification Companion Guide in tandem with the Test Procedure, as they both provide clarifications that may be useful for product development and testing.
Note: The order in which the test steps are listed reflects the sequence of the certification criterion and does not necessarily prescribe the order in which the test should take place.
Testing components
Paragraph (d)(12)(i) - (Alternative)
The health IT developer attests, “Yes, the Health IT Module stores authentication credentials in accordance with standards adopted in § 170.210(a)(2).”
The ONC-ACB verifies the health IT developer attests, “Yes, the Health IT Module encrypts stored authentication credentials in accordance with standards adopted in § 170.210(a)(2).”
| System Under Test |
ONC-ACB Verification
|
|---|---|
|
The health IT developer attests, “Yes, the Health IT Module stores authentication credentials in accordance with standards adopted in § 170.210(a)(2).” |
The ONC-ACB verifies the health IT developer attests, “Yes, the Health IT Module encrypts stored authentication credentials in accordance with standards adopted in § 170.210(a)(2).” |
Paragraph (d)(12)(ii) - (Alternative)
- The health IT developer attests, “No, the Health IT Module does not encrypt stored authentication credentials.”
- The health IT developer may submit an explanation why the Health IT Module does not encrypt stored authentication credentials.
- The ONC-ACB verifies the health IT developer attests “No, the Health IT Module does not encrypt stored authentication credentials.”
- If the health IT developer provides an explanation, then the ONC-ACB verifies the health IT developer provides explanation why the Health IT Module does not encrypt stored authentication credentials.
| System Under Test |
ONC-ACB Verification
|
|---|---|
|
|
| Version # | Description of Change | Version Date |
|---|---|---|
| 1.0 |
Initial Publication |
06-15-2020
|
| 1.1 |
Added clarifications to the reporting requirements of results to the ONC-ACB and for the CHPL listing and updated the referenced version of the document listed in § 170.210(a)(2). |
06-30-2020
|
| 1.2 |
Added clarification regarding acceptable methods of encrypting authentication credentials. |
12-08-2021
|
§ 170.315 (d)(12) Encrypt authentication credentials. Health IT developers must make one of the following attestations and may provide the specified accompanying information, where applicable:
- Yes – the Health IT Module encrypts stored authentication credentials in accordance with standards adopted in § 170.210(a)(2).
- No – the Health IT Module does not encrypt stored authentication credentials. When attesting “no,” the health IT developer may explain why the Health IT Module does not support encrypting stored authentication credentials.
Paragraph (d)(12)(i)
§ 170.210(a)(2) General. Any encryption algorithm identified by the National Institute of Standards and Technology (NIST) as an approved security function in Annex A of the Federal Information Processing Standards (FIPS) Publication 140-2, October 8, 2014 (incorporated by reference in §170.299).
- Resource Documents
- Revision History
-
Version # Description of Change Version Date 1.0 Initial Publication
06-15-20201.1 Added clarifications to the reporting requirements of results to the ONC-ACB and for the CHPL listing and updated the referenced version of the document listed in § 170.210(a)(2).
06-30-20201.2 Added clarification regarding acceptable methods of encrypting authentication credentials.
12-08-2021 - Regulation Text
-
Regulation Text
§ 170.315 (d)(12) Encrypt authentication credentials. Health IT developers must make one of the following attestations and may provide the specified accompanying information, where applicable:
- Yes – the Health IT Module encrypts stored authentication credentials in accordance with standards adopted in § 170.210(a)(2).
- No – the Health IT Module does not encrypt stored authentication credentials. When attesting “no,” the health IT developer may explain why the Health IT Module does not support encrypting stored authentication credentials.
- Standard(s) Referenced
-
Paragraph (d)(12)(i)
§ 170.210(a)(2) General. Any encryption algorithm identified by the National Institute of Standards and Technology (NIST) as an approved security function in Annex A of the Federal Information Processing Standards (FIPS) Publication 140-2, October 8, 2014 (incorporated by reference in §170.299).
Certification Companion Guide: Encrypt authentication credentials
This Certification Companion Guide (CCG) is an informative document designed to assist with health IT product development. The CCG is not a substitute for the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule (ONC Cures Act Final Rule). It extracts key portions of the rule’s preamble and includes subsequent clarifying interpretations. To access the full context of regulatory intent please consult the ONC Cures Act Final Rule or other included regulatory reference. The CCG is for public use and should not be sold or redistributed.
| Base EHR Definition | In Scope for CEHRT Definition | Real World Testing | USCDI | SVAP |
|---|---|---|---|---|
| Not Included | No | No | No | No |
Applies to Entire Criterion
Clarifications:
- The criterion does not require certified health IT to have these capabilities or for health IT developers to implement these capabilities for a specific use case or any use case, just that they attest “yes” or “no” to whether the Health IT Module encrypts authentication credentials. The criterion places no requirements on health IT customers, such as healthcare providers, to implement these capabilities (if present in their products) in their health care settings.
- If a health IT developer attests “no” to support for encrypting stored authentication credentials, they may provide an explanation to the ONC Authorized Certification Body (ONC-ACB) that is either a hard copy or in an acceptable human readable electronic format. To be open and transparent to the public, developers should provide a hyperlink to any optional documentation to be published with the product on the ONC Certified Health IT Product List (CHPL).
- The referenced standard item “§ 170.210(a)(2) General. Any encryption algorithm identified by the National Institute of Standards and Technology (NIST) as an approved security function in Annex A of the Federal Information Processing Standards (FIPS) Publication 140-2, October 8, 2014 (incorporated by reference in §170.299)” has been updated to a new version dated June 10, 2019. It is recommended that health IT developers use the updated NIST-documented standard for encryption algorithms.
- Encrypting authentication credentials may include password encryption or cryptographic hashing, which is storing encrypted or cryptographically hashed passwords, respectively (85 FR 25700).
Applies to Entire Criterion
|
Clarifications:
|
Paragraph (ii)
Clarifications:
- If a health IT developer attests “no” for its Health IT Module(s) it can indicate why the Health IT Module(s) does not support encrypting stored authentication credentials. For example, the health IT developer could explain that its Health IT Module is not designed to store authentication credentials; therefore, there is no need for the Health IT Module to encrypt authentication credentials.
Paragraph (ii)
|
Clarifications:
|