Printer Friendly, PDF & Email Printer Friendly, PDF & Email

§170.315(d)(12) Encrypt authentication credentials

Version 1.0 Updated on 06-01-2020
Resource Documents
Revision History
Version # Description of Change Version Date
1.0

Final Test Procedure

06-01-2020
Regulation Text
Regulation Text

§170.315 (d)(12) Encrypt authentication credentials. Health IT developers must make one of the following attestations and may provide the specified accompanying information, where applicable:

  1. Yes – the Health IT Module encrypts stored authentication credentials in accordance with standards adopted in § 170.210(a)(2).
  2. No – the Health IT Module does not encrypt stored authentication credentials. When attesting “no,” the health IT developer may explain why the Health IT Module does not support encrypting stored authentication credentials.
Standard(s) Referenced

Paragraph (d)(12)(i)

§ 170.210(a)(2) General. Any encryption algorithm identified by the National Institute of Standards and Technology (NIST) as an approved security function in Annex A of the Federal Information Processing Standards (FIPS) Publication 140-2, October 8, 2014 (incorporated by reference in §170.299).

Please consult the Final Rule entitled: 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program for a detailed description of the certification criterion with which these testing steps are associated. Developers are encouraged to consult the Certification Companion Guide in tandem with the Test Procedure, as they  both provide clarifications that may be useful for product development and testing.

Note: The order in which the test steps are listed reflects the sequence of the certification criterion and does not necessarily prescribe the order in which the test should take place.

Testing components

No GAP Icon Documentation Icon Visual Inspection Icon No Test Tool Icon No ONC Supplied Test Data Icon

Paragraph (d)(12)(i) - (Alternative)

System Under Test
ONC-ACB Verification

The health IT developer attests, “Yes, the Health IT Module stores authentication credentials in accordance with standards adopted in § 170.210(a)(2).”

The ONC-ACB verifies the health IT developer attests, “Yes, the Health IT Module encrypts stored authentication credentials in accordance with standards adopted in § 170.210(a)(2).”


Paragraph (d)(12)(ii) - (Alternative)

System Under Test
ONC-ACB Verification
  1. The health IT developer attests, “No, the Health IT Module does not encrypt stored authentication credentials.”
  2. The health IT developer may submit an explanation why the Health IT Module does not encrypt stored authentication credentials.
  1. The ONC-ACB verifies the health IT developer attests “No, the Health IT Module does not encrypt stored authentication credentials.”
  2. If the health IT developer provides an explanation, then the ONC-ACB verifies the health IT developer provides explanation why the Health IT Module does not encrypt stored authentication credentials.

Version 1.1 Updated on 06-30-2020
Resource Documents
Revision History
Version # Description of Change Version Date
1.0

Initial Publication

06-15-2020
1.1

Added clarifications to the reporting requirements of results to the ONC-ACB and for the CHPL listing and updated the referenced version of the document listed in § 170.210(a)(2).

06-30-2020
Regulation Text
Regulation Text

§170.315 (d)(12) Encrypt authentication credentials. Health IT developers must make one of the following attestations and may provide the specified accompanying information, where applicable:

  1. Yes – the Health IT Module encrypts stored authentication credentials in accordance with standards adopted in § 170.210(a)(2).
  2. No – the Health IT Module does not encrypt stored authentication credentials. When attesting “no,” the health IT developer may explain why the Health IT Module does not support encrypting stored authentication credentials.
Standard(s) Referenced

Paragraph (d)(12)(i)

§ 170.210(a)(2) General. Any encryption algorithm identified by the National Institute of Standards and Technology (NIST) as an approved security function in Annex A of the Federal Information Processing Standards (FIPS) Publication 140-2, October 8, 2014 (incorporated by reference in §170.299).

Certification Companion Guide: Encrypt authentication credentials

This Certification Companion Guide (CCG) is an informative document designed to assist with health IT product development. The CCG is not a substitute for the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule (ONC Cures Act Final Rule).   It extracts key portions of the rule’s preamble and includes subsequent clarifying interpretations. To access the full context of regulatory intent please consult the ONC Cures Act Final Rule or other included regulatory reference. The CCG is for public use and should not be sold or redistributed.

 

Certification Requirements
Technical Explanations and Clarifications

 

Applies to Entire Criterion

Clarifications:

  • The criterion does not require certified health IT to have these capabilities or for health IT developers to implement these capabilities for a specific use case or any use case, just that they attest “yes” or “no” to whether the Health IT Module encrypts authentication credentials. The criterion places no requirements on health IT customers, such as health care providers, to implement these capabilities (if present in their products) in their health care settings.
  • If a Health IT developer attests “no” to support for encrypting stored authentication credentials, they may provide an explanation to the ONC-ACB that is either a hard copy or in an acceptable human readable electronic format.  To be open and transparent to the public, developers should provide a hyperlink to any optional documentation to be published with the product on the ONC Certified Health IT Product List (CHPL).
  • The referenced standard item “§ 170.210(a)(2)  General. Any encryption algorithm identified by the National Institute of Standards and Technology (NIST) as an approved security function in Annex A of the Federal Information Processing Standards (FIPS) Publication 140-2, October 8, 2014 (incorporated by reference in §170.299)” has been updated to a new version dated June 10, 2019.  It is recommended that health IT developers use the updated NIST-documented standard for encryption algorithms.

 

Paragraph (ii)

Clarifications:

  • If a health IT developer attests “no” for its Health IT Module(s) it can indicate why the Health IT Module(s) does not support encrypting stored authentication credentials.  For example, the health IT developer could explain that its Health IT Module is not designed to store authentication credentials; therefore there is no need for the Health IT Module to encrypt authentication credentials.

Content last reviewed on June 30, 2020
Was this page helpful?