Clarifications:
- The criterion does not require certified health IT to have these capabilities, nor does it require health IT developers to implement them for any specific use case or for any use case at all; it only requires developers to attest “yes” or “no” to whether the Health IT Module encrypts authentication credentials. The criterion places no requirements on health IT customers, such as healthcare providers, to use these capabilities (if present in their products) in their health care settings.
- If a health IT developer attests “no” to support for encrypting stored authentication credentials, it may provide an explanation to the ONC Authorized Certification Body (ONC-ACB), either as a hard copy or in an acceptable human-readable electronic format. For openness and transparency to the public, developers should provide a hyperlink to any such optional documentation so that it can be published with the product on the ONC Certified Health IT Product List (CHPL).
- The referenced standard item “§ 170.210(a)(2) General. Any encryption algorithm identified by the National Institute of Standards and Technology (NIST) as an approved security function in Annex A of the Federal Information Processing Standards (FIPS) Publication 140-2” has been updated to a new version dated October 12, 2021. It is recommended that health IT developers use the updated NIST-documented standard for encryption algorithms.
- For purposes of this criterion, “encrypting authentication credentials” covers both password encryption (storing passwords in encrypted form) and cryptographic hashing (storing a cryptographic hash of each password rather than the password itself) (85 FR 25700).
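The cryptographic-hashing option in the last clarification is the one most products take for stored passwords, because a hash cannot be reversed to recover the password. The block below is an added example of that approach, not ONC guidance or any developer's certified code. It uses PBKDF2 with HMAC-SHA-256 from the Python standard library (SHA-256 and HMAC are NIST-approved security functions; PBKDF2 is NIST SP 800-132), a random per-password salt, and a constant-time comparison on verification. The record format `algorithm$iterations$salt_hex$hash_hex`, the iteration count, and the function names are this example's own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumptions for this example (not values mandated by the criterion):
ALGORITHM = "pbkdf2_sha256"   # label stored with each record so it can be migrated later
ITERATIONS = 600_000          # PBKDF2 work factor; raise as hardware gets faster
SALT_BYTES = 16               # 128-bit random salt, unique per credential
DKLEN = 32                    # 256-bit derived key


def hash_password(password: str, *, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record "algorithm$iterations$salt_hex$hash_hex".

    Only this record is stored. The plaintext password is never written
    anywhere, which is what distinguishes hashing from reversible encryption.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # CSPRNG salt defeats precomputed tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DKLEN)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    try:
        algorithm, iterations_s, salt_hex, hash_hex = stored.split("$")
        iterations = int(iterations_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False                     # malformed record never verifies
    if algorithm != ALGORITHM or iterations < 1 or not salt or not expected:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt,
                             iterations, dklen=len(expected))
    # compare_digest does not leak the position of the first differing byte
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str, minimum_iterations: int = ITERATIONS) -> bool:
    """True if the record uses an algorithm or work factor below current policy.

    A product that raises ITERATIONS over time can call this at successful
    login and re-hash the (just verified) password with the new parameters.
    """
    try:
        algorithm, iterations_s, _salt_hex, _hash_hex = stored.split("$")
        iterations = int(iterations_s)
    except ValueError:
        return True
    return algorithm != ALGORITHM or iterations < minimum_iterations


if __name__ == "__main__":
    # Constructed demo input, not a real credential.
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password(record, "correct horse battery staple"))  # True
    print(verify_password(record, "wrong password"))                # False
    print(needs_rehash(record))                                     # False
```

Two details are worth calling out for an attestation review: the salt is generated with `os.urandom`, so two users with the same password get different records, and `verify_password` rejects malformed or foreign records rather than raising, so a corrupted row cannot be turned into an authentication bypass or a crash.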