Top Strategies for Implementing Multi-Factor Authentication
Establishing multi-factor authentication in the healthcare setting is not as challenging as many organizations assume.
Multi-factor authentication (MFA) can block more than 99 percent of automated cyber attacks, yet healthcare organizations often wait until their security has already been breached before turning to this protective tool.
“The two main obstacles organizations say hinder them from implementing MFA are this misconception that implementing the tool will require an external hardware device and concerns that it will disrupt users or cause the technology to malfunction,” Jessica Davis, senior editor of HealthITSecurity.com, explained on an episode of Healthcare Strategies.
However, these are invalid excuses when placed in the context of the threat that hackers pose to healthcare organizations today and the ease with which these organizations can implement MFA.
To start with, MFA will ask a user-specific question after an attempted login and the answer is typically not something hackers can generate on their own, making it a very effective tool for protecting data, even if the attacker has compromised user credentials.
Without MFA, healthcare organizations’ data is at high risk of hacking. Particularly during the coronavirus pandemic, credential theft activity has surged and the costs of getting hacked are only increasing. Davis noted that a recent patient fatality has been directly tied to a ransomware attack on a German hospital.
Yet despite such high stakes, providers remain stalled at the same percentage of conformity to national security standards as last year, with fewer than half of them in compliance with the NIST security framework standard.
“A lack of progress is a sign of regression [in security] because the hackers aren't waiting for us to catch up,” Davis stated.
Instead of waiting for the next cyberattack, healthcare organizations need to take immediate action.
Most security vendors will offer MFA, Davis noted, so finding a technology partner should not be difficult. Many healthcare organizations may not have to look beyond one of their current third-party security vendors.
Technology rollout in general can be challenging and is a major barrier to MFA usage among healthcare organizations.
However, for MFA, the implementation can be simple. Contrary to popular expectations, MFA does not require extra hardware. It is widely used outside of healthcare, so disruption to users may also be less than with the average technology introduction.
Experts have recommended a role-based implementation process, in which the most high-profile individuals in the organization start using MFA first and the rollout then continues down through the lower ranks.
Healthcare organizations can also combine MFA with a password vault. This enables them to invent complex, protective passwords without the fear of forgetting the password, as the passwords are managed directly on the workstation.