Multi-factor authentication for HIPAA compliance: What it is, common objections, and why to insist on it

Though many healthcare organizations still consider it optional, two-factor authentication - also known as Multi-Factor Authentication (MFA) - is an indispensable part of a secure environment, and key to protecting your medical data.

“Wait,” you protest, “why would I want to add another step to my logon process? After all...”

Objection 1: “...We use strong passwords, isn’t that enough?”

Answer: Strong, complex passwords are essential - we insist on them in IT as a rule. Used alone, however, they still represent a single-point-of-failure. Think about it - you wouldn’t skydive from 30,000 feet with a single parachute and no reserve, right? What if it doesn't open? By the same token, what consolation will a strong password be if it falls into the wrong hands, and your business falls splat because your data is gone?

Objection 2: “...we change our passwords regularly and this is just adding an extra step. We’re concerned that it'll slow-down our workflows and efficiencies.”

Answer: Really? As much as a breach of your network and downtime would slow things down? Ask those who’ve been breached, lost all their data, paid huge fines, and even lost their business. It’s happened. As we’ll see, changing passwords is a good practice, but it won’t matter if your credentials get phished through social engineering, or your system is breached due to internal negligence or a disgruntled employee. Those too happen - far too often.

Objection 3: “...I’m a developer, and it’s not my job to add in this security piece. Besides, my client never asked for it.”

Answer: Go the extra step - become more security conscious and suggest it to your clients. It’s true they may not have asked for it, but why not suggest it to them as a best practice and put a lock on Pandora’s box when you have the opportunity? (Note to clients: You should insist on it!)

Lest you think the use of a second factor (MFA can entail 2 or more authentications) is more common than it is, a recent industry indicator might be helpful: Microsoft sent a wake-up call when their study revealed that a whopping 97% of Microsoft 365 users are not using any MFA at all.

Even worse, 78% of Microsoft 365 administrators had not activated multi-factor authentication as protection for their accounts. Especially when an administrator has control over an organization’s entire environment (more than a third of MS admins do), this can spell big trouble.

This brings up a related issue: Often a particular department in an organization will install some desired IT or SaaS application without the Admin’s knowledge. It happens. It’s important that these “shadow SaaS” applications be discovered and protected by MFA as well.

Microsoft went on to state that simply enabling MFA alone would have prevented the vast majority of successful attacks (99.9% of them), and that “MFA is considered the single most important measure to implement to prevent unauthorized account access.”

Multi-Factor Authentication - A Review

For those who still may be foggy about multi-factor authentication (hopefully not too many of you), let’s recap what it is, and the strong reasons you should be using it - especially if you’re in a healthcare-related field.

You know that a typical logon to your system requires a single sign-on for authentication (also called single-factor), requiring one username/password combination. The downside of this for HIPAA, however (or for any sensitive data for that matter) is that if anyone were to steal or crack these credentials - perhaps through a brute-force attack, typically done using automation tools to “guess” your password - they’d have full access to breach your data, install malware, or even completely disable your site.

This is why a strong password only goes so far. (Just think how easy it would be to hack your system with a weak password - maybe even one duplicated from your employee’s personal accounts - and no MFA). It’s wise, therefore, to avoid a single-point-of-failure situation whenever possible.

With Multi-Factor Authentication installed, you avoid this scenario by adding an extra layer or more of security in the sign-on process. This typically entails the entering of a token such as a pin or one-time passcode (OTP), which only you will have - like entering your card into an ATM machine and then having to enter a pin.

Note: The use of digital security tokens are better than physical ones (i.e., a USB or RSA key chain), which can be lost or stolen. A digital token gives you a uniquely generated code that disappears after 30 seconds. With Google Authenticator, for example, a one-time password is conveniently sent to your smartphone via SMS, e-mail, or QR code, with additional options available.

MFA prevents an attacker from gaining access to your site even if they did happen to acquire your password. Again, it’s important to stress that MFA does not do away with the need for strong passwords. Strong passwords should always be insisted upon, as some phishing schemes have even allowed attackers to intercept SMS messages for codes.

MFA - Why you Should Use it

Compliance with HIPAA - You know that HIPAA requires policies and procedures for authorizing secure access to ePHI, so it makes sense to advocate for more than a single-point-of failure. The Department of Health and Human Services knew this when they began recommending the use of 2FA almost fifteen years ago.
Patient Safety - According to the American Medical Association, cybersecurity is now understood as a patient safety issue. Insecure systems can lead to exploitation of your patients, fines for HIPAA violations, potential lawsuits and legal proceedings, reputation loss, business loss... need we go on? Strengthen your security posture now with an integration-friendly solution that will help preserve the well-being of your patients and practice.
Safer Remote Working - Remote access to systems is on the rise, spurred by a pandemic and the rise of connected devices. Since stolen identities account for the majority of data loss occurrences, insist that your remote workers use it; in fact, as a recent Data Breach Report suggests, “2FA everything you can.” Smartphones can easily be used for authentication through readily available apps through Authy, Google, and others.

MFA is the Answer

To be sure, no security can guarantee 100 percent effectiveness; yet MFA can significantly reduce the risk to both patients and organizations by accounting for “the human factor,” including errors in judgement and negligence.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.