
Strengthening Security: The Importance of Multi-Factor Authentication in Healthcare


The digital landscape is ever-evolving, as are the tactics employed by cybercriminals seeking unauthorized access to valuable information held within. In response, organizations across most industries, especially the technology sector, have adopted Multi-Factor Authentication (MFA) to fortify their security measures. 

The security and privacy of patient information are of utmost importance in the healthcare industry. However, the nature of the industry’s data protection requirements often creates complexities. The modernization of healthcare technology has made exchanging patient information among providers much quicker and simpler, but it has also created additional methods for unauthorized users to gain access to this same information. According to Global Data Systems, “Healthcare is the most targeted industry for cyberattacks because the black-market value of medical data is exceptionally high.” Under these circumstances, for healthcare technology to continue advancing, the industry needed a secure solution that protected healthcare data and allowed authorized access.

Don Kleoppel, Chief Information and Security Officer of Greenway Health

The most effective defense against cyberattacks thus far is Multi-Factor Authentication (MFA), an authentication method that requires users to provide multiple credentials to verify their identity. It adds a layer of security on top of the traditional username-password combination. MFA typically combines factors such as something the user knows (e.g., a password), something the user has (e.g., a smartphone or token), or something the user is (e.g., biometric data like fingerprints or facial recognition), according to IS Decisions.

By implementing MFA in healthcare settings, organizations can significantly reduce the risk of unauthorized access to patient data. Even if a user’s password is compromised, the additional authentication factors make it much more challenging for unauthorized individuals to gain access to sensitive medical information. MFA provides an added layer of security, ensuring that only authorized personnel can access electronic health records (EHRs).

An added bonus of MFA is that HIPAA recognizes it as a “reasonable and appropriate” security measure that should be implemented if a covered entity or business associate conducts a risk assessment and identifies vulnerabilities that MFA could address. Furthermore, the use of MFA has been championed as “one of the best methods of protecting ePHI [electronic protected health information] against phishing attacks” in a recent post by HIPAA Journal.

While MFA has proven very effective in protecting users’ privacy, some tech companies have claimed that not all MFA methods are completely invincible against cybercrime. For example, Twitter announced earlier this year that it would be removing one of its three offerings of MFA methods after it claimed to have seen phone-number-based MFA be used – and abused – by “bad actors.” The tech company added that it would “no longer allow accounts to enroll in the text message/SMS method of MFA unless they are Twitter Blue subscribers.” The company has undergone major policy changes since early 2022 when Elon Musk purchased it and turned his efforts towards cutting costs, such as the cost of text message/SMS MFA.

By offering a secure additional layer of protection, multi-factor authentication effectively combats the uptick in phishing attacks on the healthcare industry and upholds the trust between healthcare organizations and their patients through the shared knowledge of MFA’s enhanced security measures. As technology modernizes and cyber threats evolve, healthcare organizations must actively adopt security measures like multi-factor authentication to ensure the safety and confidentiality of their patient data while protecting the integrity of the whole healthcare system.