Multi-Factor Authentication for HIPAA Compliance
By Gil Vidals, , HIPAA Gmail, HIPAA Outlook

What it is, Common Objections, and Why to Insist on it

Though many healthcare organizations still consider it optional, two-factor authentication – also known as multi-factor authentication (MFA) – is an indispensable part of a secure environment, and key to protecting your medical data. 

“Wait,” you protest, “why would I want to add another step to my logon process? After all…”

Objection 1: “…We use strong passwords, isn’t that enough?”

Answer: Strong, complex passwords are essential – we insist on them at HIPAA Vault. Used alone, however, they still represent a single-point of failure. Think about it – you wouldn’t skydive from 30,000 feet with a single parachute and no reserve, right? What if it doesn’t open? By the same token, what consolation will a strong password be if it falls into the wrong hands, and your business falls splat because your data is gone?

Objection 2: “…we change our passwords regularly and this is just adding an extra step. We’re concerned that it’ll slow-down our workflows and efficiencies.”

Answer: Really? As much as a breach of your network and downtime would slow things down? Ask those who’ve been breached, lost all their data, paid huge fines, and even lost their business. It’s happened. As we’ll see, changing passwords is a good practice, but it won’t matter if your credentials get phished through social engineering, or your system is breached due to internal negligence or a disgruntled employee. Those too happen, far too often.

Objection 3: “…I’m a developer, and it’s not my job to add in this security piece. Besides, my client never asked for it.”

Answer: Go the extra step; become more security conscious and suggest it to your clients. It’s true they may not have asked for it, but why not suggest a best practice and put a lock on a potential Pandora’s box when you have the opportunity? (And to clients: You should insist on it!)

Lest you think the use of a second factor (MFA can actually entail 2 or more authentications) is more common than it is, a recent industry indicator might be helpful: Microsoft sent a wake-up call when their study revealed that a whopping 97% of Microsoft 365 users are not using any MFA at all.

Even worse, 78% of Microsoft 365 administrators had not activated multi-factor authentication as protection for their accounts. Especially when an administrator has control over an organization’s entire environment (more than a third of MS admins do), this can spell big trouble.

This brings up a related issue: Often a particular department in an organization will install some desired IT or SaaS application without the Admin’s knowledge. It happens. It’s important that these “shadow SaaS” applications be discovered and protected by MFA as well.

Microsoft went on to state that simply enabling MFA alone would have prevented the vast majority of successful attacks (99.9% of them), and that “MFA is considered the single most important measure to implement to prevent unauthorized account access.”

Multi-Factor Authentication – A Review

For those who may still be foggy about multi-factor authentication (hopefully not too many of you), let’s recap what it is, and the strong reasons you should be using it – especially if you’re in a healthcare-related field.

You know that a typical logon to your system requires a single sign-on for authentication (also called single-factor), requiring one username/password combination. The downside of this for HIPAA, however (or for any sensitive data for that matter) is that if anyone were to steal or crack these credentials – perhaps through a brute-force attack, typically done using automation tools to “guess” your password – they’d have full access to breach your data, install malware, or even completely disable your site. 

This is why a strong password only goes so far. (Just think how easy it would be to hack your system with a weak password – maybe even one duplicated from your employee’s personal accounts – and no MFA). It’s wise, therefore, to avoid a single-point-of-failure situation whenever possible.   

With Multi-Factor Authentication installed, you avoid this scenario by adding an extra layer of security in the sign-on process. This typically entails the entering of a token such as a pin or one-time passcode (OTP), which only you will have. (Think of entering your card into an ATM machine and then having to enter a pin). 

Note: The use of digital security tokens are better than physical ones (ie, a USB or RSA key chain), which can  be lost or stolen. A digital token gives you a uniquely generated code that disappears after 30 seconds. With Google Authenticator, for example, a one-time password is conveniently sent to your smartphone via SMS, e-mail, or QR code, with additional options available. 

MFA prevents an attacker from gaining access to your site even if they did happen to acquire your password. Again, it’s important to stress that MFA does not do away with the need for strong passwords. Strong passwords should always be insisted upon, as some phishing schemes have even allowed attackers to intercept SMS messages for codes.

MFA – Why you Should Use it

  • Compliance with HIPAA – You know that HIPAA requires policies and procedures for authorizing secure access to ePHI, so it makes sense to advocate for more than a single-point-of failure. The Department of Health and Human Services knew this when they began recommending the use of 2FA almost fifteen years ago.
  • Patient Safety – According to the American Medical Association, cybersecurity is now understood as a patient safety issue. Insecure systems can lead to exploitation of your patients, fines for HIPAA violations, potential lawsuits and legal proceedings, reputation loss, business loss… need we go on? Strengthen your security posture now with an integration-friendly solution that will help preserve the well-being of your patients and practice.
  • Remote access to systems is on the rise, spurred by a pandemic and the rise of connected devices. Since stolen identities account for the majority of data loss occurrences, insist that your remote workers use it; in fact, as a recent Data Breach Report suggests, “2FA everything you can.” Smartphones can easily be used for authentication through readily available apps through Authy, Google, and others.

Summary:

To be sure, no security can guarantee 100 percent effectiveness; yet MFA can significantly reduce the risk to both patients and organizations by accounting for “the human factor,” including errors in judgement and negligence. 

At HIPAA Vault, we use MFA 100% of the time. From the outset, we take care to walk all our authorized users through the process of logging in for the first time, and to have their individual device approved by our system administrators. This allows us to establish part of the authentication by establishing what the customer owns. Then, using unique usernames and passwords, the second factor of authentication can be verified.

HIPAA Vault is the leading provider of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Customers trust HIPAA Vault to mitigate risk, actively monitor and protect their infrastructure, and ensure that systems stay online at all times. In addition to providing secure infrastructure and compliance for health companies, HIPAA Vault provides a full array of HIPAA compliant cloud solutions, including secure email, HIPAA compliant WordPress, secure file sharing, and more.

Avatar photo

Gil Vidals is the president and CTO of HIPAA Vault. He is a passionate, subject matter expert on HIPAA compliance and the healthcare cloud, and co-host of the HIPAA Vault podcast. Since 1997, Gil’s mission has been to provide uncompromising and affordable HIPAA compliant hosting solutions to commercial and government clients, helping protect their sensitive health information from data breaches and security vulnerabilities. HIPAA Vault has been recognized as an Inc. 5000 company and a Clutch Top B2B company. He can be reached here on Linkedin.