In the new age of technology, everyone has had that moment where they forgot their password. What not everyone has had is the moment when someone steals their password. Knowing that your account is compromised is a very scary thing. It is even more frightening when the account holds sensitive information, like your bank account or, even worse, an application with Personal Health Information (PHI).
Multi-Factor Authentication (MFA) can ease the nervousness around situations like the one I just described by providing an additional hurdle for cybercriminals. There are four main types of MFA. The first is “Something You Have”. This is the one most people are familiar with: when logging in, you receive a text message on your phone and must enter the code you received. The second type is “Something You Know”. Many are also familiar with this, as they have to enter a memorized PIN or answer a question like “Where were you born” every time they log in. The third is “Something You Are”, which commonly uses your fingerprint, voice or even your role to determine whether you gain access to a system. Finally, the last type of MFA is “Somewhere You Are”: access can be allowed or disallowed based on your location. If someone is in a Starbucks trying to log in as you, it won’t work.
Multi-factor authentication can be annoying because you want to log in, you need to log in, and you now must wait an extra few seconds for a text message to come in, then enter the code from the message. It can be a pain, but it is also highly effective in thwarting criminals, and it is fast becoming a standard security practice in the new reality of 2020. If an account is compromised, there can be serious ramifications, especially if PHI is available once the account is logged in. However, with the protection of MFA, the malicious party would need to have the physical device in hand to receive the text message code, or know the answer to “Where were you born”, or have your fingerprint, etc.
Taking those extra few seconds to log in using Multi-Factor Authentication can mean a world of difference to your security footprint. A few seconds can mean the difference between a HIPAA breach and just having to reset your password and call your IT partner about suspicious activity.
HIPAA does not currently require MFA; however, it strongly recommends its use for electronic personal health information (ePHI). Utilizing MFA services from Duo or Microsoft, vcpi can reduce the risk of unauthorized access to your EHR system. Those platforms mitigate the risk of out-of-date devices accessing your EHR systems and spreading malware by checking the security health of every device at login. If a device doesn’t pass the health check, it is not allowed in, which helps make sure the environment is safe and secure.
If you have questions or want to learn more about MFA, please reach out!