Data breaches aren’t just headaches for provider organizations; they’re expensive as well. In IBM’s 2018 Cost of a Data Breach Report by the Ponemon Institute, released earlier this year, the cost of a breach for any industry was set at $408 per record, with the average cost coming in at $3.86 million for an organization, a 6.4 percent spike from last year.
Pair this with the fact that healthcare records often fetch more on the black market than other forms of data, and healthcare organizations become a profitable target for hackers. Cyberthreats are proving to be immensely costly for providers everywhere.
As data breaches in healthcare persist, multifactor authentication, which relies on multiple factors to prove identity, could help close the gaps in security, shoring up defenses and preventing breaches, alongside other cybersecurity best practices.
In fact, according to the Annual Report to Congress on the Federal Information Security Management Act, up to 65 percent of cybersecurity incidents could have been prevented with strong MFA.
What Is Multifactor Authentication?
Passwords can be an easy target for hackers, particularly with the emergence of new methods such as password spray attacks and phishing, which involve social engineering to exploit loopholes in security systems. This is where multifactor authentication methods can step in to provide an extra level of identification security.
“MFA requires users to submit a combination of factors — at least two — to authenticate their identity and gain access to a computer or device,” explains Wes Wright, CTO at security provider Imprivata. “The factors fall into three categories: something you are (like a fingerprint biometric), something you have (a mobile device) and something you know (a username and password).”
A typical two-factor authentication combination would be a username and password from the user, as well as a token code generated by the user’s smartphone, Wright explains. Many solutions also employ biometric tools, which sense unique physical characteristics, such as fingerprint or retina scanners.
What Are the Benefits of Multifactor Authentication?
The main benefit of MFA methods is that they decrease reliance on passwords, which can be a relatively hackable form of identification when used alone. Moreover, phishing attacks are still one of the top threats to healthcare organizations, according to a survey released by HIMSS earlier this year, making the push away from passwords more pressing.
“MFA tremendously improves security, which is why you see a huge push to make sure that all elevated privilege accounts are not accessible without using some type of MFA,” says Wright.
But improved security isn’t the only benefit of MFA. The technology can also benefit staff, particularly when it comes to improving clinician workflow. For example, in 2014, Evanston, Ill.-based NorthShore University HealthSystem deployed Imprivata’s Confirm ID MFA solution, which uses a fingerprint reader integrated with the electronic health record, for electronic prescribing of controlled substances and saw an enthusiastic response from staff.
“Doctors were excited about this project because it makes their workflow easier and makes things easier for patients,” Meredith Sefa, NorthShore’s assistant vice president for application services, tells HealthTech.
Moreover, MFA can even be a window to the world of password-free authentication. Already, Microsoft has been able to achieve a pseudo-passwordless state for its users by deploying many of its own MFA solutions internally.
Key Considerations for an MFA Solution
MFA certainly improves security and workflow, but authentication itself, though necessary, can sometimes prove burdensome for clinicians and staff.
“Within EpicCare alone, there are more than 40 clinical workflows that may require users to authenticate,” explains Wright. “These include witnessing medication wasting, blood administration, anesthesia attestation and others.”
For this reason, adding layers of security could potentially create inefficiencies, Wright explains, noting that there are a number of factors providers should consider to ensure the solution doesn’t “frustrate users, impede workflow or create barriers to patient care.”
He lays out the factors below as key considerations:
- Extensibility to meet all present and future authentication needs, inside and outside the hospital
- Security balanced with convenience to enable — not impede — patient care through:
  - Embedded authentication workflows that tightly integrate with the EHR and other applications, medical devices, remote access gateways, virtual desktop platforms, and other systems
  - Flexible, comprehensive portfolio of authentication methods
- Compliance with the highest standards regulating care, such as the DEA requirements for electronic prescriptions for controlled substances
- A platform built specifically for healthcare and its unique workflow needs
How to Overcome Cultural Barriers to an MFA Implementation
While MFA systems are simple enough to integrate from an IT perspective, Wright notes that, as with many IT implementations, the culture is “where the hard work starts.”
“Unless you choose your MFA system wisely, you will be adding an additional step to the login process, which your clinical and business partners won’t be thrilled with. Therefore, as an IT professional, it’s up to us to communicate the ‘why’ of using MFA,” says Wright.
When seeking to communicate the importance of these systems, it helps to point to many of the recent breaches that have affected healthcare organizations and the impact these breaches have on the organizations themselves.
What’s most important, however, is that the implementation is seen as a collaboration between IT and staff in order to create a more secure healthcare environment.
“Your clinical and business partners should feel as if they’re making the MFA journey with the IT organization, not having something, once again, done to them by IT.”
As providers begin to overcome cultural barriers, eventually MFA will likely become the norm when it comes to healthcare authentication.
“Going forward, you’ll see 2FA and MFA playing the same role they play today: moving toward a password-free environment. The difference being, the lack of 2FA and MFA will be the exception, whereas today, those with 2FA and MFA are the exception,” says Wright.