Apr 08 2024

MFA Fatigue: A Growing Headache for Healthcare (and How to Combat It)

What happens when your healthcare teams grow tired of multifactor authentication processes? Try these tips to combat MFA fatigue.

We all know that multifactor authentication is a must-have to defend against cyberattacks in healthcare. But what happens when those extra layers of security start to wear people down? That’s where the concept of MFA fatigue comes in. It’s the frustration that users feel when they’re hit with repeated MFA prompts, and attackers are ready to exploit this.

Why Healthcare Workers Are Prime Targets for Cyberattacks

Healthcare workers are, unfortunately, a favorite target for malicious actors for a few reasons. First, healthcare data is incredibly valuable; it contains personal health information and financial details that can be sold on the black market. Second, the fast-paced nature of healthcare environments can lead to employees being more susceptible to phishing attempts.

What Can We Do About It?

The good news is that you don’t have to choose between frustrating your staff and leaving the door open to hackers. Here are some key considerations for fighting MFA fatigue.

Get smarter with risk-based authentication. Not every login needs MFA. Adapt your process to risk level. Low-risk actions shouldn't need an MFA prompt, which saves your staff hassle.

Underscore the need for education. People are your first line of defense. Teach your staff the value of MFA, how to identify suspicious requests (even when they just want to make the alerts stop) and why healthcare is such a tempting target for cyberattacks.

Consider FIDO2. Look into advanced standards, such as FIDO2, that use security keys or built-in biometrics. These are harder to fake and less annoying for users.

Rethink push notifications. They’re the simplest to set up but the easiest to abuse. Explore alternatives, such as one-time codes or hardware tokens.

Have a plan for when attacks happen. Train staff on how to report attacks related to MFA fatigue. Swift action can drastically limit the damage.

Offer clear explanations. Give context with MFA requests, such as device or location. A little information helps people make better decisions.

Don’t MFA them into oblivion. Adapt the frequency of prompts based on user history to limit unnecessary ones.
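
To support the reporting and swift-response tips above, the sketch below flags a burst of unanswered or denied push prompts for one user and escalates when an approval follows the burst. It is an added example, not code from the original article; the log fields, outcome labels, sample users and the 5-minute/4-prompt thresholds are assumptions to tune for your own identity provider's logs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample push-MFA log: (ISO timestamp, user, outcome).
SAMPLE_EVENTS = [
    ("2024-04-08T02:10:00", "nurse.a", "denied"),
    ("2024-04-08T02:10:40", "nurse.a", "timeout"),
    ("2024-04-08T02:11:15", "nurse.a", "denied"),
    ("2024-04-08T02:12:05", "nurse.a", "timeout"),
    ("2024-04-08T02:12:50", "nurse.a", "approved"),  # gives in after the burst
    ("2024-04-08T08:00:00", "dr.b", "approved"),     # normal morning login
    ("2024-04-08T08:30:00", "dr.b", "timeout"),      # single missed prompt
    ("2024-04-08T13:00:00", "dr.b", "approved"),
]
UNAPPROVED = {"denied", "timeout"}  # assumed outcome labels

def find_push_fatigue(events, window=timedelta(minutes=5), threshold=4):
    """Alert when a user gets `threshold` or more unapproved push prompts
    inside `window`; escalate if an approval arrives while the burst is
    still open (the pattern a fatigued user produces)."""
    recent = defaultdict(deque)  # user -> timestamps of unapproved prompts
    open_alert = {}              # user -> alert for the burst in progress
    alerts = []
    for ts_raw, user, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        q = recent[user]
        while q and ts - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if not q:
            open_alert.pop(user, None)   # previous burst has aged out
        if outcome in UNAPPROVED:
            q.append(ts)
            if len(q) >= threshold:
                alert = open_alert.get(user)
                if alert is None:
                    alert = {"user": user, "start": q[0].isoformat(),
                             "prompts": 0, "severity": "burst"}
                    open_alert[user] = alert
                    alerts.append(alert)
                alert["prompts"] = max(alert["prompts"], len(q))  # peak in window
        elif outcome == "approved":
            if user in open_alert:
                open_alert.pop(user)["severity"] = "approved_after_burst"
            q.clear()
    return alerts

if __name__ == "__main__":
    for a in find_push_fatigue(SAMPLE_EVENTS):
        print(a)
```

An `approved_after_burst` alert is the one to route to the incident plan first, since it means a prompt was accepted right after repeated refusals.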

Combatting MFA Fatigue Is Not Just About the Tech

Ultimately, it's a balancing act. MFA fatigue highlights the fact that good cybersecurity isn’t just technical; it's about making security work with your staff, not against them.

Harry Campbell/Theispot
