What Is Multi-Factor Authentication (MFA)?
Why You Should Be Investigating It For Your Medical Practice!

By Katie Nunn, MBA, CMPE

Multi-Factor Authentication, or MFA, sometimes referred to as two-factor authentication or 2FA, is a security enhancement that requires you to present two or more pieces of evidence of your identity when logging into an online account.  By now, most of us use this for at least one of our personal bank accounts.  You log in with your password, the website sends you a text message with a code, you enter that code, and voilà, you're in!  It is an extra step, but we do it, and it's usually pretty straightforward.

Why do we have to take this extra step with Multi-Factor Authentication?

Unfortunately, there are bad actors out there trying to get into systems and use the data in nefarious ways, and MFA is an effort to stop them.  Usernames and passwords are vulnerable to guessing attacks: automated tools cycle through common passwords, and through passwords leaked in other breaches (credential stuffing), so PASSWORD1 offers no protection and a password reused from another site is already at risk.  Long, unique passphrases have therefore become essential.  But a password that changes every three months and is so complicated you can't remember it isn't enough either: if it is phished or leaked, the attacker still walks straight in.

Now we must prove we are who we say we are with something beyond the password: something we have (a phone, an authenticator app, a hardware security key) or something we are (a fingerprint).  An attacker who guesses or steals the password still needs that second factor.  Codes sent by text message or email are not unbreakable; SIM-swapping and phishing pages that relay the code in real time can defeat them, so an authenticator app or a hardware key is the stronger choice.  Even so, any second factor is a large improvement over a password alone.  But is it necessary for a medical group to have multi-factor authentication?

The answer is YES, and here is why:

    1. Cyber attacks in healthcare are on the rise.  Patient data is very valuable, and as healthcare providers, we hold a lot of it.
    2. Healthcare is behind the technology curve.  We are still using fax machines to talk to each other, and that means our technology is older and easier to get into than that of other industries on the whole.  Furthermore, our staff is less tech-savvy than in other industries, so we are more vulnerable to phishing and spear-phishing attacks, which is exactly how passwords get stolen.
    3. Cyber liability insurers are starting to require it to grant coverage.  Because of the increase in attacks, cyber liability insurance premiums are going up considerably.  It is reasonable to expect that insurers will require baseline security controls such as MFA before they will insure medical groups.
    4. A cyber-attack can cripple, if not destroy, a medical practice.  The financial ramifications of being out of operation for days, weeks, or months are daunting, but that is only where the financial issues start when it comes to a breach.  HIPAA and HITECH regulations require notices to affected patients and often credit monitoring for affected patients, and those costs can be astronomical.

Where to start? 

The first place to start is with your EHR.  Some vendors have multi-factor authentication built into their systems already, and you may just need to turn it on.  However, this varies from vendor to vendor and depends on how your EHR is hosted: is your data in the vendor's cloud, or do you have physical servers on-site?

After checking with your EHR vendor, the next step is your IT department or IT vendor.  They should be able to help you price out and implement MFA, starting with the accounts that attackers target first: email, remote access such as VPN and remote desktop, and administrator accounts.

When you decide it’s time for your medical group or practice to take on new opportunities, let Bright Ideas Medical Consulting help you optimize each opportunity. Ready to get started? Let’s talk.