Beginning in 2022, many business insurers have changed their policy requirements for Healthcare Providers to include Multi-Factor Authentication for all users and all applications with access to protected information. This covers not just your EHR, but also file storage, form repositories, email systems, HR systems, etc. Organizations that aren’t utilizing MFA are being charged significant premiums for cyber insurance, if the companies are willing to quote them insurance at all. This change in requirements stems from trends over the last decade in IT security where people, not systems, are the weakest link. This makes MFA more than just a “nice to have” product: going without it will directly affect your bottom line.
What makes staff the weakest link? According to Verizon, 67% of all breaches in 2020 were due to human error (loss of credentials, phishing, and social engineering), and HIPAA Journal attributes 82% of all healthcare incidents reported in December 2020 to human error. Depending on your source the numbers may differ slightly, but all security reports agree that the overwhelming majority of breaches occur due to human error. Staff circumvent or “game” password policies, producing passwords that are easy to guess or hack. Untrained staff fall for targeted phishing attempts where they outright give their credentials away. And frequently the same password is reused across multiple systems, so if one of those systems has been previously breached, that password is exposed.
This is where MFA comes in. MFA requires staff to KNOW a thing and HAVE a thing in order to gain access to critical systems. In most cases “knowing” is simply a username/password combo and “having” is access to a smartphone. With this smartphone, the user can utilize applications or text message pushes to confirm their identity when they are logging in to their system.
Multi-Factor Authentication (or MFA for short) has evolved and become less obtrusive over the last decade. Single sign-on integration can remember your credentials from one application and carry them into other applications throughout your session. Additionally, these session durations can be defined in hours, days, weeks or months. These enhancements make layering MFA less obtrusive to normal daily workflow, and a real value add to your organization. With the cost of breaches and insurance skyrocketing, the addition of this simple technology will help to reduce your risk by better protecting you from your weakest link . . . your people!