Congratulations to tw-Security—2024 Best in KLAS® Security & Privacy Services!

We're #1! Thank you to all our partners and customers!

Feds Urge Healthcare Providers, Vendors to Use Strong MFA

HIPAA-Covered Entities, Third Parties Reminded to Avoid Authentication Mistakes


… “Healthcare is lagging when it comes to fully adopting multifactor authentication,” said Tom Walsh, president of privacy and security consultancy tw-Security. “Some of this could be because of legacy applications and systems that do not support MFA,” he told Information Security Media Group.

But clinicians’ resistance to using multifactor authentication is not as big of a deterrent to implementing MFA in healthcare environments as it was in the past, he said. “Most people are already using MFA for other personal accounts such as online banking. I think the lag in implementing MFA comes down to resources – money, time and qualified staff to implement MFA.”

… According to Walsh, one of the most commonly used MFA techniques in healthcare sends a six-digit code via SMS text message or email to a mobile device. “This is probably the least secure,” he warned. Other MFA requires some type of authenticator app that has to be loaded on a smartphone, he said. Also, “there is still the old-school physical token – for example, RSA SecurID – which tends to be a little more secure than relying on a mobile device, which can be lost or stolen,” he said.

… Walsh suggested that healthcare sector entities consider integrating password vaults with MFA. Also, “passwordless authentication is probably in the future but we haven’t seen it implemented in healthcare,” he said.

But the bottom line, he added, is that “any MFA is probably better than no MFA.”


For more information or to schedule a FREE initial consultation – contact tw-Security.