On Aug. 10, 2023, the Health Sector Cybersecurity Coordination Center (HC3) published new guidance on multifactor authentication (MFA). The guidance breaks down why MFA is a crucial security measure, explains how issues can arise from MFA use, and describes how threat actors can circumvent the security measure to gain access to your organization’s network.

MFA involves three factors to authenticate the user: something someone knows; something someone has; and something that is unique to the user. Implementing MFA makes it more difficult for threat actors to gain unauthorized access to the user’s account, your healthcare network, and your organization’s protected data. MFA differs from two-factor authentication (2FA) in that 2FA requires the user only to prove their identity twice, whereas MFA requires two or more forms of authentication to prove the user’s identity.

Common forms of MFA authentication include:

HC3 noted that an MFA system equipped with artificial intelligence (AI) can help bolster an organization’s security and lower its risk. “AI-based systems are more effective at detecting and stopping fraud and can also be used to verify the identity of users in real-time. This method will make it much more difficult for hackers to gain access to sensitive information,” HC3 wrote in the guidance.

The agency did recognize the effectiveness of phishing and smishing attacks in bypassing MFA protections. One attack method is an MFA fatigue attack. This occurs when a user is sent multiple MFA push notifications, with the threat actor hoping the recipient will approve one of the login requests, which will provide the attacker with access to the account.

The healthcare industry continues to be a prime target for cyberthreat actors, which is why it’s critical to secure and protect sensitive data. HC3 lists the benefits of MFA as:
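
For the MFA fatigue attack described above, one way a defender could flag it in authentication logs is to look for repeated denied or timed-out pushes to one user inside a short window, and especially for an approval that follows such a burst. This is an added example, not part of the HC3 guidance or the original article; the log format, field names, threshold and window are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format, not from any real product).
SAMPLE_LOG = """\
2023-08-10T02:14:05Z user=jdoe event=mfa_push result=denied
2023-08-10T02:14:40Z user=jdoe event=mfa_push result=timeout
2023-08-10T02:15:10Z user=jdoe event=mfa_push result=denied
2023-08-10T02:15:55Z user=jdoe event=mfa_push result=timeout
2023-08-10T02:16:30Z user=jdoe event=mfa_push result=approved
2023-08-10T08:01:00Z user=asmith event=mfa_push result=approved
2023-08-10T09:00:00Z user=bnurse event=mfa_push result=denied
2023-08-10T09:00:30Z user=bnurse event=mfa_push result=denied
2023-08-10T09:01:00Z user=bnurse event=mfa_push result=timeout
2023-08-10T13:30:00Z user=bnurse event=mfa_push result=approved
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) event=mfa_push result=(denied|timeout|approved)$")

def detect_push_fatigue(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return (user, time, severity, count) findings, in log order."""
    recent = defaultdict(deque)   # user -> times of unapproved pushes in window
    alerted = set()               # users already flagged for the current burst
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # ignore lines that are not push events
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        user, result = m.group(2), m.group(3)
        q = recent[user]
        while q and ts - q[0] > window:
            q.popleft()           # drop pushes older than the window
        if not q:
            alerted.discard(user) # previous burst has aged out
        if result == "approved":
            if len(q) >= threshold:
                findings.append((user, ts, "approved-after-burst", len(q)))
            q.clear()
            alerted.discard(user)
        else:
            q.append(ts)
            if len(q) >= threshold and user not in alerted:
                findings.append((user, ts, "push-burst", len(q)))
                alerted.add(user)
    return findings
```

An `approved-after-burst` finding is the case that warrants immediate session review, since the approval may have been given to stop the prompts; a `push-burst` alone indicates that the user's first factor is likely already known to someone else.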