Tech & Innovation in Healthcare


Don’t Rest on MFA Protections

Question: Our IT team requires us to use multifactor authentication (MFA) for all logins throughout our healthcare organization. I understand the need for added security measures, but several staff members have complained of the need for MFA when they need to access multiple systems throughout the workday.

Aside from protection, why do we need to use MFA so much in healthcare?

RCI Subscriber

Answer: Implementing MFA in your healthcare organization certainly helps protect the sensitive information on your network from falling into the wrong hands, but it also helps users develop healthy habits for accessing different systems.

Cyberthreat actors prey on a user’s exhaustion from receiving multiple MFA texts, phone calls, or emails to gain access to the user’s account. This tactic is known as MFA fatigue, MFA spamming, MFA prompt spamming, or MFA bombing.

Typically, the threat actor already has the user’s login credentials and bombards the user with MFA prompts or text messages until the user, fed up, approves one of the requests. That single approval gives the attacker access to the user’s account.
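The pattern described above (a burst of push prompts the user denies or ignores, followed by one approval) is visible in authentication logs, and an IT team can alert on it. The following Python script is an added illustration, not code from the column or from AAPC: it runs a sliding-window detector over a few constructed log lines whose field layout is an assumption, flags accounts that received repeated unapproved prompts in a short window, marks the dangerous case where an approval followed the burst, and suggests the response the column describes (reset the password, revoke sessions, notify the user).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). The field layout
# "ts user= event= result= src=" is an assumption made for this example.
SAMPLE_LOG = """\
2024-05-01T02:10:05Z user=jdoe event=mfa_push result=denied src=203.0.113.7
2024-05-01T02:10:41Z user=jdoe event=mfa_push result=denied src=203.0.113.7
2024-05-01T02:11:19Z user=jdoe event=mfa_push result=timeout src=203.0.113.7
2024-05-01T02:12:02Z user=jdoe event=mfa_push result=denied src=203.0.113.7
2024-05-01T02:12:50Z user=jdoe event=mfa_push result=denied src=203.0.113.7
2024-05-01T02:13:30Z user=jdoe event=mfa_push result=approved src=203.0.113.7
2024-05-01T08:00:10Z user=asmith event=mfa_push result=approved src=198.51.100.4
2024-05-01T12:30:00Z user=asmith event=mfa_push result=approved src=198.51.100.4
2024-05-01T09:15:00Z user=bnguyen event=mfa_push result=denied src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=mfa_push "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Parse the constructed log format into (timestamp, user, result, src) tuples, sorted by time."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not MFA push events
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["result"], m["src"]))
    events.sort(key=lambda e: e[0])
    return events


def find_mfa_fatigue(log_text, window=timedelta(minutes=10), threshold=4):
    """Flag users who received >= threshold unapproved prompts inside `window`.

    Returns {user: {"prompts": n, "approved_after_burst": bool, "src": set()}}.
    `approved_after_burst` is the outcome the column warns about: the user
    finally tapped Approve while the burst was still running.
    """
    findings = {}
    recent = defaultdict(deque)  # user -> timestamps of unapproved prompts in window
    for ts, user, result, src in parse(log_text):
        q = recent[user]
        while q and ts - q[0] > window:
            q.popleft()  # drop prompts that fell out of the sliding window
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= threshold:
                f = findings.setdefault(
                    user, {"prompts": 0, "approved_after_burst": False, "src": set()}
                )
                f["prompts"] = max(f["prompts"], len(q))
                f["src"].add(src)
        elif result == "approved":
            # An approval within the window of a flagged burst is the bad outcome.
            if user in findings and q and ts - q[-1] <= window:
                findings[user]["approved_after_burst"] = True
    return findings


def response_plan(findings):
    """Map each finding to the automated response the column suggests for at-risk users."""
    plan = {}
    for user, f in findings.items():
        actions = ["reset_password", "notify_user"]
        if f["approved_after_burst"]:
            # The account may already be in use by the attacker: cut live sessions too.
            actions.insert(1, "revoke_sessions")
        plan[user] = actions
    return plan


if __name__ == "__main__":
    hits = find_mfa_fatigue(SAMPLE_LOG)
    for user, f in hits.items():
        print(user, f, "->", response_plan(hits)[user])
```

The window and threshold are tunable; a clinician who legitimately denies one stray prompt (bnguyen above) is not flagged, while five unapproved prompts in three minutes followed by an approval (jdoe) is.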

Using MFA processes multiple times per day may be tiresome, especially in healthcare settings where you need to access emails, electronic health records (EHRs), and web-based time clocks, but taking the extra step each time will help protect your patients’ data. Safeguard your organization’s information with the following MFA best practices:

  • Number matching: The user types in a specific code provided via a text message or an authenticator app.
  • Context displays: A screen appears on a physical device, such as a smartphone, with additional information like IP address, location, and operating system. The user must confirm the information to complete the login.
  • Automate password changes: Users who are receiving repeated MFA approval requests from bad actors are considered at risk of a breach. IT teams can automatically generate new passwords for the users to reduce the risk and help stop malicious entities in their tracks.
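To show why number matching and context displays defeat a fatigued "just tap Approve" response, here is an added Python example of a number-matching push flow; it is illustrative code written for this column, not the product of any vendor the column mentions. Assumptions: the login server shows a two-digit number that must be typed into the authenticator, each challenge is single-use and expires after a short TTL, and the context (IP address, location, operating system) is stored with the challenge so the device can display it. A simulated blind approval that guesses the number succeeds only about 1% of the time.

```python
import secrets
import time


class NumberMatchingMFA:
    """Number-matching push approval with a context display (hypothetical design)."""

    def __init__(self, ttl_seconds=60, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self.ttl = ttl_seconds
        self._pending = {}       # challenge_id -> (user, number, context, expires_at)

    def start_login(self, user, context):
        """Called after the password check passes. Returns (challenge_id, number).

        The number is shown on the login screen; the user must type it into the
        authenticator, so an unsolicited prompt cannot be approved by a blind tap.
        """
        challenge_id = secrets.token_hex(8)
        number = secrets.randbelow(100)  # two-digit challenge, zero-padded on display
        self._pending[challenge_id] = (user, number, dict(context), self._now() + self.ttl)
        return challenge_id, number

    def pending_context(self, challenge_id):
        """What the authenticator shows beside the number prompt (IP, location, OS)."""
        entry = self._pending.get(challenge_id)
        return None if entry is None else dict(entry[2])

    def approve(self, challenge_id, entered_number):
        """Approve only if the challenge exists, has not expired, and the number matches.

        The challenge is consumed on the first attempt, right or wrong, so a
        user (or attacker) cannot keep guessing against the same prompt.
        """
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False
        _user, number, _context, expires_at = entry
        if self._now() > expires_at:
            return False
        try:
            entered = int(entered_number)
        except (TypeError, ValueError):
            return False
        return secrets.compare_digest(f"{number:02d}", f"{entered:02d}")


def blind_approval_rate(trials=2000):
    """Fraction of prompts approved by a fatigued user who taps a random number."""
    mfa = NumberMatchingMFA()
    successes = 0
    for _ in range(trials):
        cid, _shown = mfa.start_login("jdoe", {"ip": "203.0.113.7"})
        if mfa.approve(cid, secrets.randbelow(100)):
            successes += 1
    return successes / trials


if __name__ == "__main__":
    mfa = NumberMatchingMFA()
    cid, shown = mfa.start_login(
        "jdoe", {"ip": "203.0.113.7", "location": "Unknown", "os": "Windows"}
    )
    print("device shows:", mfa.pending_context(cid))
    print("login screen shows number:", f"{shown:02d}")
    print("approve with matching number:", mfa.approve(cid, shown))
    print("blind approval success rate:", blind_approval_rate())
```

The context display is what lets a user recognize a prompt they did not initiate (an unfamiliar IP address or city), and number matching makes that recognition matter: without the number from the login screen, the prompt cannot be completed.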

Mike Shaughnessy, BA, CPC, Development Editor, AAPC