IT Focus: Building MFA into the Workflow

Jul 18, 2023 at 10:21 am by kbarrettalley

By Jane Ehrhardt

“It’s not an option as to whether you use MFA or not under HIPAA. If it’s available and you don’t use it, you’ve got problems,” says Russ Dorsey, CIO with Kassouf & Co. Multifactor authentication (MFA) requires a user to present two or more independent credentials to verify their identity before gaining access to a device or application.

The multifactor refers to the distinct kinds of evidence a user can present. The three classic factors are knowledge, something only the user knows, such as a password; possession, something only the user has, such as a phone or hardware fob that receives or generates a code; and inherence, something the user is, verified by face recognition or a fingerprint. Two further categories are often counted: behavior, like drawing a pattern on a screen, and location, such as signing in from the clinic's own network. A factor only adds security if it is independent of the others; a password and a code delivered to the same compromised device are not really two factors.

“Implementing MFA is also key to cyberinsurance,” says Ed Lawrence, chief technology officer with Simplified Medical Management. “If you don’t use it, it can dramatically increase your premiums. Even worse, claiming to use MFA, but not implementing it means the insurer will not pay resulting claims.

“We still see practices that don’t implement MFA at all because it’s a disruption, especially in healthcare, where providers need to move throughout the facility, making it a pain to retype in credentials and one-time passwords (OTP) every time the provider enters another exam room.”

But other measures can be taken to shore up exposure points and lessen the need for continuous MFA usage. “If it’s a big inconvenience as you go in and out of rooms, it would be appropriate to say, while I’m in the clinic, all I need is my username and password,” Dorsey says.

This would allow access to the EMR or devices only while in the clinic. Users would then need to enter the one-time code sent to their phone or fob just once or twice a day, because the geolocation authentication replaces that OTP step. “Then they’re good for eight hours. All you need is your user name and password from then on,” Dorsey says, though he suggests a second OTP sign-in after lunch.

Limiting access by time of day also shrinks the exposure window. This is accomplished, for example, by not allowing log-ins to the EMR or admin files during certain hours and by blocking webmail sign-ins that originate overseas: a geofilter on webmail limits where logins can come from to within the US, or even to the clinic itself. “Office 365 has some of these options, and IT vendors know how to turn that on,” Dorsey says. “These things minimize that footprint, so users don’t have to hit those codes every 10 minutes.”
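The workflow Dorsey describes, full MFA once or twice a day and then password only while the user stays inside the clinic and inside working hours, is a step-up policy that a directory or identity provider evaluates on every sign-in. The following is an added example of that decision logic, written for this page and not drawn from the article or from any vendor's product. Everything in it is assumed for illustration: the clinic's address space (203.0.113.0/24, a documentation-only range), a 7:00 to 19:00 clinic day, an eight-hour lifetime for a completed OTP step, and a 13:00 midday re-check standing in for the "second OTP sign-in after lunch". Real deployments express the same rules in the identity provider's conditional-access policy rather than in application code.

```python
"""Step-up authentication policy for an on-site clinic workflow (added example).

All thresholds and network ranges below are assumptions for illustration,
not values from the article or from any real clinic.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

CLINIC_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed; TEST-NET-3
CLINIC_HOURS = (7, 19)                 # assumed: sign-ins allowed 07:00-18:59
STRONG_AUTH_LIFETIME = timedelta(hours=8)  # "then they're good for eight hours"
MIDDAY_RECHECK_HOUR = 13               # assumed hour for the post-lunch OTP


@dataclass
class Session:
    user: str
    # When the user last completed the OTP/TOTP step; None if never today.
    last_strong_auth: Optional[datetime]


def on_clinic_network(source_ip: str) -> bool:
    """True if the request comes from an address inside the clinic's ranges."""
    ip = ipaddress.ip_address(source_ip)      # raises ValueError on garbage
    return any(ip in net for net in CLINIC_NETWORKS)


def decide(session: Session, source_ip: str, now: datetime) -> str:
    """Return 'deny', 'require_otp' or 'password_only' for this sign-in attempt."""
    # Time-of-day restriction: no EMR sign-ins at all outside clinic hours.
    if not CLINIC_HOURS[0] <= now.hour < CLINIC_HOURS[1]:
        return "deny"
    # A malformed or spoofed source address is treated as untrusted, never as on-site.
    try:
        on_site = on_clinic_network(source_ip)
    except ValueError:
        return "deny"
    # Off-site (home, hotel, attacker's VPS): the location factor is absent,
    # so the one-time code is always required.
    if not on_site:
        return "require_otp"
    last = session.last_strong_auth
    # First sign-in of the day, or the eight-hour lifetime has run out.
    if last is None or now - last > STRONG_AUTH_LIFETIME:
        return "require_otp"
    # Midday re-verification: an OTP entered in the morning does not carry
    # past the lunch cut-off, even if the eight hours are not up.
    if last.hour < MIDDAY_RECHECK_HOUR <= now.hour:
        return "require_otp"
    # On the clinic network, within hours, recently verified: password only.
    return "password_only"


def record_strong_auth(session: Session, now: datetime) -> Session:
    """Call after the user successfully enters the OTP/TOTP."""
    session.last_strong_auth = now
    return session


if __name__ == "__main__":
    # Constructed walk-through of one provider's day.
    doc = Session("dr.smith", None)
    day = datetime(2024, 3, 20)
    for hour, minute, ip in [(7, 30, "203.0.113.10"), (9, 0, "203.0.113.10"),
                             (12, 15, "198.51.100.5"), (14, 0, "203.0.113.10"),
                             (14, 5, "203.0.113.10"), (22, 0, "203.0.113.10")]:
        now = day.replace(hour=hour, minute=minute)
        verdict = decide(doc, ip, now)
        print(f"{now:%H:%M} from {ip:<14} -> {verdict}")
        if verdict == "require_otp":
            record_strong_auth(doc, now)   # assume the user completes the OTP
```

The order of the checks matters: the time window and the source address are evaluated before the session history, so a stolen password used from outside the clinic never reaches the "password only" branch regardless of how recently the real user entered a code.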

OTP itself is now coming under fire. “The problem is texted one-time passcodes can be scanned, because they’re not encrypted,” Lawrence says, listing social engineering, SIM card swapping, and man-in-the-middle as tactics used by malicious actors.

In 2021, Syniverse, a company that routes 740 billion text messages each year for 319 carriers, including Verizon, T-Mobile, and AT&T, revealed a hacker had been accessing its databases for five years. “They could have been just watching texts go back and forth. That’s why OTP codes and SMS codes are not considered safe. But you have to be fairly sophisticated to take advantage of them,” Dorsey says.

That texted code also stays valid a long time in cyber terms, typically ten to 30 minutes. The more secure alternative, the time-based one-time password (TOTP, standardized in RFC 6238), is generated on the user's own phone by an authenticator app, primarily Cisco Duo, Microsoft Authenticator, and Google Authenticator, from a secret shared at enrollment and the current time, so each code is valid only for a short window (30 seconds by default; apps and services range from ten to 60 seconds) and nothing travels over the carrier network to be intercepted. The app itself can additionally sit behind the phone's face or fingerprint unlock. “In the last two years, Microsoft, Google, all the big online vendors have been moving away from SMS text messaging,” Lawrence says.

Hackers have already found a loophole, called push fatigue (also known as MFA bombing). Users can choose to set their authenticator app to replace entering the generated code into the website or app with simply punching “yes” in response to a push notification. Cybercriminals who already hold a stolen password found that if they sent a bunch of push notifications at awkward times, like in the night or during mealtimes, people got frustrated by the endless alerts and finally hit ‘yes.’ Microsoft and Duo now counter this with number matching: the sign-in screen shows a number that the user must type into the app before the prompt can be approved, so a prompt the user did not initiate cannot be accepted blind. “It’s a convenience, but it turned out to be a bad thing,” Dorsey says. “You want the authenticator app to give you a number to put back into the website. That’s considered about the safest option.”

The unending need to adapt can frustrate people. “Doctors say MFA is too much, so they just don’t do it, and that’s the wrong choice,” Dorsey says. “These types of authentications are never going to be bulletproof, but they are HIPAA-proof. And there’s a way to do it and not kill your workflow.”

Sections: Business
