Future-Proof Authentication & Compliance for Healthcare – Yubico

Healthcare remains one of the industries most heavily targeted by cyber criminals. During the COVID-19 pandemic the number of cyber attacks on the industry doubled, and those attacks are both costly ($9.23 million, on average) and disruptive. More troubling still, these attacks are likely to increase as remote and virtual healthcare services expand and as organizations are required to support broader access to, and exchange of, electronic health information under the CURES Act.

Regulatory change is on the horizon for healthcare and pharmaceutical organizations. The CURES Act, a revised HIPAA, EPCS (under the SUPPORT Act), 21 CFR Part 11, and various state and federal laws and directives (including the new EO 14028) are all introducing stricter requirements around "appropriate" access controls and authentication. As we outline in our new whitepaper, passwords alone are no longer enough to meet these requirements.

But we recognize that healthcare organizations face unique challenges when implementing strong authentication. Those challenges include legacy systems, smart health equipment, mergers and acquisitions, BYOD and shared devices, sanitation, mobile-device restrictions, and the growing number of non-employee providers working within healthcare systems.

If your healthcare organization is deploying MFA only to check the compliance box, you might fill the gaps in your authentication strategy with whatever MFA solution is at hand. You may quickly realize that checking the box is not enough, because not all MFA is created equal when it comes to security and user experience.

Research by Google, NYU, and UCSD, based on 350,000 real-world hijacking attempts, found that an SMS-based OTP blocked only 76% of targeted attacks and a push-based app only 90%; hardware security keys blocked 100% of them in the same study.

The Importance of User Experience in Healthcare Authentication

43% of organizations cite user experience as the top obstacle to adopting MFA. Users may face long, multi-step authentication every time they log into a device or into healthcare software such as the EHR or clinical communication systems. Healthcare providers may also be prompted to re-authenticate for critical workflow steps such as ePrescribing, placing orders, or adding a time-stamped signature.

Here is how the choice of MFA affects user experience:

  • Administrative Overhead – Does the solution require multiple steps to authenticate? Does it require mobile connectivity (to receive or generate OTP codes) or special hardware (card readers)? Favor a solution that reduces the time and steps needed to authenticate securely, which increases productivity and reduces user fatigue.
  • Sanitation – Does the solution account for PPE and clean room environments? Favor solutions that do not require degloving; fingerprint biometrics, for example, are impractical for gloved staff.
  • Restricted Access – Does the solution work beyond the walls of the hospital? Does it work for non-employee providers? Does it work in areas with mobile-device restrictions such as clean rooms or call centers?
  • IT support – Does the solution still rely on a password as the first factor (which still adds up to $1 million a year in support costs for large organizations)? How is the solution affected by the loss or theft of a ‘something you have’ factor?

Different MFA solutions trade off security and user experience differently. Without carefully evaluating both, you may end up with something that does not fully meet your compliance and security requirements and that degrades the user experience as well.

However, there is a solution that can have a positive impact on both security and user experience.  

Passwordless Authentication with the YubiKey

The future of authentication in healthcare is not piling a second or third factor on top of a password; it is user-friendly, secure passwordless authentication, which is simple to implement with the YubiKey. The YubiKey lets healthcare organizations bridge from their current state of authentication, whether username and password, smart card, or mobile 2FA, inside and outside the organization, to a passwordless future.

With the YubiKey, users get a true passwordless experience: they plug the security key into a desktop or laptop and touch it to authenticate, or tap it against an NFC-enabled device such as a tablet or phone. Where sterile environments matter, the YubiKey can be paired with a wearable to use NFC for touchless authentication. We wrote a blog several months ago about how a biopharmaceutical company solved NFC authentication with a YubiKey and a wristband.

Healthcare and pharmaceutical organizations that treat authentication only as a compliance check box leave themselves open to security breaches and lower productivity.

To learn more about how leading healthcare organizations are meeting regulatory requirements by deploying future-proof MFA that users actually want to use, read our whitepaper, Modern strong authentication and compliance for Healthcare Organizations.
