Future-Proof Authentication & Compliance for Healthcare – Yubico

Healthcare remains one of the industries most heavily targeted by cyber criminals. In fact, during the COVID-19 pandemic the industry has seen the number of cyber attacks double – attacks that are both costly ($9.23 million, on average) and disruptive. What is even more troubling is that these attacks are likely to increase with the expansion of remote and virtual healthcare services and the need to support greater access to and exchange of electronic health information in compliance with the CURES Act.

Regulatory change is on the horizon for healthcare and pharmaceutical organizations. The aforementioned CURES Act, a revised HIPAA, EPCS (SUPPORT Act), 21 CFR Part 11, and various State and Federal laws (including the new EO 14028) are all introducing new and more stringent requirements around “appropriate” access controls and authentication. As we outline in our new whitepaper, it is clear that passwords are no longer enough to comply with regulatory requirements.

But we recognize that healthcare organizations face unique challenges when it comes to implementing strong authentication solutions. Those challenges include: legacy systems, smart health equipment, mergers & acquisitions, BYOD and shared devices, sanitation, mobile restrictions, and the growth in non-employee providers working within healthcare systems. 

If your healthcare organization is looking to deploy MFA simply to check the compliance box, you might try to fill the gaps in your authentication strategy with any MFA solution – but you may quickly realize that checking the box is not enough, because not all MFA is created equal when it comes to security and user experience.

Research by Google, NYU, and UCSD based on 350,000 real-world hijacking attempts revealed that an SMS-based OTP blocked only 76% of targeted attacks and a push app blocked only 90%.

The Importance of User Experience in Healthcare Authentication

43% of organizations cite user experience as the top obstacle to using MFA. Users may be tasked with long and complex authentication experiences every time they log into a device or healthcare software such as the EHR or clinical communication systems. Further, healthcare providers may be prompted to re-authenticate to support critical workflow steps such as ePrescribing, placing orders, or adding a time-stamped signature. 

Let’s break down how the choice in MFA can impact user experience:

  • Administrative Overhead – Does the solution require multiple steps to authenticate? Does the solution require mobile connectivity (to receive or generate OTP codes) or special hardware (card readers)? Consider a solution that reduces the time or steps needed to authenticate securely, to increase productivity and reduce user fatigue.
  • Sanitation – Does the solution take PPE or clean room environments into account? Consider solutions that do not require degloving; fingerprint biometrics, for example, are impractical.
  • Restricted Access – Does the solution work beyond the walls of the hospital? Does the solution work with non-employee providers? Does the solution work in areas with mobile restrictions such as clean rooms or call centers?
  • IT Support – Does the solution still rely on a password as the first factor (which continues to add up to $1 million each year in support costs for large organizations)? How is the solution affected by loss or theft of any ‘something you have’ factor?

When evaluating MFA solutions, know that different solutions have different benefits for both security and user experience. Without carefully evaluating both sides, you may end up with something that doesn’t completely address your compliance and security requirements and can negatively impact user experience. 

However, there is a solution that can have a positive impact on both security and user experience.  

Passwordless Authentication with the YubiKey

The future of authentication in healthcare is not about adding second or third factors to increase security; it is user-friendly, secure passwordless authentication that is simple to implement with the YubiKey. The YubiKey helps healthcare organizations bridge to a passwordless future from their current state of authentication, whether that is username and password, smart card, or mobile 2FA, both inside and outside the organization.

With the YubiKey, users receive a true passwordless experience: they simply plug their security key into their desktop or laptop and touch it to authenticate, or tap their security key against modern devices such as tablets or phones. Where sterile environments are important, the YubiKey can be combined with a wearable that uses NFC communication for a touchless authentication experience. We wrote a blog post several months ago about how a biopharmaceutical company solved NFC authentication with a YubiKey and a wristband.

Healthcare and pharmaceutical organizations looking at authentication only as a compliance check box are leaving themselves open to potential security breaches and lower productivity. 

To learn more about how leading healthcare organizations are meeting regulatory requirements by deploying future-proof MFA that users actually want to use, read our whitepaper, Modern strong authentication and compliance for Healthcare Organizations.

