Healthcare continues to remain one of the most highly targeted industries by cyber criminals. In fact, with the COVID-19 pandemic, the industry has seen a doubling of the number of cyber attacks – attacks which are both costly ($9.23 million, on average) and disruptive. What’s even more troubling is that these attacks are likely to increase with the expansion of remote and virtual healthcare services and the need to support greater access and exchange of electronic health information in compliance with the CURES Act.
Regulatory change is on the horizon for healthcare and pharmaceutical organizations. The aforementioned CURES Act, a revised HIPAA, EPCS (SUPPORT Act), 21 CFR Part 11, and various State and Federal laws (including the new EO 14028) are all introducing new and more stringent requirements around “appropriate” access controls and authentication. As we outline in our new whitepaper, it is clear that passwords are no longer enough to comply with regulatory requirements.
But we recognize that healthcare organizations face unique challenges when it comes to implementing strong authentication solutions. Those challenges include: legacy systems, smart health equipment, mergers & acquisitions, BYOD and shared devices, sanitation, mobile restrictions, and the growth in non-employee providers working within healthcare systems.
If your healthcare organization was looking to deploy MFA to check the box on compliance, you might try to fill the gaps in your authentication strategy with any MFA solution – but you may quickly realize that just checking the box is not enough, because not all MFA is created equal when it comes to security and user experience.
Research by Google, NYU, and UCSD based on 350,000 real-world hijacking attempts revealed that a SMS-based OTP only blocked 76% of targeted attacks and a push app only blocked 90%.
The Importance of User Experience in Healthcare Authentication
43% of organizations cite user experience as the top obstacle to using MFA. Users may be tasked with long and complex authentication experiences every time they log into a device or healthcare software such as the EHR or clinical communication systems. Further, healthcare providers may be prompted to re-authenticate to support critical workflow steps such as ePrescribing, placing orders, or adding a time-stamped signature.
Let’s break down how the choice in MFA can impact user experience:
- Administrative Overhead – Does the solution require multiple steps to authenticate? Does the solution require mobile connectivity (to receive or create OTP codes) or special hardware (card readers)? Consider a solution that reduces the time or steps to securely authenticate to increase productivity and reduce user fatigue.
- Sanitation – Does the solution take PPE or clean room environments into account? Consider solutions that do not require degloving, i.e. fingerprint biometrics are impractical.
- Restricted Access – Does the solution work beyond the walls of the hospital? Does the solution work with non-employee providers? Does the solution work in areas with mobile restrictions such as clean rooms or call centers?
- IT support – Does the solution still leverage password as the first factor (which continues to add up to $1 million each year in support costs for large organizations)? How is the solution impacted by loss or theft of any ‘something you have’ factor?
When evaluating MFA solutions, know that different solutions have different benefits for both security and user experience. Without carefully evaluating both sides, you may end up with something that doesn’t completely address your compliance and security requirements and can negatively impact user experience.
However, there is a solution that can have a positive impact on both security and user experience.
Passwordless Authentication with the YubiKey
The future of authentication in healthcare does not include adding second or third factors to increase security; the future of authentication is user-friendly, secure passwordless authentication that is simple to implement with the YubiKey. The YubiKey helps healthcare organizations bridge to a passwordless future from their current state of authentication across both inside and outside their organization, whether username and password or smart card or mobile 2FA.
With the YubiKey, users receive a true passwordless experience— they simply plug their security key into their desktop or laptop and touch to authenticate, or tap their security key against modern devices such as tablets or phones. Where sterile environments are important, the YubiKey can be combined with a wearable to leverage NFC communication for a touchless authentication experience. We even wrote a blog about this several months ago about how a biopharmaceutical company solved NFC authentication with a YubiKey and wristband.
Healthcare and pharmaceutical organizations looking at authentication only as a compliance check box are leaving themselves open to potential security breaches and lower productivity.
To learn more about how leading healthcare organizations are meeting regulatory requirements by deploying future-proof MFA that users actually want to use, read our whitepaper, Modern strong authentication and compliance for Healthcare Organizations.