
HIPAA-Covered Entities, Third-Parties Reminded to Avoid Authentication Mistakes

Feds Urge Healthcare Providers, Vendors to Use Strong MFA
HHS OCR is urging HIPAA covered entities and their business associates to implement robust multifactor authentication. (Image: Getty)

Federal regulators are once again reminding healthcare entities and their vendors of the importance of using strong multifactor authentication to help fend off hacks and other compromises, while also warning them to avoid common MFA mistakes.


Robust authentication – especially multifactor authentication – provides the first line of defense against intrusions and attacks, and the No. 1 mistake is not implementing multifactor authentication to begin with, according to a Department of Health and Human Services’ Office for Civil Rights bulletin issued Friday.

“Healthcare is lagging when it comes to fully adopting multifactor authentication,” said Tom Walsh, president of privacy and security consultancy tw-Security. “Some of this could be because of legacy applications and systems that do not support MFA,” he told Information Security Media Group.

But resistance by clinicians to using multifactor authentication is not as big of a deterrent to implementing MFA in healthcare environments as it was in the past, he said. “Most people are already using MFA for other personal accounts such as online banking. I think the lag in implementing MFA comes down to resources – money, time and qualified staff to implement MFA.”

Also, not all multifactor authentication solutions are equally effective, HHS OCR warns. “Some may be more prone to compromise than others,” the agency writes.

“Authentication that requires a user to present multiple instances of the same factor is not multifactor authentication,” HHS OCR writes. For example, “an authentication process requiring a password and PIN is not multifactor authentication because both factors are ‘something you know,’” the agency said.

Some entities still don’t fully understand that multifactor authentication requires the use of two or more distinct factors. Those are something the user knows – like a password or PIN; something the user possesses – like a security token or smart ID card; or something inherent to that user, such as a fingerprint, facial recognition or other biometric data, HHS OCR writes.

According to Walsh, one of the most commonly used MFA techniques in healthcare sends a six-digit code via SMS text message or email to a mobile device. “This is probably the least secure,” he warned.

Other MFA methods require some type of authenticator app that has to be loaded on a smartphone, he said. Also, “there is still the old-school physical token – for example, RSA SecurID – which tends to be a little more secure than relying on a mobile device, which can be lost or stolen,” he said.

Weak authentication practices have been central to many recent high-profile cyberattacks and major data breaches, HHS OCR noted. And that’s not just in the healthcare sector, the agency said.

For instance, in a 2021 ransomware attack against a major food company that processes approximately 20% of the U.S. meat supply, perpetrators gained initial access by compromising an old administrator account secured with only a “weak password,” the agency said.

The case likely refers to the world’s largest meat supplier, Brazil-based JBS, which was hit with a ransomware attack that shut down its servers in North America and Australia, disrupting operations for about a week.

Earlier Warnings

In fact, HHS OCR is the latest federal agency pushing for more widespread adoption of multifactor authentication.

Cybersecurity and Infrastructure Security Agency Director Jen Easterly last October during an address at a FIDO Alliance conference also urged technology vendors to “forcefully nudge” users into MFA (see: US CISA Official: ‘Forcefully Nudge’ Users Into MFA).

CISA recommends that entities implement phishing-resistant multifactor authentication, which can help detect and prevent disclosure of authentication data to a website or application masquerading as a legitimate system, the HHS bulletin says.

For instance, phishing-resistant multifactor authentication could require a password or user biometric data, combined with an authenticator such as a personal identity verification card or another cryptographic hardware- or software-based token authenticator, such as a FIDO authenticator using WebAuthn, HHS OCR adds.
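What makes WebAuthn phishing-resistant is that the browser, not the user, records which site requested the login, and the server refuses any assertion whose origin or RP ID hash does not match its own. The example below is added here to illustrate that server-side check; it is not code from HHS OCR or from any FIDO project, and the domain names, challenge and assertion bytes are constructed (the signature verification step of the real ceremony is omitted).

```python
import base64
import hashlib
import json

# Constructed relying party (RP) identity; assumed names, not from the article.
RP_ID = "hospital-portal.example"
EXPECTED_ORIGIN = "https://hospital-portal.example"

def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url as used in clientDataJSON."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_assertion(origin: str, rp_id: str, challenge: bytes) -> dict:
    """Build a constructed assertion the way a browser/authenticator would.

    The browser writes the calling page's origin into clientDataJSON and the
    authenticator hashes the RP ID the browser resolved from that origin, so a
    look-alike site cannot make these fields name the real portal."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
    }).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = b"\x05"                      # UP (user present) + UV (user verified)
    sign_count = (1).to_bytes(4, "big")
    auth_data = rp_id_hash + flags + sign_count
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}

def verify_assertion(assertion: dict, expected_challenge: bytes) -> tuple[bool, str]:
    """Relying-party checks from the WebAuthn assertion ceremony (no signature step)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay?)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        # This is the phishing-resistance check: a spoofed site's origin never matches.
        return False, f"origin mismatch: {cd.get('origin')}"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"

if __name__ == "__main__":
    chal = b"\x01" * 32
    print(verify_assertion(make_assertion(EXPECTED_ORIGIN, RP_ID, chal), chal))
    spoof = make_assertion("https://hospital-portal-login.example",
                           "hospital-portal-login.example", chal)
    print(verify_assertion(spoof, chal))
```

Compare this with an SMS or e-mail code, which carries no information about where it is being typed in and so verifies just as well on a look-alike page as on the real one.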

“The layered defense of a properly implemented multifactor authentication solution is stronger than single-factor authentication such as relying on a password alone,” HHS OCR writes.

Walsh suggests that healthcare-sector entities consider integrating password vaults with MFA. Also, “passwordless authentication is probably in the future but we haven’t seen it implemented in healthcare,” he said.

But bottom line, “any MFA is probably better than no MFA,” he added.
