An interview with ModMed’s chief information security officer, Jay Schwitzgebel
Chances are, you encounter multifactor authentication every day: the token or code you enter to access your bank account, the button you push to approve a login to your email, the facial recognition feature on your iPhone. With the arrival of the 21st Century Cures Act Final Rule and new requirements from cyber insurance underwriters, there has been a renewed push for multifactor authentication in healthcare, and that is a good thing. To find out more about this important authentication feature, we sat down for a conversation with Jay Schwitzgebel, chief information security officer at ModMed®.
ModMed: What is multifactor authentication?
Jay: Multifactor Authentication, or MFA (or sometimes 2FA for “2-factor authentication”), is an authentication method that requires you to provide two or more authentication methods to access software, applications, an online account or virtual private network (VPN).
ModMed: What is an example of multifactor authentication? How does it work?
Jay: One example that’s probably quite common is using multifactor authentication to access your email, a website or an application. Essentially, you enter your username and password, and then you’re asked to provide a numeric code that was texted to your phone, sent to your email address, or that appears in an authentication app installed on your smartphone. You enter the information where prompted, and you are authenticated.
ModMed: Why aren’t passwords enough anymore?
Jay: For years, we’ve heard that passwords should be at least 8 characters and complex. They should contain upper and lowercase letters, numbers and special characters — and this guidance still holds true, as a bare minimum.
But modern computer processors are incredibly powerful now. They can guess millions of passwords in a matter of seconds, which is essentially the strategy behind what is called a “brute-force attack” by hackers.
Remember: whatever you know, someone else could know it. Hackers steal or guess passwords all the time, and they use very sophisticated means to do so.
ModMed: What is the industry standard for multifactor authentication?
Jay: Our EHR systems are 2015 ONC-certified. The Office of the National Coordinator for Health Information Technology (ONC) sets the standard for multifactor authentication in our industry, which includes at least two of the following:
- Something you know, such as a password or a personal identification number (PIN).
- Something you have, such as a mobile phone, card, badge, token, access key, etc.
- Something you are, such as your fingerprints, facial features and other biometric information.
Each layer of defense raises the level of security, and the more layers of security you have in place, the more barriers a potential hacker has to get through.
ModMed: Why is multifactor authentication important for healthcare IT solutions?
Jay: Healthcare continues to be a top target for hackers. Practices, hospitals and healthcare systems are often likely to pay a ransom if affected by a ransomware attack. They need to get their systems back up and running, so they can continue to care for patients.
Our clients use cloud-based software because it’s mobile, scalable and has additional security features. Multifactor authentication helps to validate that users are who they say they are — wherever they are. This is especially important for healthcare professionals who are mobile or work from home.
It’s also worth mentioning that many insurers are requiring that MFA be employed when accessing sensitive information. In fact, MFA is fast becoming a requirement to get cybersecurity coverage or to renew your current policy.
ModMed: Is multifactor authentication required as part of the 21st Century Cures Act Final Rule?
Jay: It isn’t required, but vendors need to attest that they offer it as an option, which we do.
ModMed: How does multifactor authentication work in EMA® and gGastro®?
ModMed: What are some barriers to using multifactor authentication?
Jay: People forget passwords, and typing in a token or taking another MFA step can feel cumbersome. It really comes down to user experience — adding those additional layers of security and still making it as easy as possible for people to log in. For example, some systems allow you to select a “remember me for 30 days” (or similar) option, which may make access easier, but it isn’t as secure as authenticating with MFA every single time.
Also, if you are planning to roll out multifactor authentication to a larger organization, you’ll likely need a training plan, and you’ll need to be prepared for the possibility of additional help desk calls until users become accustomed to the new workflow.
ModMed: Do you recommend that practices use multifactor authentication?
Jay: Yes. It is an essential and easy way to add another layer of security. The healthcare industry is a frequent target for hackers, and every medical organization should be doing all it can to protect its patients’ information.
This blog is intended for informational purposes only and does not constitute legal or medical advice. Please consult with your legal counsel and other qualified advisors to ensure compliance with applicable laws, regulations, and standards.
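The numeric code from an authenticator app that Jay describes is usually a time-based one-time password (TOTP, RFC 6238, built on the HOTP construction of RFC 4226). The following is an added example, not part of the interview and not ModMed’s own software, showing how a server side verifies such a code: it derives the expected six-digit code from a shared secret and the current 30-second time step, tolerates one step of clock drift in either direction, compares in constant time, and refuses to accept a code whose time step has already been used. The secret is the published RFC 6238 test secret, and the timestamps are constructed for illustration.

```python
"""Verify a TOTP code the way an authenticator-app second factor is checked.

Added example. The shared secret below is the RFC 6238 test secret
("12345678901234567890" in Base32) and the timestamps are constructed.
"""
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30    # seconds per code; the common default
DIGITS = 6        # code length shown by most authenticator apps
DRIFT_STEPS = 1   # accept one time step before/after "now" for clock skew


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, at // step)


class TotpVerifier:
    """Server-side state for one enrolled user: the secret plus the last accepted step."""

    def __init__(self, secret_b32: str):
        self.secret = base64.b32decode(secret_b32, casefold=True)
        self.last_used_step = -1   # no code accepted yet

    def verify(self, code: str, at: int) -> bool:
        """Return True if `code` is valid at Unix time `at` and has not been replayed."""
        if not (code.isdigit() and len(code) == DIGITS):
            return False
        current = at // TIME_STEP
        for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            # Replay protection: never accept a step at or before one already used,
            # so a code captured from the user cannot be submitted a second time.
            if step <= self.last_used_step:
                continue
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_used_step = step
                return True
        return False


if __name__ == "__main__":
    # Demonstration with the RFC 6238 test secret and the current clock.
    verifier = TotpVerifier("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    current_code = totp(verifier.secret, now)
    print("code now:", current_code)
    print("first use accepted:", verifier.verify(current_code, now))
    print("replay accepted:", verifier.verify(current_code, now))
```

The drift window is why a code typed a few seconds after it changes on the phone is still accepted, and the `last_used_step` check is the piece that the “enter the code where prompted” description leaves implicit: without it, a code observed over someone’s shoulder or from a text message would remain usable for the rest of its window.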