
Building MFA into the Workflow

By Jane Ehrhardt

“It’s not an option as to whether you use MFA or not under HIPAA. If it’s available and you don’t use it, you’ve got problems,” says Russ Dorsey, CIO with Kassouf & Co. Multifactor authentication (MFA) requires a user to present a combination of credentials to verify their identity to gain access to a device or software.

The “multifactor” refers to the different forms in which a user can prove their identity. The five basic MFA categories are knowledge, such as a password; possession, such as a code sent to the user’s phone; biometrics, such as face recognition or fingerprints; behavior, such as drawing a shape on a screen; and location.

“Implementing MFA is also key to cyberinsurance,” says Ed Lawrence, chief technology officer with Simplified Medical Management. “If you don’t use it, it can dramatically increase your premiums. Even worse, claiming to use MFA, but not implementing it means the insurer will not pay resulting claims.

“We still see practices that don’t implement MFA at all because it’s a disruption, especially in healthcare, where providers need to move throughout the facility, making it a pain to retype in credentials and one-time passwords (OTP) every time the provider enters another exam room.”

But other measures can be taken to shore up exposure points and lessen the need for continuous MFA usage. “If it’s a big inconvenience as you go in and out of rooms, it would be appropriate to say, while I’m in the clinic, all I need is my username and password,” Dorsey says.

This would allow access to the EMR or devices only while in the clinic. Users would then need to enter the one-time code sent to their phone or fob just once or twice a day, because the geolocation authentication replaces that OTP step. “Then they’re good for eight hours. All you need is your user name
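The policy the two paragraphs above describe can be written down as a small conditional-access decision. The following is an added example, not code from the article or from either of the practices quoted in it; it assumes that the “location” factor is implemented as an allow-list of the clinic’s own network ranges (the article only says “geolocation”), that the username/password check has already been done by whatever front-ends the policy, and that the OTP step, once passed off-site, stays valid for eight hours as the quote states. All addresses and usernames in it are constructed sample values.

```python
"""Conditional-access policy mirroring the workflow in the article (added example).

Inside the clinic a valid username/password is enough; anywhere else a
one-time password (OTP) is required, and a successful OTP step opens an
eight-hour window during which it is not asked for again.

Assumptions not stated on the page: "location" is derived from the request's
source IP against a clinic allow-list, and session state is an in-memory dict.
"""
from dataclasses import dataclass
import ipaddress
import time
from typing import Dict, Optional

# Constructed sample: the clinic's internal address ranges (hypothetical).
CLINIC_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]

OTP_VALIDITY_SECONDS = 8 * 3600  # "good for eight hours"


@dataclass
class AccessRequest:
    username: str
    password_ok: bool                 # knowledge factor, checked elsewhere
    source_ip: str
    otp_ok: bool = False              # True if a valid OTP accompanied this request
    now: Optional[float] = None       # epoch seconds; defaults to wall clock


def in_clinic(source_ip: str) -> bool:
    """Location factor: does the request originate from a clinic network?"""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in CLINIC_NETWORKS)


class AccessPolicy:
    def __init__(self) -> None:
        # username -> epoch time of the last accepted OTP step
        self._last_otp: Dict[str, float] = {}

    def decide(self, req: AccessRequest) -> str:
        """Return 'allow', 'otp_required' or 'deny' for one access request."""
        now = req.now if req.now is not None else time.time()
        if not req.password_ok:
            return "deny"            # knowledge factor failed; nothing else matters
        if in_clinic(req.source_ip):
            return "allow"           # location replaces the OTP (possession) step
        # Off-site: an OTP is needed unless one was accepted within the window.
        last = self._last_otp.get(req.username)
        if last is not None and now - last < OTP_VALIDITY_SECONDS:
            return "allow"
        if req.otp_ok:
            self._last_otp[req.username] = now
            return "allow"
        return "otp_required"


if __name__ == "__main__":
    policy = AccessPolicy()
    t0 = 1_700_000_000.0  # constructed start time
    walkthrough = [
        ("exam room, clinic LAN", AccessRequest("drsmith", True, "10.20.3.4", now=t0)),
        ("home, no OTP yet", AccessRequest("drsmith", True, "203.0.113.9", now=t0)),
        ("home, OTP entered", AccessRequest("drsmith", True, "203.0.113.9", otp_ok=True, now=t0)),
        ("home, 7h later", AccessRequest("drsmith", True, "203.0.113.9", now=t0 + 7 * 3600)),
        ("home, 9h later", AccessRequest("drsmith", True, "203.0.113.9", now=t0 + 9 * 3600)),
    ]
    for label, req in walkthrough:
        print(f"{label:24s} -> {policy.decide(req)}")
```

The decision order matters: the password check comes first so that a bad password is never rescued by a trusted location, and the eight-hour window is keyed to the username rather than to the device, which is the behaviour the quote describes (one OTP entry per shift, not per room).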
