Multifactor Authentication: An Extra Layer of Security for Healthcare Organizations and Business Associates

While attackers have long had their eyes on healthcare organizations for the sensitive personal health information (PHI) in their coffers, the increased adoption of telehealth services and remote teams have added incentive to seek out evolving security weaknesses.

Healthcare organizations and their business associates aren’t alone in this onslaught of potential attacks. As many industries adopt more distributed workforces outside of corporate facilities and into private homes and other places, the risks increase.

And no industry is immune.

In a rather sophisticated attack on Twitter’s CEO in 2019, hackers (likely) used a cellphone subscriber identity module (SIM) swap tactic to access his phone and then his account. Though Twitter was using SMS as a multifactor authentication (MFA) strategy, it switched its security practices to more secure options due to this attack.

A similar attack targeted crypto-currency wallets, leading to more than $2 million in crypto theft.

While these attacks took place within the tech world, similar risks exist for healthcare because organizations create, store, manage, and transmit that known commodity that attracts attackers-PHI.

So, what can you do? As a healthcare organization or a business associate, how can you decrease the chances that attackers can successfully breach your systems and network?

While MFA isn’t 100% hacker-proof, it continues to serve as an industry best practice. If you’re not already leveraging MFA for all of your organization’s users and assets, now is the time. Drawing on lessons learned from other successful breaches, your healthcare organization can implement MFA policies that make it even more difficult for attackers to breach your network and ensure you meet your HIPAA security and privacy requirements.

First, what is MFA?

MFA is a security enhancement that requires users to present two or more pieces of evidence when logging into an account or system.

In simple terms, MFA is an authentication measure that uses more than one piece of data to identify an individual or a system.

The National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC) says MFA is “an authentication system that requires more than one distinct authentication factor for successful authentication. Multifactor authentication can be performed using a multifactor authenticator or by a combination of authenticators that provide different factors.”

Based on NIST guidance, three authentication factors are:

  • Something you know
  • Something you have
  • Something you are

For true MFA enablement, your organization needs two separate communication channels to avoid or defeat a man-in-the-middle (MitM) type of attack.

There are a couple of different umbrellas for MFA, but generally, they can be categorized as:

Knowledge Factor

With knowledge-based authentication, a user submits information likely only known to the user, for example, a pre-shared key (PSK) or password. Knowledge factor MFA may require a user to provide additional information like a personal security question answer. This type of MFA may include passwords, four-digit personal identification numbers (PINs), or one-time passwords (OTPs).

Possession Factor

Possession factor MFA uses objects such as a badge, token, key fob, SIM card, or others for logon. For example, a smartphone often provides the possession factor with a one-time password (OTP) app for mobile authentication. This is the most common way today’s organizations use the possession factor. It can be a software or hardware solution. Software-based tokens are referred to as soft tokens.

Inherence Factor

Inherence factor authentication uses biological traits for verification.


  • Retina/iris scan
  • Fingerprint scan
  • Voice authentication
  • Hand/earlobe geometry
  • Digital signatures
  • Facial recognition

Adaptive MFA

Adaptive MFA services access additional data points for system logon, for example, IP address, geolocation, time of day, conditional access policies, etc. to determine authorized access.

Implementing MFA for Your Healthcare Organization

So, what options do you have for implementing these various types of MFA tools for your healthcare organization? Here are a few examples to consider:

Out-of-Band Authentication (OOBA)

Out-of-band authentication (OOBA) requires two different signals from two different networks or channels. This more sophisticated authentication may prevent many kinds of fraud and hacking.

OOBA examples include:

  • SMS
  • Email
  • Voice call
  • In-person
  • Postal services
  • Push notifications to a mobile device
  • QR codes with encrypted transaction data
  • Biometric readers

Many organizations use OOBA during onboarding and account creation. For example, the organization establishes a new user account. It then communicates a username and password to the end-user (in this case, a new employee) via different means such as an email and a text message.

Dynamic and Conditional Access Policies

Dynamic and conditional access policies allow administrators to configure authentication and authorization procedures to address VPN connection, changes to intranet structure, data sensitivity, and remote access.

Windows introduced dynamic access control into the Windows Server product line with Windows Server 2012.

For cloud environments:

  • Microsoft Azure allows administrators to configure multiple conditional access policies.
  • Amazon Web Services (AWS) allows access control to AWS resources within identity and access management (I&AM) or all AWS via policies.
  • Google Cloud Services (GCS) provides administrators with the ability to use role bindings to tie I&AM policies to user roles.

These policies generally address:

  • User risk
  • Location
  • Device
  • Time of day

MFA Authentication Devices

While many organizations think of MFA in terms of mobile devices (text messaging or authenticator apps), the reality is that there is a range of MFA authentication device types. Here are some examples:

Hardware MFA

A hardware MFA device generates a random numeric code based upon a time-synchronized, one-time password algorithm. Users enter this code into a form field or pop-up window during authentication.

This type of MFA is generally more secure than virtual or software MFA devices.


  • USB
  • Key dongle
  • RSA token generator
  • Biometric scanners/readers

Virtual/software MFA

Virtual or software MFA is generally an application that operates on a mobile device emulating a physical device. These are commonly deployed MFA devices.


  • Google Authenticator
  • Microsoft Authenticator
  • Software tokens
  • Other authenticator apps
  • TOTP 2FA

U2F Security Keys

U2F security keys are devices users plug into a USB port on a computer. The FIDO Alliance oversees the U2F open-authentication standard.


  • YubiKey
  • FIDO U2F
  • uTrust
  • OnlyKey

MFA Benefits

While many healthcare organizations consider MFA as a way to meet some HIPAA Security Rule standards, the reality is that MFA should be part of your healthcare security program for many reasons, including increased expectations from insurers and other third parties.

In addition to that, here are some other benefits of MFA implementation:

  • Real-time OTP generation is an effective security control that makes it harder for attackers to intercept or abuse.
  • According to Microsoft, MFA reduces breach incidences by 99.9%.
  • It’s easy to setup new users.
  • Once in place, MFA can restrict access by time of day or location and adds another layer of security.
  • It’s scalable. You can use it on an individual user with multiple accounts or use the same authenticator app from an enterprise perspective.

And while there are many benefits, here are some MFA disadvantages to be aware of as well, but these shouldn’t detract you from considering MFA implementation:

  • Often, a mobile device is required.
  • Users can lose or have hardware stolen. Think about this, especially if your organization allows users to use their own devices to access your environment. What is your mobile device management policy or solution?
  • False positives and false negatives are possible, especially with biometrics. For example, if a user’s fingerprint isn’t directly on a scanner or if there is too much or too little pressure, a false negative may occur. When your team members try to use authentication for resource access, it can create a bad user experience.
  • There’s often a need to upgrade constantly. With any defense measure or control, there will always be a new attack that will surpass it. That means teams will have to devise new defensive measures. You may get into a cycle of constant upgrades once you have an MFA process implemented.
  • Those continuous upgrades and other factors can also influence costs in an upward trajectory.

MFA Best Practices

When it comes to which MFA option is best for your organization, that depends on a range of factors that are unique to your operation. You need to make decisions based on your user base. However, here are some best practice guidelines you may find helpful:

Follow NIST Guidance

NIST SP 800-63-3, Digital Identity Guidelines, identifies three components of digital identity associated with:

  • Identity proofing errors
  • Authentication errors
  • Federation errors

Implement User-Level Password Management Tools

Password managers are effective tools for creating a secure key store for users and fully complying with password policies and procedures related to complexity, re-use, and expiration. There are many password managers on the market. They range from free to subscription-based. Selecting the correct solution should be based on your organization’s unique requirements, resources, and constraints.

Single Sign-on (SSO) vs. Federated Identity Management (FIM)

Many organizations use single sign-on (SSO) and federated identity management (FIM) tools.

SSO adds security to your organization and your identity access management processes and helps your organization be more efficient (think of it in terms of a single domain). Generally, an FIM gives you access to multiple domains so you can streamline a user experience. This process doesn’t just keep users happier but also makes password reset processes more efficient.

A growing number of healthcare organizations are moving to adopt a single sign-on solution and implement some kind of FIM. Here are a few benefits of using both:


  • Enables access to applications and resources within a single domain
  • Reduces the number of user passwords needed for access to resources
  • Better customer experience
  • Improved productivity
  • Lower costs


  • Enables single-sign on to applications across multiple domains or organizations
  • Standard protocols include SAML, Oauth, OpenID Connect, and SCIM.
  • Third-party integrations, for example, Salesforce, Workday, and Zoom.
  • Trust relationships between an identity provider (IdP) and service provider (SdP)

The type of MFA your organization adopts-and how-will be based on a range of unique factors; however, with a 99.9% effective breach prevention rate, the question is, when will MFA become a part of your data security practices?

Need help deciding which MFA practices are best for your organization? Contact a Clearwater advisor today. We’ll be happy to help.


Sign up to receive our monthly newsletter featuring resources curated specifically to your concerns.

Related Blogs

With Us