HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Multi-Factor Authentication Blocks 99.9% of Automated Cyberattacks

The healthcare industry experiences more than its fair share of phishing attacks. Each week, several phishing attacks are reported by healthcare organizations that have resulted in the exposure or theft of protected health information. In the majority of cases, those attacks could be prevented by following basic cybersecurity best practices.

Cyberattacks are becoming more sophisticated, but the majority of attacks are not. They involve the use of default and commonly used passwords in brute force attacks or basic phishing emails.

Brute force attacks can be thwarted by creating and enforcing strong password policies. It should not be possible for users to use dictionary words as passwords or commonly used weak passwords such as 12345678. Accounts are also commonly breached due to password re-use. Figures from Microsoft suggest 73% of users duplicate passwords on work and personal accounts. If a personal account is breached, the password can be used to access the user’s work account.

Many phishing emails succeed in bypassing anti-spam defenses. A recent report from Avanan suggests as many as 25% of phishing emails are not blocked by Exchange Online Protection (EOP) – Microsoft’s default anti-phishing control for Office 365. It is therefore essential for additional controls to be implemented to prevent those messages from resulting in a data breach.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

All employees should be provided with regular security awareness training and should be instructed how to identify phishing emails. Legacy authentication should also be blocked. Other protections include the spam filters, anti-malware solutions, and web filters, but according to Microsoft, there is one solution that blocks 99.9% of automated cyberattacks: Multi-factor authentication.

Multi-factor authentication is the use of more than one method of verifying the identity of a user. In addition to a password or passphrase that only the account holder knows, additional factors are required such as the use of a token or biometric verification. If an attempt is made to logon to an account from an unfamiliar device or location, the second authentication factor comes into play. That could be a text message sent to the user’s mobile phone.

Even though MFA is an effective way of preventing unauthorized account access and preventing data breaches, many healthcare organizations only implement MFA once they have experienced a breach.

In a recent blog post, Microsoft explains that more than 300 million fraudulent sign-in attempts are made to its cloud services every day and the number of attacks is continuing to rise. Even if a username and password is compromised, multi-factor authentication will prevent those credentials from being used to gain access to an account.

“Based on our studies, your account is more than 99.9 percent less likely to be compromised if you use MFA,” said Alex Weinert, Microsoft’s Group Program Manager for Identity Security and Protection. “Your password doesn’t matter, but MFA does.”

Many organizations are reluctant to implement MFA as they feel it is complicated and will have a negative impact on workflows, when that is not necessarily the case. To keep disruption to a minimum, organizations can implement MFA on the most critical accounts or adopt a role-based approach. MFA can then be expanded from there.

MFA is not infallible, but it is one of the single most important measures to implement to block cyberattacks and ensure that responses to phishing emails and poor password choices from resulting in a costly data breach.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.