Cyber Security and the Use of Multifactor Authentication in Healthcare

Many years ago, I was having a conversation with the Chief Compliance Officer (CCO) of a large medical practice. Their system had been compromised by a phishing attack, and the attackers were able to access Protected Health Information (PHI) for weeks before being detected. It was a costly and painful experience for both the practice and their patients, and one that has become far too common in our industry.

“Phishing” is the fraudulent practice of sending emails or other messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers. In this instance, employees had received a message saying that they had been logged out of their system and needed to log back in with their username and password. The login screen looked identical to the one they were used to seeing, but it belonged to the attackers, and every username and password typed into it went straight to them. Multiple staff fell victim to the ruse.

The CCO then went on to mention, “Had we implemented multifactor authentication (MFA), this likely never would have happened”. That statement resonated with me. I began thinking: why has the banking industry been taking these precautionary measures for decades while healthcare remains so far behind?

Perhaps this has to do with the value of a patient dossier for identity theft. According to a 2018 estimate, a stolen Social Security number sells for $0.53 and the details of a payment card sell for $5.40, but a single person's healthcare record sells for an average of $250.15. To quote Willie Sutton on why he robbed banks, “That’s where the money is”.

In healthcare, there are multiple sources of patient dossiers. Hospitals, medical practices and billing companies are at the top of that list. Although you’d think that all of them would be using MFA by this point, you’d be wrong. Most hospital systems have implemented it, but few medical practices and revenue cycle management companies have done the same. Incredibly, one of the main reasons cited is employee inconvenience, which seems like a small price to pay to avoid a massive data breach. MFA adds a second factor on top of the password, so even if an employee’s username and password are compromised, the attackers still need the employee’s phone or security key to get into the platform. Push notifications to an authenticator app are recommended over text messages containing access codes, because text messages can be intercepted or redirected by someone who takes over the phone number. There are also hardware security keys, similar to a key fob, that plug into or tap against the computer; keys built on the FIDO standards are the strongest option, because the key checks the site’s address before responding, so a lookalike login page like the one described above cannot collect a usable response from it. Whichever form is used, staff should be told that a prompt or code they did not initiate is a sign that someone else has their password, and should be reported rather than approved.
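To make the “second factor” concrete, here is a small added example (not code from the original post or from MSN) of a server-side login check that requires a password plus a time-based one-time code of the kind an authenticator app displays (RFC 4226 HOTP under RFC 6238 TOTP). The employee record, the password and the timestamps are constructed for the illustration; the one-time-code seed is the published RFC 4226/6238 test key so the generated codes can be checked against the RFC test vectors. The walkthrough then replays the incident from the post: a stolen password alone fails, a captured code cannot be replayed or used later, but a code relayed in real time by a fake login page still works, which is exactly why origin-checking hardware keys are the stronger choice.

```python
"""Password + TOTP second factor, with the phishing case from the post walked through.

Added example with constructed data; the password hashing is deliberately simple
(plain SHA-256) to keep the focus on the second factor. A production system would
use a proper password KDF such as bcrypt, scrypt or Argon2.
"""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length shown by a typical authenticator app

# Constructed enrolment record for one hypothetical employee. The TOTP seed is the
# RFC 4226/6238 test key "12345678901234567890" in base32, not a real secret.
USER_DB = {
    "jdoe": {
        "password_hash": hashlib.sha256(b"Winter2018!").hexdigest(),
        "totp_secret_b32": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
        "last_used_step": -1,   # highest time step already accepted, to block replay
    }
}


def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, unix_time, step=STEP_SECONDS):
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret_b32, unix_time // step)


def login(username, password, code, now, skew_steps=1):
    """Server-side check. True only when the password AND a fresh code both verify.

    A code is accepted within +/- skew_steps of the server clock, and only for a
    time step newer than the last one accepted, so a code captured by a fake login
    page is useless once the victim has used it.
    """
    user = USER_DB.get(username)
    if user is None:
        return False
    presented = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(user["password_hash"], presented):
        return False
    current_step = now // STEP_SECONDS
    for step in range(current_step - skew_steps, current_step + skew_steps + 1):
        if step <= user["last_used_step"]:
            continue  # already consumed: replay attempt
        expected = hotp(user["totp_secret_b32"], step).encode()
        if hmac.compare_digest(expected, code.encode()):
            user["last_used_step"] = step
            return True
    return False


def phishing_walkthrough():
    """The incident from the post, replayed against a server that enforces MFA."""
    USER_DB["jdoe"]["last_used_step"] = -1
    secret = USER_DB["jdoe"]["totp_secret_b32"]
    t0 = 1_500_000_000                  # constructed time of the victim's real login
    victim_code = totp(secret, t0)      # what the employee's authenticator app shows
    results = {}
    # 1. Attacker holds the phished password but has to guess the code.
    results["password_only"] = login("jdoe", "Winter2018!", "123456", t0)
    # 2. The legitimate employee logs in with password and current code.
    results["victim_login"] = login("jdoe", "Winter2018!", victim_code, t0)
    # 3. Attacker replays the captured code a few seconds later: rejected as reuse.
    results["replay_same_step"] = login("jdoe", "Winter2018!", victim_code, t0 + 5)
    # 4. Attacker tries the captured code ten minutes later: outside the time window.
    results["stale_code"] = login("jdoe", "Winter2018!", victim_code, t0 + 600)
    # 5. The caveat: a fake page that relays the code in real time beats the victim
    #    to the server. The attacker gets in and the employee's own attempt fails.
    t1 = t0 + 3600
    relayed_code = totp(secret, t1)
    results["realtime_relay_attacker"] = login("jdoe", "Winter2018!", relayed_code, t1 + 3)
    results["realtime_relay_victim"] = login("jdoe", "Winter2018!", relayed_code, t1 + 4)
    return results


if __name__ == "__main__":
    for scenario, allowed in phishing_walkthrough().items():
        print(f"{scenario:26s} -> {'ACCESS' if allowed else 'denied'}")
```

Cases 1 through 4 show what the CCO meant: the phished passwords alone would not have opened the door. Case 5 shows the limit of code-based MFA, since a one-time code is not tied to the site it is typed into; that is the gap that push approvals narrow (the employee sees an unexpected prompt) and that origin-checking hardware keys close.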

In my opinion, there’s no excuse for any healthcare company not to use MFA with so many HIPAA breaches occurring. Granted, it’s a front-line control that won’t protect you from every cyber risk, but it’s absolutely necessary. If you’re not currently using it and haven’t experienced a data breach, consider yourself lucky. To get this important protection in place, talk to your IT department and Compliance Officer, if either exists within your organization. If not, check with your email provider. Many, Microsoft 365 included, offer it free or at low cost, and it should be turned on for every account, not just for executives.

The bottom line is that inaction only increases your company’s liability, and managing that liability is a fiduciary responsibility of your board and key compliance executives. If you use third-party vendors that access, use or store PHI, such as billing companies, ask to see their current SOC 2 Type 2 report (an independent auditor’s assessment of the vendor’s controls as they operated over a period of time, not a one-time certification), confirm that MFA on systems handling PHI is among the controls tested, and request a written attestation that they use it. If they can’t provide you with both, it may be time to put out an RFP.

Hal Nelson, Vice President Anesthesiology Services


Hal has 30+ years of experience on both the payor and RCM side, with a focus in Anesthesia. He formerly worked as a senior claims approver at United Healthcare, as well as a compliance officer for multiple national anesthesia billing companies. His broad-based experience ensures that MSN clients have a resource for documentation and billing issues. His past speaking engagements include ASA, MGMA, Dartmouth, and Johns Hopkins.

All rights reserved. No part of this document may be reproduced or used in any manner without the written consent of MSN Healthcare Solutions, LLC.
