Here’s an age-old story.
A healthcare worker walks into a busy ICU and walks up to a terminal. The login screen comes up and she reaches under the desk for a worn sheet of paper on which is written her password. She logs in and pulls up the record for the client she’s caring for.
As healthcare IT administrators we put rules in place to control password complexity and expiry, but by doing so we may be shooting ourselves in the foot. Harder passwords are harder to remember, so users have to write them down. They also tend to reuse them for every system they access, including those on the internet, which may be less than secure.
The era when passwords were considered secure is coming to an end. Fortunately, there are other approaches that can really improve the situation, and the best of these is called multi-factor authentication.
As the name suggests, multi-factor authentication (or MFA) makes use of multiple components, otherwise known as factors, to secure logins. We tend to think of these factors as being “something we know”, “something we have”, and “something we are”.
Let’s break that down a little.
- The “something we know” factor is a password, a pin, or some other code that we’ve memorized.
- The “something we have” factor can be a phone, a smartcard, or a multitude of other devices.
- The “something we are” factor usually means biometric identification, most often in the form of a fingerprint, although other techniques such as retina scans and facial recognition can be highly effective.
You can steal the “have” factor, or write down and lose the “know” factor, or fake the “are” factor by making a copy of a fingerprint, but the beauty of multi-factor authentication is that a combination of factors greatly increases the difficulty of breaking in.
Note that both your password and username are considered to be in the “something you know” category, and as such they are not sufficient to constitute multi-factor authentication!
Today Google, Apple, and many other consumer vendors allow for the use of your phone as a second factor. Both voice calls and SMS are used to communicate a secondary PIN code that greatly increases security. Within five years it’s unlikely that you’ll be able to find a consumer system that isn’t set up this way.
As usual, healthcare is lagging behind.
It’s fair to say that most hospitals don’t have biometric identification at workstations, nor do nurses walk around with smartcards or receive PIN codes on their phones. In fact, thanks to the DEA e-prescribing rules for controlled substances, it’s doctors who are leading the charge.
It’s probably going to be a while before everybody else in the hospital catches up.
Legacy systems need to be upgraded, tokens need to be issued, and users need to be trained, a process that can take years. If we hope to keep our records safe, this process needs to start soon.