Two-factor authentication – using a second identifier beyond a password to access data, be it a smartphone text code, retinal scan, fingerprint, DNA sample or other pound of flesh — has been discussed as a mandate in meaningful use for years, the latest in 2013 as federal advisory committees mulled their wish lists for stage 3.
Forget what the government says: For providers using cloud health IT services, especially public cloud providers such as Amazon Web Services (AWS), it’s time to enable two-factor authentication, now.
Why the hurry? A recent story, posted on SearchSecurity, our sister site, tells a tale of Code Spaces, a company driven out of business when a hacker launched a distributed denial-of-service attack and on top of that, gained control of its AWS control panel login credentials. The hacker, trying to ransom the company in return for stopping the attack, began destroying data when Code Spaces didn’t cooperate.
The lesson of the story? With two-factor authentication, the hacker would have had a much more difficult — if not impossible — time taking control of the dashboard, sources said, and the company would still be in business.
Multifactor authentication, it turns out, has an outdated reputation of being a lot more inconvenient than it is today, because earlier versions were more difficult and cumbersome. Today’s multifactor authentications are cheaper and less painful than, for example, RSA security tokens of yore.
We know that in healthcare, organizations typically spend less on IT than their counterparts in market sectors such as finance and education. But we also know that cloud vendor utilization is on the rise in healthcare, and that data breaches can cause headaches that diminish patient trust and cause fines with federal and state health privacy and consumer protection authorities.
So forget what a future edition of meaningful use may or may not require; if your shop is using a cloud provider for storage, applications or both, protect your data with a multifactor authentication system. Today. That, or risk being the next Code Spaces.