Medical identity theft: would the antidote be MFA?

Healthcare organizations are a prime target for cyber criminals. Everywhere in the world, private and public institutions need to protect sensitive information about millions of patients. This includes personal data such as date of birth, address, social security number, billing information and, of course, medical records. All of those can be used for a huge number of fraudulent actions. Identity-theft and data privacy expert Carrie Kerskie affirms “Medical identity theft is the deadliest form of identity theft”.

In the past few years, organizations have had a hard time defending their network perimeter and keeping cybercriminals at bay. The problem is, login credentials are easily compromised and this represents one of the most dangerous threat to a healthcare institution. Detecting those attacks is a challenge. Once the attacker stole a set of credentials, they are then logging in with stolen but valid credentials. From that moment, no security tool will detect anything unusual because they consider that whoever is logging in is who they say they are.

This is where multi-factor authentication (MFA) is needed. It constitutes one of the most reliable controls to stop unauthorized access. If MFA is not in place, cyber criminals can easily bypass all of your other security measures. Unfortunately, despite knowing the risk, many healthcare organizations still don’t take password security seriously enough. What’s holding them back?

Why are healthcare organizations reluctant towards adopting MFA?

Here are 4 misconceptions about MFA:

  1. “My organization is too small to use MFA”

This is 100% wrong. The data to protect is as important in your organizations as it is in any other big healthcare organization. Every healthcare institution, no matter the size, should use MFA to protect their network and the sensitive data within. MFA can be adapted to smaller institutions.

  1. “I don’t need MFA because I don’t have any privileged users”

This is wrong again. Especially in the healthcare industry, every user should be protected by MFA. Your “regular” users have access to more than enough data that, if used inappropriately, might harm your institution. Let’s take an example: a nurse decides to sell a celebrity patient’s data to a journalist. This demonstrate the value of the data and the damage that can be done.

But that’s not the only reason why every user should be protected. The majority of hackers don’t start with a privileged account. They usually start with an “easy” target. Once they gain access to the network, they move laterally to find important data.


  1. “MFA isn’t perfect”

“Perfect” doesn’t exist, especially not in IT security. But, MFA is close. Recently, some attacks where MFA had been bypassed were highlighted by the FBI. Two main authenticator vulnerabilities were found: ‘Channel Jacking’, involving taking over the communication channel that is used for the authenticator ⁠and ‘Real-Time Phishing’, ⁠using a machine-in-the-middle that intercepts and replays authentication messages. Professionals agree that these attacks require a significant investment in time and money. Most of the time, hackers who come across MFA will immediately change to an easier target.

Despite those recent events, the FBI maintains that MFA is very effective.

  1. “Implementing MFA means disrupting employee’s productivity”

This doesn’t have to be true. For healthcare organizations, disruption is a challenge. Implementing a new technology needs to be smooth, quick and not disrupting. This is the reason why MFA needs flexibility and customization. To get this, you can use MFA in conjunction with contextual controls to further verify users’ identity. In other terms, you use environment information to improve identity assurance without disrupting productivity.

Without MFA, healthcare organizations are wide open to attack. It should be a key security measure for any institution within the healthcare industry, and could be one of the easiest ways to keep data breaches away.