Hushmail Blog

Does HIPAA Require Multi-Factor Authentication? What Small Practices Need to Know

Written by Hushmail | Oct 9, 2025 8:35:48 PM

Estimated reading time: 8 minutes.

Passwords used to be enough. Not anymore. That's because cyberattacks are on the rise. According to the U.S. Department of Health and Human Services (HHS), the number of reported healthcare data breaches doubled between 2018 and 2024, affecting approximately 459 million people.

And regulators are taking notice. Proposed updates to the HIPAA Security Rule would require healthcare providers to use multi-factor authentication (MFA) when signing into accounts. That means now is the perfect time to get comfortable with it.

The good news? MFA is a simple and effective way to protect your practice and clients from a data breach, and it only takes a few minutes to set up.

TL;DR: Multi-factor authentication (MFA) protects your clients' data and helps your practice stay HIPAA compliant. With proposed Security Rule updates likely to make MFA mandatory, now is the ideal time to enable it.

What is multi-factor authentication?

Multi-factor authentication (MFA) means using more than one method to verify your identity when logging into an account.

Most of us are used to entering a username and a password. That's considered one-step or one-factor verification because you're using only one thing — something you know — to prove you're the account holder.

MFA, on the other hand, asks for more than one form of verification (usually two). That's why it's also called two-factor authentication or two-step verification.

With MFA, you combine something you know (like a password) with either:

  • Something you have — like a mobile device, authentication app, or hardware token
  • Something you are — like your fingerprint or facial recognition

One-step authentication: something you know (example: a password)
Two-step authentication: something you know + something you have or are (example: a password + a code sent by text)

MFA is becoming more common every day, as banks and other service providers boost their online security. Typically, this involves verifying your identity with a password and a unique code sent to you by text or email.

You can also use apps like Duo Mobile or Google Authenticator to provide an extra layer of protection. Because these apps generate the code on your phone instead of sending it over text or email, it's harder for someone else to get hold of it. They can also help block phishing attempts by checking that your phone is physically near the device you're signing in from, or by adding another step to the sign-in process.

Why MFA is more important than ever for HIPAA compliance

These days, information stored online is more vulnerable than ever to cyberthreats. If you're only using one way to verify your identity, all it takes is one data leak for someone to get into your account.

Think of multi-factor authentication (MFA) as adding an extra lock to your digital door. When it's turned on, a hacker needs more than just your password to break in, and that second factor is usually much harder to get hold of.

Using MFA gives you peace of mind, knowing you're protecting client information and lowering the risk of making a costly HIPAA mistake. Even if a password gets leaked, MFA adds a safety net that helps keep your practice compliant and your clients' information secure. It also shows you take privacy seriously, something HIPAA auditors may appreciate.

And don't think MFA is just for big organizations. Smaller practices are just as vulnerable.

In September 2024, for example, Dr. Doug's Pediatric Dentistry discovered suspicious email activity that exposed the data of 3,590 people. This is just one of over 1,000 healthcare providers that have experienced a breach affecting 500 or more individuals since September 2023.

Don't wait for something to go wrong before protecting your practice.

Does HIPAA require multi-factor authentication?

The HIPAA Security Rule requires covered entities to verify the identity of anyone trying to access electronic protected health information. However, it doesn't spell out exactly how to do that. So for now, MFA isn't officially required.

But that could change soon. With breaches affecting practices of all sizes, regulators are stepping in, with proposed updates to the rule recommending that MFA be made mandatory.

If this update becomes law, all healthcare providers will need to use MFA. Starting now puts you a step ahead and gives your practice extra protection in the meantime.

Busting multi-factor authentication myths

Although many companies have already adopted MFA, some are still dragging their feet. Why? They might be buying into a few common myths.

It's a hassle

Some people think MFA is too complicated to set up and use.

But that's just not true. You don't need to be tech-savvy to set it up. It takes just a few minutes, and if you've ever received a code by text or email, you've already used MFA without even realizing it.

And once you're used to it, signing into your account is easy.

It takes too long to sign in

It does take a little longer to sign in using MFA. But those few minutes are worth the extra security you're getting.

And compared to the time and stress it takes to deal with a data breach, MFA is a breeze.

What if I lose my phone and can't receive texts?

Losing your phone is definitely annoying, but it won't lock you or your employees (if you have them) out of important accounts.

Phone numbers can usually be transferred (ported) to a new device quickly and easily.

And whether you're using text messages or an app to verify your identity, there are always ways to recover your accounts. At Hushmail, for example, we provide a backup verification code just for situations like this. And our Customer Care team is there if you need it.

Worried someone might use your lost or stolen phone to access your accounts? Even with your phone, they would still only have one of the two factors needed to identify you. That's why MFA is so powerful.

How to set up two-step verification in Hushmail

At Hushmail, we're all about security, so we have two-step verification ready to go. It doesn't take long to turn it on. Here's how to do it:

  1. Sign in to your Hushmail account.
  2. Go to the Preferences page by clicking the menu in the upper right corner.
  3. Select the Security tab and click the pencil icon to edit your preferences.
  4. Select the drop-down menu to change your two-step verification preference from "Off" to "On," then click Continue.
  5. Choose your preferred verification methods (email, text message, or smartphone app) and click Continue. You must choose at least two.
  6. The system walks you through your chosen verification methods one at a time. For example, if you chose "By email," you will need to enter your email address and click Continue.
  7. Hushmail will send a verification code via the methods you selected. Type the code you received in the provided fields and click Continue.
  8. Turn on two-step verification by clicking the Turn on two-step verification button.

At this point, the system will generate a backup verification code. Keep it safe. It can be used to access your Hushmail account if your phone is lost or you don't have access to your email.

When you sign in for the first time after switching to two-step verification, you'll be asked to have a verification code sent to you via one of your chosen methods. Once you enter the code, your device will be fully registered.

If you need help signing in to your Hushmail email after turning on two-step verification, our Customer Care team is ready to help.

Adapting to new realities

Technology is evolving, and online threats are on the rise. Both regulators and healthcare professionals are adjusting to keep up with these new challenges.

Now, more than ever, it's crucial to protect your practice and the sensitive information clients share with you. Using secure, encrypted email and turning on two-factor authentication is the new normal. Plus, it's an easy and effective place to start.

Ready to take the next step in protecting your clients' information?