Why Health Practitioners Should Care About Two-Step Verification

By now, we’ve probably all received suspicious emails and text messages. 

The kind that say things like:

“Click here to claim your free 365 day all-expense paid trip to the mediterranean!!!” 

“URGENT: IRS WILL GARNISH YOUR WAGES IF YOU DON’T CLICK HERE TO RESOLVE YOUR TAX ISSUE.”

Historically, these scams have been easy to spot. Their tells: too good to be true offers, urgent and threatening instructions, or messages riddled with typos and incoherent sentences. 

Why we all need two-step verification

Today, hackers are becoming increasingly clever with their tactics, using social engineering to introduce a convincing human element to their messaging. 

Before undergoing the extensive mandatory cybersecurity training for all SimplePractice employees, I had been reluctant to add the extra step of enabling two-factor authorization to better secure my personal Instagram and online banking.

Waiting for a text code on my phone, in addition to remembering my passcode, seemed like a cumbersome and unnecessary hurdle to access common software I used daily. 

Plus, I thought, who would want to hack me? 

Surely, there must be much bigger virtual fish to catch. 

After completing the required SimplePractice security training, it became increasingly apparent that—while no one is exempt from a data breach—cyber attacks can have a much more widespread and damaging impact for those in the healthcare industry.

However, opting for a more robust login method, like two-step verification, can be effective in thwarting the majority of common cybersecurity threats. 

For these reasons and many more that I’ll share below, SimplePractice has introduced a two-step verification feature to further secure and protect all customer accounts. 

This means that behavioral therapists, counselors, social workers, speech-language pathologists (SLPs), physical therapists (PTs), occupational therapists (OTs), clinical billers,  administrators, and all healthcare professionals using SimplePractice now have easy access to this important security feature.

Costly ramifications of healthcare data breaches 

According to a report issued by IBM, 2023 was the 13th consecutive year that the cost of data breaches in the healthcare industry had the highest cost of any industry, with an average cost of nearly $11 million. 

The same report identified phishing and stolen or compromised credentials as the most common reasons for a data breach. 

Microsoft reported that implementing multi-factor authentication reduces an organization’s cybersecurity risk by 99.9%.

Microsoft reported that implementing multi-factor authentication reduces an organization’s cybersecurity risk by 99.9%. 

Even more than the financial ramifications of a data breach, the costs for a healthcare provider’s or entity’s clients, along with their professional credibility and legal standing, can be detrimental.

HIPAA violations are subject to fines, and violators must notify those impacted—and, in cases affecting more than 500 people, they must notify a public news outlet. Plus, violators could even face civil or criminal legal proceedings. 

To protect clients, healthcare providers, and medical institutions from data breaches, it’s recommended to implement two-step verification. 

Authentication methods used to verify identity

Two-step verification is a form of multi-factor authentication (MFA) whereby login credentials are verified by more than one method of authentication. 

Instead of relying on single authentication login methods, like a pin or password, two-step verification requires the use of an additional method of verifying your identity. 

There are three ways of verifying your identity when logging in: 

1. Knowledge factors (something you know, like a pin or password).
2. Possession factors (something you have, like a code sent to your phone).
3. Inherence factors (physical details that prove who you are, like facial recognition or fingerprints). 

When you use a combination of two or more of these forms of verification, you’re increasing the security of your accounts and data. 

How to enable two-step verification on your SimplePractice account

Securing your clients’ records starts with securing your login credentials. 

It’s fast and easy to enable two-step verification in your SimplePractice account: 

1. First, go to your Settings > Profile & Security > Personal > SimplePractice security > Manage. 
2. Next, you’ll have the option of selecting a second verification method: either by using unique text codes, or a QR code and authentication app. 

3 security mistakes that caused major healthcare breaches

The financial, professional, and clinical risks associated with insecure electronic record keeping are innumerable. The use of two-factor verification almost certainly could have prevented the following hacks:

1. Credential misuse

In January 2023, a data-security breach involving an employee’s unauthorized access of patient records was reported at the DCH Health System in Tuscaloosa, Alabama. 

According to Reuters, the health system notified approximately 2,530 individuals that the employee may have “accessed and viewed information” for reasons that were not permitted by HIPAA’s “necessary use” clause. 

It is unclear whether this employee accessed patient information using their own login credentials, or a colleague’s; however, the verification of identity when accessing protected health information (PHI) is critical to complying with HIPAA. 

Many healthcare entities that use electronic health record (EHR) systems limit account access to their employees to prevent them from accessing documentation unrelated to their job duties. 

Even if access can’t be completely customized based on the employee’s duties, their activity can be accurately tracked if accessing their account with their own login credentials—thereby hastening the identification of the data breach culprit. 

However, none of these technical safeguards are relevant if the employee uses a colleague’s login credentials to access PHI. The use of two-factor authentication could effectively prevent employees from accessing PHI by using the login credentials of a colleague, in addition to ensuring that the account activity tracked on an EHR is accurate. 

2. Falling for a phishing attack

Phishing attacks are emails designed to entice victims into granting hackers access to their personal information. 

For example, phishing could be an email that appears to be from Amazon instructing you to click a login link to prevent your account from getting deactivated, but upon further inspection, you find the sender doesn’t have an Amazon email address. In this example, the hacker is attempting to trick you into sharing your Amazon login credentials through a fake Amazon page. 

According to a 2023 report by ProofPoint, 84% of organizations faced at least one successful phishing attack, and 44% of working adults thought emails containing familiar branding were safe. 

ProofPoint monitored the frequency of brand abuse, a social engineering tactic where hackers include branded content in their message to impersonate a familiar brand. With nearly 50 million instances of brand abuse reported among the most frequently impersonated brands—including Microsoft and Amazon—hackers have identified and continue to exploit common vulnerabilities in their victims’ online activity. 

An employee at Atrium Health in Charlotte, North Carolina, shared their login credentials in response to a phishing email sent by hackers, in an attempt to gain access to personally identifiable information (PII), which includes PHI. 

The employee of Atrium Health compromised the security of the entire organization by supplying the hacker with their login credentials, affecting 6,695 patients. 

Had Atrium Health required two-step verification, the hacker wouldn’t be able to access the employee’s account without additional information that verified their identity. 

In addition to enabling two-step verification, here are additional steps you can take to ensure secure HIPAA-compliant client messaging. 

3. Reusing passwords, making it easy for hackers to guess them

The process of guessing login credentials is called credential stuffing, or password spray, which is now more prevalent than ever. 

Telesign, a cybersecurity company, commissioned research that found 54% of people use five or less passwords for all their online accounts and 73% of all online accounts use duplicated passwords. Without unique and secure passwords, compromised credentials can be used to access multiple accounts. 

In an interview with Lifewire, Baber Amin, COO of digital identity experts, Veridium, explains that “leaked credentials don’t just compromise existing accounts[because] hackers now use them with AI-based analytical tools to identify patterns of how an individual creates passwords.”

In February 2023, CBS News reported that United Healthcare was the victim of “credential stuffing,” wherein a hacker guessed the login credentials for several members and accessed their accounts. 

Rather than solely relying on a username and password, which can be easily compromised, two-step verification further bolsters the security of an account by using other methods of identification. 

The importance of HIPAA and HITECH 

Clients’ and patients’ private health information was first protected nationwide in 1996 when the Health Insurance Portability and Accountability Act (HIPAA) became a federal law. 

HIPAA dictates how health care providers and covered entities use PHI to facilitate patient care without compromising the security of this highly sensitive information.

Here’s more information on what it means for behavioral health practitioners to be HIPAA-compliant.

Thirteen years after HIPAA, the Health Information Technology for Economic and Clinical Health Act (HITECH) was introduced—addressing the challenges of assuring privacy in the midst of significant technological advances in healthcare. HITECH extended HIPAA protections to electronic records. 

Although neither HIPAA nor HITECH mandate the use of MFA in safeguarding PHI, the Security Rule dictates that HIPAA-covered entities must verify and track the identities of all users on their systems to ensure authorized access to health records.

In the context of electronic health records, multi-factor authorization is the most secure method of verifying a user’s unique identity, when accessing ePHI. 

In 2020, the Office of Civil Rights (OCR) at the Department of Health and Human Services (HHS) published an audit that revealed most health workers and covered entities didn’t adequately safeguard PHI. The report identified strengthening authentication methods and verifying a user’s identity to be crucial in maintaining technical safeguards.

How SimplePractice helps practitioners ensure information security 

SimplePractice is committed to providing practitioners with HIPAA-compliant features to help ensure data security. 

Now, you can take the next step in ensuring your clients’ data security by setting-up two-step verification in your SimplePractice account. 

You can also take our comprehensive continuing education courses on HIPAA compliance. We’ve created an introductory HIPAA Compliance Course for Solo and Group Practices, as well as an Ongoing HIPAA Compliance Course—to bolster your practice’s security protocols. 

SimplePractice is HITRUST certified, which is the gold standard of security certifications in the healthcare industry. Learn more about all the ways we keep customer and client data safe on our security page.

SimplePractice provides HIPAA-compliant practice management and EHR features

SimplePractice practice management software is an EHR system with built-in online security features including HIPAA-compliant Secure Messaging. 

With SimplePractice, it’s easy to securely communicate with your clients and team members.

Try SimplePractice free for 30 days. No credit card required.

READ NEXT: The Key to HIPAA-Compliant Email for Therapists