Protecting vulnerable clients’ data has never been more important, as cybersecurity attacks have proliferated and become increasingly easy to perform. What should health and human service organizations do to increase their security? We have one suggestion: look for case management software that supports 2-step verification.
Data breaches and other cyber attacks are real threats that affect not only governments and banks but also everyday people, illustrated by an ongoing database of healthcare data breaches that affect thousands of individuals. Even social services and behavioral health can be targets for ransomware.
In case management software, robust security measures are becoming more and more necessary to protect the confidentiality and data of social service clients. That’s why we’ll guide you through one of the most fundamental features of added data security that’s becoming more widely adopted: 2-step verification (2SV).
Case Management Requires Advanced Authentication Now
Case management software is designed to help social service and healthcare organizations manage and track client information. This involves a lot of sensitive data, including:
- Personally identifiable information (PII): This includes names, addresses, Social Security numbers (SSNs), and contact information. Unauthorized access to PII could lead to identity theft, which of course would be even more devastating to clients experiencing domestic violence, homelessness, or refugee status in a new country. (It’s worth noting that refugees face an even harder time than most navigating the bureaucracy of government and social services.)
- Health records: For communities that share data between social service and healthcare providers within the Continuum of Care program, a failure to protect health information (e.g. diagnoses, prescriptions, treatment notes) could be devastating to a homeless client if their data is tampered with in any way.
- Financial information: Most case management systems won’t store banking information per se, but they often will store details like earned income, alimony or spousal support, disability compensation, Workers’ Compensation, or Social Security Disability Insurance. Any of this information could be used for phishing attempts or other forms of fraud.
- Case notes and documents: Health and human services stand at the nexus between legal, family, medical, and other health issues. Exposure of a client’s sensitive information could result in serious personal harm.
Why 2-Step Verification Is Necessary
Passwords are not enough to protect us from cyber threats. There are about 1,000 password-hacking attempts every second, often done in what are known as “brute force” attacks, where malicious actors try one password guess after another until they find the right one. There are also more sophisticated methods, like phishing, where scammers try to obtain sensitive information from you directly: a phone call imitating your bank, an email with a seemingly legitimate link that leads to a page where you enter your password, and so on.
In other words, it’s easier than it used to be for cyber criminals to get your login credentials.
2SV helps keep these phishing attempts from taking hold because it adds another step, another layer of security, to the login: a stolen password alone is no longer enough to sign in. Using an authenticator app instead of a 6-digit text code is also more secure because of SIM swapping, a practice where malicious actors take over your phone number so that the SMS code is delivered to them instead of you.
How 2-Step Verification Protects Client Data
2-step verification protects client data because it helps verify the identity of a user when they try to sign in to a system. Multi-factor authentication (MFA), a broader term, is sometimes used interchangeably with 2-factor authentication (2FA) and 2-step verification (2SV). While there are some nuanced differences between the three terms, for our purposes we’ll stick with 2SV.
2SV works this way in ClientTrack:
- The user signs in with their username and password. This is considered a “knowledge” identifier, as no one else should have the user’s login info.
- The user is prompted by the system for a verification code from an authenticator app, like Authy or Google Authenticator. This is considered a “possession” identifier, as no one else should have access to the specific device on which the linked authenticator app is installed.
- The user enters the code (also called a Time-Based One-Time Password, or TOTP) from the authenticator app.
It’s worth noting that 2SV functions differently in other systems, as there are multiple kinds of authentication factors:
- Knowledge-based (often the first factor), like a password or PIN;
- Possession-based (often the second factor), like a smartphone or USB key; and,
- Identity-based (often a second or third factor), like a fingerprint or face recognition.
Some applications offer single sign-on (SSO) so an external identity provider (e.g., Google, Microsoft, Facebook) can be used for logging in, and many of those identity providers offer multiple authentication factors for the many reasons already described in this article.
ClientTrack users, for example, can use 2SV for SSO if their organization enables optional SSO.
Embracing a Culture of Cybersecurity
Cybersecurity measures can be a little inconvenient compared to the early days of software use and online accounts. But consider the outsized costs of a data breach against the minor additional step of verifying your identity when handling sensitive client information.
“Trust, but verify” started as a political phrase during the waning years of the Cold War, but now it’s shared as a mantra among the armed services, cybersecurity experts, and acclaimed journalists alike. And as the tech landscape becomes more advanced and complex, embracing a culture of cybersecurity can only help in the fight to secure client data from bad actors.
That’s why ClientTrack has developed 2-step verification for all case management environments. If your organization’s current case management system lacks this essential feature, our experts are ready to help you understand the benefits of ClientTrack when you schedule a demo.