Transcript
[Transcript] Episode 440: MFA Made Easy with Google Authenticator
Evan Dumas
You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host, Evan Dumas.
Liath Dalton
And I’m Liath Dalton, and we are Person Centered Tech.
Liath Dalton
This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and electronic health record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user go to therapynotes.com and use promo code PCT.
Evan Dumas
Hello and welcome to Episode 440: MFA (Multi-Factor Authentication) Made Easy with Google Authenticator.
Liath Dalton
Indeed. And multi factor authentication is something that has great utility in terms of shoring up your security, and is actually something that is a required measure to implement anywhere that it is possible to implement it, right?
Evan Dumas
Mhm.
Liath Dalton
So basically, if you have HIPAA security policies and procedures that govern your systems use for systems that contain client info, one component of the policy requirements will be that multi factor authentication is enabled and required.
Liath Dalton
Now you know, Evan, do you want to share a little bit about what the actual benefits of multi factor authentication are, before getting into the nitty gritty of why Google Authenticator just makes it so much easier and better?
Evan Dumas
Yeah, totally. So back when passwords first became a thing, all you needed to do to log into sites was sort of know your username and password. Now, that was hard back in the day, because you had to memorize two bits of information, both your username and your password. But for anyone who had those two pieces of info, they could get into your account. And so that’s called single factor. You have one factor, and it’s the combo of those two things.
Evan Dumas
Now, the beauty of multi factor authentication, which thankfully has been gaining in popularity for the last 10 years, is having almost two separate devices or two different ways to log in. So you have the username and password combo, and then it has some secondary factor, that’s usually on another device or another means, that says, hey, is this really you? And so, you know, you log in on your computer and your cell phone gets pinged with a little code, and so you type that code in, because you are someone who has both access to the computer and the phone. And the benefits of this is that, back in the day, should your computer get taken, should one item be taken and it was just your username and password, boom, anyone could have access. But the chances that both are taken and you have access to all of these things is a lot less. So by adding these extra factors, you really create a lot more sense of security and a lot more difficulty for people to access your accounts.
Liath Dalton
That sounds very great and like something we all want, and need, to have in place. And one thing that we’ve always talked about in the context of multi factor authentication, are the sort of different flavors of factors, right? The password is something you know, a device that is recognized is something that you have. And then sometimes, if you’re using biometrics, that’s something that you are, right? And so having that combination of factors is what makes things so much stronger. And the Google Authenticator app specifically relates basically to the “something that you have” feature. So tell us what it is, Evan, and how it works.
Evan Dumas
Yeah, Google Authenticator is pretty sweet. So the way all of you know that two factor authentication worked in the past was, you’d log in and you’d get a text message. Text messages are also known as SMS, that stands for Short Message Service, and sure, you type in the code.
Evan Dumas
Google Authenticator is better for a few reasons. It is an app on your phone, and when you open it up and sync it with the service that has two factor, it gives you these, the set of digits that sort of repeat every 30 seconds and get a new set, that are just tied to you so you don’t have to get a text message. And why is this good?
Evan Dumas
Because Short Message Service text messages can be monitored or intercepted, or hackers can trick carriers into switching phone numbers to other devices so they can get yours, so they’re much more easily accessed. So someone somewhere could say, Oh yeah, I’m you. I’ll get that text, or I’ll see what the text is, and then log in as you and you don’t want that.
Evan Dumas
But Google Authenticator is an app purely just on your phone, can’t be copied or put on another device. It’s called a one time password. We don’t need to get into that. The best thing is, you’re not getting random texts, and you don’t have to wait for the text to come in, etc. You can just open up the app, look at the numbers, granted, you have 30 seconds to type them in. So sometimes you’re like, oh, it’s going to expire halfway through, I’m going to wait for the next batch. And then you type in the six digits.
Evan Dumas
And more and more services are using this. I use it on my phone. My bank has a login, my mail has a login, and all of these things have the little six digit codes. So whenever it pings me and says, Hey, are you really you, all I have to do is open up Google Authenticator, and it’s got all the codes right there. There’s no text, there’s no pop ups or anything like that. It’s all locked into my phone. Which is really nice and secure. Oh, one more last thing about the security of it being within my phone.
Liath Dalton
Mhm.
Evan Dumas
Sometimes when you get a two factor text and then it pops up on your screen and everyone can see it, or it pops up on any shared device. So that’s not as secure as having to unlock your device and open up an app, which is the best.
Liath Dalton
Exactly. And one of the other great benefits of it is, like Evan said, you can use the Google Authenticator with pretty much any service that supports two factor authentication. And increasingly, various service providers are specifically configuring their MFA settings to support use with Google Authenticator.
Liath Dalton
And so, for example, you want to be using it for your practice management system, because that’s a system that is containing the highest level of sensitivity for PHI, and want to have every possible safeguard in place to secure and protect it. So for example, Therapy Notes is one such EHR that can be used with Google Authenticator.
Liath Dalton
Now, a question that we have gotten related to Google Authenticator, though, is, well, this is obviously providing a key piece of security functionality. Is it HIPAA friendly, right? And are there particular HIPAA considerations around using it?
Evan Dumas
Yeah, I can speak to that for sure. So password management, and I guess security code management like this, is generally very, very HIPAA friendly, because it’s not handling PHI. And in an extra way, Google Authenticator, especially if you use Google Workspace with your account, you can tie it to your Google Workspace account, like you log in as that. Now, also really, really sweet thing about this, you don’t have to have a Google account to use Google Authenticator. It is an app that just works with the other services you have, so you don’t even need to be in sort of the Google world. But this service and password management services are totally HIPAA friendly, because they make securing your logins, et cetera, that much more easy, manageable, team friendly, etc. And so in this case, yeah, you don’t have to worry about PHI or get a BAA with it, and it’s wonderfully HIPAA friendly.
Liath Dalton
And so then what follows from that is, as with everything, is, are you using it appropriately? And the usage guidance then, for having Google Authenticator be part of the security measures that your practice leverages is going to be that any devices that the Google Authenticator is installed on should be secured devices. You want them to be hardened, and have gone through the process of putting the technical security measures in place that make that device safe for handling PHI and accessing systems that contain PHI.
Liath Dalton
So nothing additional is required beyond what already should be in place on practice owned or personally owned devices. And like Evan said, for those of you who are using Google Workspace, the Authenticator app can be tied to your and your staff’s individual Google Workspace user accounts, right? But if you are not utilizing Google Workspace, you can still use the Google Authenticator app for bolstering your security, for managing login credentials, and not have any need to get a BAA or sign up for Google Workspace in order to do it. So this is basically a useful tool that applies to every practitioner and provides great benefit, both for practice and PHI security, as well as personal security, right?
Evan Dumas
Mhm.
Evan Dumas
Totally.
Liath Dalton
And now, Evan, if someone asked, should I, do I need to set up different Google Authenticator app accounts for personal and practice work? What guidance would you give them on that?
Evan Dumas
Oh, no, not at all. You can def, like, because no one else has access to it, but you can use it for a variety of services, work and personal, and there’s no way that anything will swap between said services, because you’re just using it for that login security. So by all means, use it. Also, you can only really have one instance of the app on your machine anyways, it works on both iOS and Android devices, so yeah, just stick with one.
Liath Dalton
Exactly. And so what we would really recommend is that if this isn’t something that you’re currently utilizing in your practice, that you adopt it, and that maybe one of the security reminder items for the month, or action items for the month for your team is to direct folks to start utilizing the Google Authenticator app, and also use it as an opportunity to go through each of your practice’s systems, like your EHR and Google Workspace and your VoIP service, anything that contains client info, and making sure that if the service supports two factor authentication, that two factor authentication is enabled and ideally required.
Liath Dalton
So this can just be sort of an opportunity, or a prompt, to make sure those ducks are in a row and that you’ve taken this good security step for your practice and for your team. And it’s not time consuming or onerous, but really does have tremendous benefit, so definitely make use of it.
Evan Dumas
Yeah, totally.
Liath Dalton
Thanks for listening, and we hope you found this helpful. We’ll chat to you good folks next week.
Evan Dumas
Yeah, talk to you next week, everybody.
Liath Dalton
This has been Group Practice Tech. You can find us at personcenteredtech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast, or click podcast on the menu bar.
Your Hosts:
PCT’s Director Liath Dalton
Senior Consultant Evan Dumas
Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.
In our latest episode, we’re chatting about multi-factor authentication for group practices.
We discuss:
- What multi-factor authentication is and why it’s important
- Different types of factors for authentication
- What Google Authenticator is and how it works
- What accounts you can use Google Authenticator for
- HIPAA considerations for using Google Authenticator
- Using Google Authenticator appropriately in a group practice context
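The six-digit codes the episode describes are time-based one-time passwords (TOTP, RFC 6238), built on HMAC-based one-time passwords (HOTP, RFC 4226). As an added illustration that is not part of the episode, the show notes, or Google's own code, the following Python shows how a code is derived from the shared secret and the current 30-second time step, and how a verifying service checks it. The secret is the RFC 6238 test key (the ASCII string "12345678901234567890", which Google Authenticator would display base32-encoded in its QR code), the `TotpVerifier` class and its one-step tolerance window are this example's own design choices, and the replay check (never accepting the same time step twice) is a common hardening that the episode does not mention.

```python
"""Minimal RFC 4226 (HOTP) / RFC 6238 (TOTP) implementation.

Added example for illustration; not from the episode or from Google.
Uses only the Python standard library so it runs offline.
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test secret (ASCII). A real enrolment secret comes
# from the service's QR code or setup key, base32-encoded.
RFC_TEST_SECRET_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_secret(secret: str) -> bytes:
    """Turn a setup key as shown by a service (spaces, lowercase, no padding
    are all common) into the raw HMAC key bytes."""
    cleaned = secret.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore base32 padding
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, then the low `digits` digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second step.
    This is why the app shows a fresh code every 30 seconds."""
    return hotp(key, at_time // step, digits)


class TotpVerifier:
    """Server-side check (hypothetical helper for this example).

    Accepts the current step plus/minus `window` steps to tolerate clock
    skew and the "it expired while I was typing" case, and refuses to
    accept any time step at or before the last one already used, so a
    code that was observed once cannot be replayed.
    """

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key = key
        self.step = step
        self.digits = digits
        self.window = window
        self.last_accepted_counter = -1

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate <= self.last_accepted_counter:
                continue  # already consumed (or older): reject replays
            expected = hotp(self.key, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time compare
                self.last_accepted_counter = candidate
                return True
        return False


if __name__ == "__main__":
    key = decode_base32_secret(RFC_TEST_SECRET_BASE32)
    now = int(time.time())
    print("code for this 30-second step:", totp(key, now))
    print("seconds until it rotates:", 30 - now % 30)
```

Usage note: the same key enrolled in the phone app and stored by the service is the only shared state; nothing is transmitted at login time except the six digits, which is the property that removes the SMS interception and SIM-swap risks discussed in the episode. Anyone who obtains the base32 setup key, however, can generate the same codes, so the QR code and setup key deserve the same protection as a password.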
Therapy Notes proudly sponsors Group Practice Tech!
TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.
*Please note that this offer only applies to brand-new TherapyNotes customers
Resources for Listeners
Resources & further information
Resources:
- Google Help: Get Verification Codes with Google Authenticator
- Tech Target: What is Google Authenticator
- TherapyNotes: Setting Up & Using 2 Factor Authentication (Including Google Authenticator)
PCT Resources:
- Related Training (non-CE): Security Awareness Grab-Bag
- A collection of three short courses helping you and your staff maintain your security awareness through better handling of PHI in public, avoiding inappropriate disclosures, and preventing phishing and social engineering attacks.
- Group Practice Care Premium
- weekly (live & recorded) direct support & consultation service, Group Practice Office Hours — including monthly session with therapist attorney Eric Ström, JD PhD LMHC
- + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
- + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more
- HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.