Google sets mandatory MFA deadline for all cloud accounts

The computing giant says it will phase its roll-out of required multi-factor authentication to all users worldwide next year.
By Andrea Fox
10:15 AM

To enhance security, Google is making multi-factor authentication mandatory on all Cloud accounts by the end of 2025. The company said Monday that it would also send advance notifications to enterprises and help them plan their MFA deployments.

"We've seen firsthand how it strengthens security without sacrificing a smooth and convenient online experience," Mayank Upadhyay, Google Cloud vice president of engineering, wrote on the company's blog. 

WHY IT MATTERS

While MFA for general consumer Google accounts will remain encouraged, the mandate applies only to business and enterprise admin and user accounts, according to Upadhyay's explanation of why the move to MFA is so critical.

"This shift is backed by strong evidence both from our own experience and from U.S. government agencies," he wrote in the blog.

"The Cybersecurity and Infrastructure Security Agency found that MFA makes users 99% less likely to be hacked, a powerful reason to make the switch."

Of note, earlier this month, the company made several new artificial intelligence-enhanced features available to healthcare customers to accelerate their digital transformation. 

Google released new tools on Healthcare Data Engine, used to advance use of generative AI to improve operations and enhance patient care, and launched Vertex AI Search for Healthcare, which the company said in a statement can help developers build better administrative tools for healthcare workers. 

AI systems can attract adversarial attacks that could manipulate medical decision-making. At a time when CISA, U.S. Health and Human Services and other agencies are leveraging regulatory tools to protect the whole critical healthcare sector from frequent attacks of epidemic proportions, it's logical for cloud companies like Google to gate their products with secure-by-design approaches that can help prevent cyberattack disruptions. 

The MFA mandate will be phased but has already begun. According to Upadhyay, users will start to see "helpful reminders and information in the Google Cloud console, including resources to help raise awareness, plan your rollout, conduct testing and smoothly enable MFA for your users." 

By early next year, all new and existing users who sign in with a password will be required to make the switch to Google's two-step verification. Then, later in 2025, all Google Cloud federated users will be required to meet the standard. Upadhyay said in the blog the company will offer several options for them.

"For example, you can enable MFA with your primary identity provider before accessing Google Cloud — we will be working closely with identity providers to ensure there are standards in place for a smooth hand-off," he explained. 

"Alternatively, you can add an extra layer of MFA through your Google account if you prefer to use our system."

THE LARGER TREND

Many healthcare organizations manage applications and infrastructure in the cloud, but also behind remote desktop protocols, which they can use to connect users to cloud servers. 

Pledging to rebuild Change with cloud-based security, UnitedHealth Group CEO Andrew Witty told members of Congress in May that legacy systems were blamed for the duration of the February ransomware take-down of nationwide payment processing subsidiary Change Healthcare.

But he also said in his written testimony that the hackers' pathway to Change's troves of protected health information on February 12 began at a desktop remote access portal that did not have MFA turned on.

"The portal did not have multi-factor authentication," he said. 

"Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later."

ON THE RECORD

"We’ve been strong advocates for our MFA system for over a decade, and we're here to help you with this important security upgrade," Upadhyay said in the blog announcement.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
