BACKGROUND
In this rapidly advancing digital landscape, the security of Electronic Health Records (EHRs) is increasingly dependent on robust authentication and access control measures. Despite advancements in cybersecurity, South African public hospitals are particularly vulnerable to, and targeted by, cyber-attacks and data breaches because of weaknesses in username and password-based authentication. These vulnerabilities pose substantial risks to the security and privacy of EHRs and cause huge disruptions to public hospitals.
OBJECTIVE
Because these vulnerabilities have the potential to cause widespread disruption and harm, this study aims to propose a framework for integrating Multi-Factor Authentication (MFA) to enhance user authentication and access control to EHRs in South African public hospitals.
METHODS
A qualitative research design was employed to understand security vulnerabilities and risks in password authentication within public hospitals. The study conducted semi-structured interviews with 15 purposively selected IT technicians, network controllers, and IT managers working in public hospitals. All interviews were audio-recorded, transcribed verbatim, and analyzed using thematic analysis and NVivo version 12. The study applied a conceptual framework grounded in Protection Motivation Theory.
RESULTS
The analysis revealed that public hospitals experienced authentication vulnerabilities such as username enumeration, broken authentication, weak credentials, and credential leakage. Phishing, cryptojacking, ransomware, and password attacks were among the security incidents encountered in public hospitals. Participants expressed that security vulnerabilities in hospitals are due to weak and easily guessable passwords created by staff, the reuse of the same password across multiple systems, irregular password updates, reliance on legacy systems, writing down passwords on paper, and the lack of regular updates to Windows Firewall and Microsoft Defender Antivirus.
CONCLUSIONS
The study emphasizes the need for developing robust password policies, modernizing legacy systems, and promoting cybersecurity awareness training in public hospitals. Furthermore, the study suggests a framework for public hospitals to effectively address authentication vulnerabilities and reinforce data security. The study concludes that, despite the ongoing vulnerabilities and weaknesses of password and username-based authentication, the integration of MFA offers a scalable solution to significantly improve the security and access control of EHRs in public hospitals.