Google is setting a mandatory MFA deadline for all cloud accounts

To improve security, Google will require multi-factor authentication on all Cloud accounts by the end of 2025. The company said Monday it would also send advanced notifications to companies and help plan their MFA implementations.

“We’ve seen firsthand how it improves security without sacrificing a smooth and convenient online experience,” Mayank Upadhyay, Google Cloud’s vice president of engineering, wrote on the company’s blog.

WHY IT’S IMPORTANT

While MFA Google accounts will continue to be encouraged for general consumers, the mandate only applies to all business and enterprise administrator and user accounts, according to Upadhyay’s explanation of why the move to MFA is so crucial.

“This shift is supported by strong evidence, both from our own experience and from US government agencies,” he wrote in the paper blogging.

“The Cybersecurity and Infrastructure Security Agency found that MFA makes users 99% less likely to be hacked, a powerful reason to make the switch.”

Note that earlier this month, the company made several new AI-enhanced features available to healthcare customers to accelerate their digital transformation.

Google released new tools on Healthcare Data Engine, which are used to advance the use of generative AI to improve operations and improve patient care, and launched Vertex AI Search for Healthcare, which the company said in a statement can help developers build better administrative tools for healthcare professionals.

AI systems can attract hostile attacks that can manipulate medical decision-making. At a time when CISA, US Health and Human Services, and other agencies are using regulatory tools to protect the entire critical healthcare industry from frequent attacks of epidemic proportions, it makes sense for cloud companies like Google to provide their products with secure-by-design approaches. that can help prevent disruptions from cyber attacks.

The MFA mandate will be phased in, but has already started. According to Upadhyay, users will begin to see “helpful reminders and information in the Google Cloud console, including resources to increase awareness, plan your deployment, run tests, and smoothly enable MFA for your users.”

Early next year, all new and existing users who log in with a password will have to switch to Google’s two-step verification. Later in 2025, all federated users of Google Cloud will be required to comply with the standard. Upadhyay said in the blog that the company will offer various options for them.

“For example, you can enable MFA with your primary identity provider before accessing Google Cloud. We will work closely with identity providers to ensure standards are in place for a smooth transfer,” he explains.

“Alternatively, you can add an additional layer of MFA through your Google account if you prefer to use our system.”

THE BIG TREND

Many healthcare organizations manage applications and infrastructure in the cloud, as well as behind remote desktop protocols, which allow them to connect users to cloud servers.

UnitedHealthGroup CEO Andrew Witty pledged to rebuild Change with cloud-based security, telling members of Congress in May that older systems were blamed for the duration of February’s ransomware takedown of national payment processing subsidiary Change Healthcare.

But he also said it in his writing testimony that the hackers’ path to Change’s trove of protected health information began on February 12 on a desktop remote access portal that did not have MFA enabled.

“The portal did not have multi-factor authentication,” he said.

“Once the threat actor gained access, they moved laterally within the systems and exfiltrated data in more sophisticated ways. Ransomware was deployed nine days later.”

ON THE RECORD

“We have been strong proponents of our MFA system for over a decade and we are here to help you with this important security upgrade,” Upadhyay said in the blog announcement.

Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.