Colleges and universities serve a diverse group of information technology customers. Those customers generally fall into three distinct groups: faculty, staff, and students. Because of the nature of the services these institutions provide, they are held accountable for meeting requirements associated with a variety of laws, regulations, and standards.
As a consequence, security and privacy, particularly as they relate to the institution's custodial responsibility for the data it uses and stores, should be of paramount concern. Below is a brief list that helps identify an institution's responsibilities:
- HIPAA. This federal legislation sets privacy and security requirements for protected health information (PHI), including electronic health records (EHRs). It is relevant because educational institutions commonly offer students access to on-campus health services akin to what you would receive at a typical medical facility. One caveat: records a campus clinic keeps on students are often FERPA education or treatment records rather than HIPAA records, so an institution should determine which regime governs each system before designing its controls.
- HITECH Act. This federal act complements HIPAA by encouraging healthcare providers to adopt EHRs and to improve privacy and security protections for healthcare data. This was achieved through financial incentives for adopting EHRs and increased penalties for violations of the HIPAA Privacy and Security Rules.
- Family Educational Rights and Privacy Act (FERPA). This federal law protects the privacy of student education records. It applies to all schools that receive funds under an applicable program of the U.S. Department of Education. The term “records” is extremely broad in scope, and includes financial data such as that relating to student financial aid and loans.
- California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). Together, these California laws give California consumers broad rights over how businesses collect, keep, and use their personal information. The CPRA goes into effect on Jan. 1, 2023. While many academic institutions will likely not face financial exposure because of their non-profit status, their contractors and service providers that handle student data may.
- PCI DSS. The Payment Card Industry Data Security Standard is a widely accepted set of requirements for protecting cardholder data in credit, debit, and prepaid card transactions. It applies wherever a campus accepts card payments, such as tuition, bookstores, dining, and parking.
Unlike most businesses, colleges and universities have little control over who can access their computer networks. The California community college system has an open enrollment policy. This means, for example, that someone recently convicted of committing a computer-related crime could not be denied admission.
With admission, the process of providing a network account is generally automatic. That access matters most where classes are designed around learning management systems and other applications.
Given how little control the institution has over who is allowed on the network, Identity and Access Management (IAM) controls are of utmost importance. Academic institutions are, more often than not, slow to adapt to and adopt changes in technology. Principles like academic freedom, and tenured faculty resistance to change, come into play even for relatively simple changes.
A good example is an institution's decision to implement multifactor authentication (MFA) as a defensive measure to reduce the likelihood of a ransomware attack, since most such attacks begin with a stolen or phished password. For a typical business this would be a relatively simple decision. That isn't true for colleges and universities: every decision must be made collaboratively, with representatives of management, staff, faculty, and students involved.
5 Schools, 5 Different User Authentication Systems
During this calendar year I've taught at five different academic institutions. The process for user authentication is different at each of them. One college continues to require only single-factor authentication (username and password). Two send a six-digit code by SMS to a mobile phone. However, at one of those colleges, users have the ability to disable two-factor authentication, a practice common among those who view the additional step as burdensome. The other two use an authenticator application installed on a mobile phone.
One college where I taught for 18 years was hit by a devastating ransomware attack last year. Based on information I have been told, this attack would likely not have occurred if quality MFA had been in place. My understanding is that two-factor authentication is now in place for access to some of its critical services and resources, but, according to its website, that isn't true for email service unless the user sets it up.
Lawsuit Damages Could Be Worse Than Ransomware Payments
The importance of MFA implementation is heightened by another potentially devastating financial effect: legal action. For instance, Napa Valley College was hit with a ransomware attack last month. Of special interest in this case is that an article disclosing the attack is on a practicing attorney's website.
It is reasonable, in my opinion, to conclude the placement was designed to serve as an advertisement for potential clients in a yet-to-be-filed class action lawsuit. Class action lawsuits are becoming a common response to ransomware attacks, as a search of sites like Top Class Actions shows.