November 8, 2018

Multi-factor authentication coming for C2HR users

Like employees the world over, Vanderbilt University Medical Center email system users are prey to frequent email spoofs, by which would-be identity thieves attempt to steal employee login credentials.

Like employees the world over, Vanderbilt University Medical Center email system users are prey to frequent email scams, by which would-be identity thieves attempt to steal employee login credentials.

When a phishing attack on an employee succeeds, the hacker might go first to the human resources system to get the employee’s bank account information (on file to allow automatic deposit of paychecks) and Social Security number.

To thwart this access, VUMC Enterprise Cybersecurity is instituting multi-factor authentication (MFA) for online access to sensitive account information held by Human Resources. Effective Nov. 19, MFA will be required when C2HR users attempt to access their direct deposit information, tax information or personal profile.

System users with mobile phones can choose to receive multi-factor authentication codes via a smartphone app or SMS text message. Find a link to the MFA mobile app on the Enterprise Cybersecurity website.

For users who lack a mobile phone, a so-called “hard token,” a pocket-sized device with a digital readout for display of authentication codes, is available upon request from Enterprise Cybersecurity. To request a hard token, visit the website at https://www.vumc.org/enterprisecybersecurity/mfa.

According to Andrew Hutchinson, executive director of Enterprise Cybersecurity, in the coming months additional VUMC systems will begin to require this form of user authentication.

“We’re beginning the switch to broad use of multi-factor authentication as an important new safeguard for our employees and our enterprise. Security attacks are unrelenting, and we view MFA as a vital and necessary addition to VUMC’s enterprise cybersecurity program,” Hutchinson said.

Beginning Nov. 19 C2HR users who are seeking access to sensitive account information will be directed to automated assistance for setting up multi-factor authentication on their mobile phone.

VUMC Enterprise Cybersecurity is providing enrollment assistance at locations across VUMC. For more information, visit the Enterprise Cybersecurity website at https://www.vumc.org/enterprisecybersecurity/.

MFA is already in effect at VUMC for electronic prescribing of controlled substances.