April 14

The New HIPAA MFA Requirement: A Practical Guide for Healthcare Practices

Multi-factor authentication (MFA) has been a cybersecurity best practice for years. Banks require it. Government agencies require it. Virtually every major SaaS platform offers it as a standard security feature. Yet across the healthcare industry, MFA adoption remains inconsistent at best, particularly among small and mid-sized practices where convenience and speed of access have historically taken priority over security controls. The proposed HIPAA Security Rule update changes this by making MFA a mandatory requirement for all access to systems containing electronic protected health information (ePHI).

For healthcare organizations that have already deployed MFA across their systems, this change formalizes a practice they already follow. For those that haven’t, the transition will require planning, investment, and a willingness to rethink workflows that have prioritized convenience for years.

In this article, we’ll examine what the proposed MFA requirement entails, where it will create the most friction, and how practices can prepare for a mandate that is long overdue.

What the Proposed Rule Requires

Under the proposed update to the HIPAA Security Rule, MFA moves from an addressable specification to a mandatory requirement. Every regulated entity, whether a covered entity or a business associate, will be required to implement MFA for all access points to systems containing ePHI. This applies to remote access, on-site access, cloud-hosted systems, and on-premises applications. There are no carve-outs based on practice size or organizational complexity.

The proposed rule does not prescribe a specific MFA technology. It requires that authentication involve at least two distinct factors, drawn from the standard categories: something the user knows (a password or PIN), something the user has (a physical token, smart card, or mobile device), or something the user is (a biometric identifier such as a fingerprint or facial recognition). The choice of implementation is left to the organization, but the requirement to deploy it is not. The proposed rule also ties MFA into broader access control requirements, including the mandate that terminated employees’ access to systems be revoked within one hour of separation and that new employees complete security training within 30 days of receiving access.

Why MFA Is Being Mandated Now

The short answer is that compromised credentials remain one of the most common entry points for healthcare data breaches. Phishing attacks that harvest usernames and passwords, credential stuffing attacks that exploit reused passwords across multiple platforms, and brute-force attacks against weak passwords all become significantly less effective when a second authentication factor is required. A stolen password alone is no longer enough to access a system if the attacker also needs a one-time code from the user’s phone or a biometric scan. The math is straightforward: MFA stops the majority of automated credential-based attacks before they begin.

OCR’s enforcement experience has reinforced this. Breach investigations consistently reveal that compromised user credentials were the initial point of entry, and that the affected organization had no MFA in place. The Change Healthcare ransomware attack in 2024, which disrupted claims processing across the entire U.S. healthcare system and exposed data on over 100 million individuals, was traced back to compromised credentials on a system lacking MFA. That single incident became one of the largest healthcare data breaches in history, and it was preventable with a control that would have cost a fraction of the damage it caused.

Where MFA Creates the Most Friction

The technical implementation of MFA is well understood. The challenge for healthcare organizations, particularly small practices, is operational. Clinical and administrative workflows in healthcare are designed around speed. Clinicians move between exam rooms and workstations throughout the day. Front desk staff constantly toggle between systems. Shared workstations are common in practices where multiple staff members access the same computer during a shift.

In these environments, MFA introduces friction at every login. If a clinician needs to authenticate with a password and a one-time code every time they sit down at a workstation, the cumulative time cost over the course of a day is meaningful. Multiply that across an entire practice, and the impact on productivity becomes a legitimate operational concern. Staff accustomed to quick-access workflows will resist changes that slow them down, and that resistance can undermine adoption if it isn’t addressed proactively.

The proposed rule also eliminates shared logins. Each user must have unique credentials, which means practices that have been using a single login for a shared front desk workstation or a communal tablet will need to provision individual accounts for every staff member who accesses ePHI. This is a foundational access control principle, but it represents a significant shift for practices where shared credentials have been the norm.

Choosing the Right MFA Approach

Not all MFA methods are created equal, and the right choice depends on your practice’s specific workflow requirements. The most common options include SMS-based one-time codes, authenticator apps, hardware tokens, smart cards, and biometric authentication. Each carries different trade-offs in terms of security, cost, and user experience.

SMS-based codes are the most familiar to users but are considered the least secure MFA option due to vulnerabilities like SIM swapping. Authenticator apps (such as Microsoft Authenticator or Google Authenticator) are more secure, free to deploy, and work on devices most staff already carry. Hardware tokens and smart cards offer strong security but add cost and logistics for managing physical devices. Biometric options, such as fingerprint readers on workstations or facial recognition, can significantly reduce friction in high-turnover environments like shared clinical workstations, though they require hardware investment.

For small practices looking to balance security, cost, and workflow impact, authenticator apps paired with single sign-on (SSO), where available, tend to offer the best return. SSO reduces the number of separate logins staff encounter throughout the day, while the authenticator app provides the second factor. For shared workstations, proximity-based solutions that authenticate a staff member when they are physically present can minimize disruption while maintaining compliance.
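As an added example (not code from the original post or from Axeleos), here is a minimal server-side verifier for the time-based one-time codes that authenticator apps generate (RFC 6238 TOTP), showing two checks a deployment should include: tolerance for small clock drift between the phone and the server, and rejection of a code that has already been accepted. It assumes 6-digit codes, 30-second steps and HMAC-SHA1, the defaults used by common authenticator apps; the secret in the test is the RFC 6238 test vector, not a real enrollment.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30  # standard TOTP time step
DIGITS = 6         # code length shown by most authenticator apps


def totp_at(secret_b32: str, unix_time: int) -> str:
    """Compute the TOTP code for a base32 secret at a given Unix time (RFC 6238, HMAC-SHA1)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = unix_time // STEP_SECONDS
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class TotpVerifier:
    """Server-side check: accept a code within +/- drift_steps, never accept the same step twice."""

    def __init__(self, secret_b32: str, drift_steps: int = 1):
        self.secret = secret_b32
        self.drift_steps = drift_steps
        self.last_counter_used = -1  # highest time step that has already succeeded

    def verify(self, code: str, unix_time: Optional[int] = None) -> bool:
        now = int(time.time()) if unix_time is None else unix_time
        current = now // STEP_SECONDS
        for counter in range(current - self.drift_steps, current + self.drift_steps + 1):
            if counter <= self.last_counter_used:
                continue  # replay protection: this step was already consumed
            expected = totp_at(self.secret, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_counter_used = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 test secret "12345678901234567890" in base32.
    demo_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    verifier = TotpVerifier(demo_secret)
    print(verifier.verify(totp_at(demo_secret, 59), 59))  # accepted once
    print(verifier.verify(totp_at(demo_secret, 59), 59))  # rejected as a replay
```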

Preparing Your Team for the Transition

The technical deployment of MFA is only half the challenge (and believe it or not, it’s the easy half). The other half is getting your staff to accept and adopt it. If MFA is rolled out without context, staff will see it as an inconvenience imposed by regulations they don’t understand. If it’s rolled out with clear communication about why it matters, how it protects the practice, and what steps are being taken to minimize disruption, adoption goes significantly more smoothly.

Start by explaining the rationale in terms that staff can relate to. A compromised login can give an attacker full access to patient records, billing systems, and scheduling platforms. MFA makes stolen passwords useless on their own. Frame it as a protection for the practice, for patients, and for staff whose professional lives would be disrupted by a breach.

Run a pilot with a small group before a company-wide rollout. Let them surface the workflow issues, identify where friction is highest, and help shape the final implementation. Staff who participate in the pilot become internal advocates rather than reluctant adopters. Build in a buffer period where the help desk or IT contact is readily available to troubleshoot issues. Anticipate the most common problems: staff who forget their phone and can’t generate a code, authenticator apps that require re-enrollment after a device change, and clinicians who find the extra step frustrating during high-volume clinic hours. Having documented workarounds for these scenarios prevents small annoyances from becoming adoption blockers.

And most importantly, document everything. The proposed rule will require evidence that MFA has been implemented and is functioning as intended. Maintaining records of your rollout timeline, pilot feedback, staff training, and ongoing compliance monitoring creates the audit trail regulators expect.

A Mandate That Was Inevitable

Mandatory MFA under the proposed HIPAA Security Rule changes is not a surprise. It is the regulatory system catching up to a security standard that every other major regulated industry adopted years ago. The healthcare sector’s historical resistance to MFA, rooted in legitimate workflow concerns but often sustained by inertia, has contributed to a breach landscape that grows worse every year.

The proposed rule draws a clear line: credentials alone are no longer sufficient to protect patient data. The final rule may adjust some details in response to extensive public comments, but the core MFA requirement has broad support and is widely expected to survive the rulemaking process. Organizations that wait for the final rule to begin planning will find themselves squeezed into a 240-day compliance window, with no room for the kind of deliberate, phased rollout that yields the best results.


At Axeleos, we help healthcare practices implement security controls like MFA in a way that meets regulatory requirements without paralyzing clinical workflows. Sentraeus360 provides the compliance framework and tools to deploy, document, and maintain the safeguards that auditors and regulators expect. If mandatory MFA has your practice rethinking its access controls, contact us today. The compliance clock will start sooner than you think.

