If you asked most healthcare security leaders whether multi-factor authentication is important, the answer would be an unequivocal yes. MFA is widely understood to be one of the most effective controls against credential-based attacks, which remain the primary vector in the majority of healthcare data breaches.
And yet, MFA adoption across healthcare remains inconsistent. Many organizations have deployed it selectively — covering remote access and administrator accounts — while leaving significant portions of their clinical workforce on single-factor authentication.
The reasons are understandable. They are also no longer acceptable.
The Resistance Is Real — And Partially Justified
Healthcare is not a typical enterprise environment. The operational realities that make MFA deployment difficult in clinical settings are genuine:
Shared Workstations
In most office environments, employees have assigned desktops or laptops. In healthcare, clinicians move between dozens of shared workstations during a single shift. A nurse in a 40-bed unit might log into 15 different terminals over 12 hours. Traditional MFA — enter your password, pull out your phone, approve the push notification — adds friction to every single one of those transitions.
When you are responsible for patient care, a 30-second authentication delay is not a minor inconvenience. Multiply it across every login, every shift, every clinician, and you have a workflow disruption that clinical leadership will push back on — hard.
Mobile Device Restrictions
The most common MFA implementation — a push notification to a mobile authenticator app — assumes the user has a personal device nearby. In many clinical areas, personal mobile phones are restricted or prohibited. Operating rooms, sterile environments, and some patient care areas do not permit personal devices.
You cannot build an MFA strategy around a device your clinicians are not allowed to carry.
PPE and Biometric Limitations
Fingerprint readers do not work reliably when clinicians are wearing gloves. Facial recognition fails when staff are wearing surgical masks or N95 respirators. These are not edge cases in healthcare — they are the daily operating environment.
Clinical Culture
Healthcare has a deeply embedded culture of prioritizing patient care speed over administrative process. Security controls that are perceived as slowing down care delivery face institutional resistance. When a physician says "this login process is adding time between me and my patient," that concern carries enormous organizational weight — and rightfully so.
The Resistance Is Also Increasingly Dangerous
Understanding why healthcare resists MFA does not change the fact that single-factor authentication is the primary enabler of credential-based attacks. And credential-based attacks are devastating healthcare organizations at an accelerating rate.
The Stryker attack in March 2026 was enabled by a compromised Global Administrator credential — a single stolen password that gave attackers the ability to wipe 200,000 devices across 79 countries. The attack used no malware. Just a credential and a legitimate management tool.
This pattern repeats constantly across healthcare. Phishing campaigns harvest credentials. Credential stuffing attacks exploit password reuse. Stolen credentials from dark web marketplaces are used to access VPNs, email, EHR systems, and cloud environments.
MFA does not prevent every attack. But it prevents the most common ones. Microsoft has reported that MFA blocks over 99 percent of automated credential attacks. That single statistic makes the cost-benefit calculation unambiguous.
The "Addressable" Loophole Is Closing
Under the current HIPAA Security Rule, MFA falls under the "addressable" implementation specification. This has allowed organizations to document why MFA is not reasonable or appropriate for their environment and implement alternative measures — or in some cases, simply accept the risk.
The proposed HIPAA Security Rule changes eliminate the distinction between required and addressable specifications. MFA becomes mandatory for all interactive workforce access to ePHI. No exceptions. No documented alternatives. No "we plan to implement it next year."
The rule is expected to be finalized by May 2026, with compliance required within 180 to 240 days — putting the deadline in late 2026 or early 2027.
For organizations that have been deferring MFA deployment, the window for voluntary adoption is closing. What follows will be mandatory compliance under a compressed timeline.
MFA in Healthcare Is a Solved Problem
The operational barriers to MFA in healthcare are real, but they are not unsolvable. Multiple vendors have built MFA solutions specifically for clinical environments:
Badge Tap Authentication
Clinicians already carry proximity badges for physical access. Badge-tap authentication uses the same credential for logical access — tap your badge on a reader at any workstation and you are authenticated. The badge is the possession factor; pairing it with a PIN as the knowledge factor makes the login genuinely multi-factor while adding minimal friction to clinical workflows.
Proximity-Based Authentication
Some solutions use Bluetooth proximity detection to authenticate users when they approach a workstation and lock the session when they walk away. No phone required. No manual login. The system recognizes who is at the terminal and adjusts accordingly.
Continuous Authentication
Newer approaches use behavioral biometrics — typing patterns, mouse movement, interaction patterns — to continuously verify that the person using the system is the authenticated user. This eliminates the need for repeated MFA prompts during a shift while maintaining a strong security posture.
Desktop Single Sign-On With MFA
Enterprise SSO solutions integrated with MFA allow clinicians to authenticate once at the start of their shift and then use tap-to-access for subsequent workstation transitions. The MFA challenge happens once. The workflow friction is minimized.
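The badge-tap-plus-PIN login and the once-per-shift SSO pattern described above, modelled as an added example. This is illustrative code written for this article, not code from the original post or from any vendor product; the badge serials, PINs, 12-hour shift lifetime and five-attempt PIN lockout are constructed assumptions. The model shows the design points a security reviewer looks for: the PIN is stored as a salted PBKDF2 hash and compared in constant time, the full two-factor challenge happens only when no valid shift session exists, a later tap at another workstation re-binds the existing session rather than prompting again, a walk-away lock leaves the session intact but unusable until the next tap, and an expired session forces the PIN again.

```python
"""Badge-tap + PIN shift sessions (illustrative model, not a vendor implementation)."""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 100_000
SHIFT_TTL_SECONDS = 12 * 60 * 60   # assumed policy: one full MFA per 12-hour shift
MAX_PIN_FAILURES = 5               # assumed policy: lock the badge after 5 bad PINs


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a leaked directory does not leak PINs."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


class BadgeDirectory:
    """Maps badge serials to users and stores salted PIN hashes (constructed data)."""

    def __init__(self):
        self._records = {}   # badge_id -> (user, salt, pin_hash)
        self._failures = {}  # badge_id -> consecutive failed PIN attempts

    def enroll(self, badge_id, user, pin):
        salt = os.urandom(16)
        self._records[badge_id] = (user, salt, hash_pin(pin, salt))
        self._failures[badge_id] = 0

    def verify(self, badge_id, pin):
        """Return the user on a correct PIN, else None (unknown, wrong PIN, or locked)."""
        record = self._records.get(badge_id)
        if record is None:
            return None
        if self._failures[badge_id] >= MAX_PIN_FAILURES:
            return None  # locked: needs an out-of-band reset, not more guesses
        user, salt, stored = record
        if hmac.compare_digest(hash_pin(pin, salt), stored):
            self._failures[badge_id] = 0
            return user
        self._failures[badge_id] += 1
        return None


class ShiftSessionService:
    """One shift session per badge, active on at most one workstation at a time."""

    def __init__(self, directory, clock=time.time):
        self.directory = directory
        self.clock = clock
        self._sessions = {}  # badge_id -> {"user", "expires", "workstation"}

    def tap(self, badge_id, workstation, pin=None):
        """Badge tap at a workstation.

        Returns "unlocked" (session now on this workstation), "pin_required"
        (no valid shift session, so the full badge+PIN challenge is needed),
        or "denied" (unknown badge, wrong PIN, or locked badge).
        """
        session = self._sessions.get(badge_id)
        if session is not None and self.clock() < session["expires"]:
            session["workstation"] = workstation  # the previous workstation is now locked
            return "unlocked"
        self._sessions.pop(badge_id, None)  # discard an expired session
        if pin is None:
            return "pin_required"
        user = self.directory.verify(badge_id, pin)
        if user is None:
            return "denied"
        self._sessions[badge_id] = {"user": user, "workstation": workstation,
                                    "expires": self.clock() + SHIFT_TTL_SECONDS}
        return "unlocked"

    def walk_away(self, badge_id, workstation):
        """Proximity lock: keep the session but detach it from the workstation."""
        session = self._sessions.get(badge_id)
        if session and session["workstation"] == workstation:
            session["workstation"] = None
            return True
        return False

    def active_workstation(self, badge_id):
        session = self._sessions.get(badge_id)
        if session is None or self.clock() >= session["expires"]:
            return None
        return session["workstation"]


def demo():
    """Walk one constructed shift through the service with a controllable clock."""
    clock = {"t": 0.0}
    directory = BadgeDirectory()
    directory.enroll("BADGE-1234", "nurse.a", "4821")   # constructed badge and PIN
    svc = ShiftSessionService(directory, clock=lambda: clock["t"])
    steps = [
        svc.tap("BADGE-1234", "WS-01"),              # no session yet: PIN required
        svc.tap("BADGE-1234", "WS-01", pin="0000"),  # wrong PIN: denied
        svc.tap("BADGE-1234", "WS-01", pin="4821"),  # full MFA once: unlocked
        svc.tap("BADGE-1234", "WS-07"),              # next workstation: tap only
    ]
    svc.walk_away("BADGE-1234", "WS-07")
    steps.append(svc.active_workstation("BADGE-1234"))  # locked, nothing active
    clock["t"] += SHIFT_TTL_SECONDS + 1                  # shift over
    steps.append(svc.tap("BADGE-1234", "WS-03"))         # expired: PIN required again
    return steps


if __name__ == "__main__":
    print(demo())
```

The single-active-workstation rule is what turns "tap to access" into a safe convenience: moving the session to a new terminal implicitly locks the old one, so an unattended session left on a corridor workstation cannot be reused after the clinician has tapped in elsewhere.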
None of these solutions are theoretical. They are deployed in health systems today. The technology is mature. The integration paths are well-documented. The clinical workflow impact has been validated in real environments.
What Healthcare Leaders Should Do Now
1. Stop Framing MFA as an IT Project
MFA deployment in healthcare is an organizational change management initiative, not a technology project. The technology is the easy part. The hard part is clinical workflow design, stakeholder alignment, and rollout planning. Engage clinical leadership early and design the solution around their workflows, not the other way around.
2. Map Your Current State Honestly
Where is MFA deployed today? Where is it not? Be specific. Remote access VPN with MFA is good, but if your clinicians are accessing the EHR from shared workstations with just a password, your most sensitive system is your least protected.
3. Evaluate Healthcare-Specific Solutions
Do not try to force a generic enterprise MFA solution into a clinical environment. Evaluate solutions designed for healthcare — badge tap, proximity auth, continuous authentication. Schedule vendor demos with your clinical staff, not just your IT team.
4. Plan for the Mandate
The proposed HIPAA Security Rule will require MFA for all ePHI access. Build your project plan now. Budget for it in your next fiscal cycle. Identify a pilot unit and start testing. Organizations that are mid-deployment when the rule is finalized will have a dramatically easier compliance path than those that are starting from scratch.
5. Quantify the Risk of Inaction
If your organization experiences a credential-based breach that MFA would have prevented, the regulatory, financial, and reputational consequences will far exceed the cost of deployment. The Stryker incident demonstrated what a single compromised credential can do. Make sure your leadership team understands that the cost of MFA is not just the technology — it is the alternative.
The Bottom Line
Healthcare's resistance to MFA has been understandable. Shared workstations, clinical workflow constraints, and mobile device restrictions create real deployment challenges that other industries do not face.
But the threat landscape has made single-factor authentication indefensible. The regulatory landscape is about to make it non-compliant. And the technology landscape has produced solutions specifically designed for the operational realities of healthcare.
The organizations that deploy MFA now — thoughtfully, with clinical input, using healthcare-appropriate solutions — will be ahead of the mandate and ahead of the threat. The ones that continue to defer will find themselves scrambling to comply under pressure, competing for vendor resources with every other healthcare organization that waited too long.
The time to act is before the rule is finalized. Not after.
Jackal Group advises healthcare organizations on security program maturity, including identity and access management strategy. Contact us to discuss your MFA readiness.