TL;DR: Generic MFA fails in clinical settings because shared workstations, device handoffs, and time-critical workflows require fast, repeatable re-authentication and tight EHR integration, according to Imprivata. Healthcare access security only works when authentication is designed around clinician operations, not adapted after the fact.
At a glance
What this is: This interview argues that healthcare needs purpose-built MFA because generic access controls disrupt clinical workflows and create workarounds.
Why it matters: It matters to IAM practitioners because healthcare access design has to balance security, accountability, and speed across human identity, shared devices, and regulated workflows.
Context
Healthcare authentication fails when it is treated like a standard office login problem. Clinicians move between shared workstations, EHR sessions, mobile devices, and handoff-heavy workflows, so access controls have to preserve speed, accountability, and compliance at the same time.
The primary identity issue here is human IAM in a clinical environment, with strong spillover into lifecycle governance and privileged access oversight. If the authentication flow adds friction, clinicians work around it, and the security model starts to break at the point of use.
Key questions
Q: How should hospitals implement MFA without slowing down clinicians?
A: Hospitals should place MFA inside the clinical workflow, not outside it. The best designs support fast re-authentication, shared-device use, and automatic session control so clinicians can move between tasks without repeated interruptions. If users face friction at every step, they will adopt workarounds that weaken both accountability and security.
Q: Why do shared workstations make healthcare access control harder?
A: Shared workstations make access control harder because the same device can serve several clinicians in quick succession. That means identity binding, session locking, and auditability have to survive frequent handoffs without creating delays. A control model built for one person, one device, and one session will break in this environment.
Q: What should security teams look for in passwordless healthcare access?
A: They should look for secure enrollment, strong authenticator binding, and application-level integration. Passwordless only works when the identity proofing step is trusted and the login method fits clinical work. Without those controls, passwordless replaces passwords but does not remove access risk.
Q: How do organisations know if clinical MFA is actually working?
A: They know it is working when access is both secure and nearly invisible to clinicians. Good signals include fewer workarounds, fewer login interruptions, reliable audit trails, and smoother access across shared devices and EHR workflows. If users are bypassing the control, the programme is failing operationally even if logins succeed.
Technical breakdown
Why generic MFA breaks in shared clinical workflows
Generic MFA assumes a relatively stable user-device relationship and enough time to interrupt work for repeated prompts. In a hospital, that assumption fails because clinicians rotate between shared endpoints, task-driven sessions, and patient-facing interruptions. The control problem is not whether MFA exists, but whether it can re-authenticate fast enough, maintain session continuity, and still preserve accountability when multiple people use the same device. In practice, access methods that are too slow push users toward unsafe shortcuts, which undermines both security and care delivery.
Practical implication: design re-authentication flows around clinical workflow speed, not around a desktop login baseline.
EHR integration changes authentication from a gate to a control
When MFA is integrated directly into EHR and clinical application flows, authentication becomes part of the access lifecycle rather than a separate hurdle. That allows session lock, tap-in access, witnessed actions, and role-aware policy enforcement to happen in the same operational context as patient care. The architecture matters because security controls that sit outside the application tend to be bypassed, while controls embedded into the workflow can maintain traceability without forcing extra steps on clinicians. This is where human IAM and application access governance meet.
Practical implication: prioritize application-integrated authentication over perimeter MFA overlays for clinical systems.
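The two sections above describe what a shared clinical endpoint needs from its session control: one accountable person bound to every action, a lock rather than an inherited session when a different clinician taps in, and a fast resume path for the same clinician returning moments later. The Python model below is an added example, not Imprivata's code or any product's API; the badge directory, the PIN as second factor and the 300-second grace window are constructed assumptions.

```python
"""Shared-workstation session controller (added example; not Imprivata's
code or any product's API; badge directory, PIN factor and grace window
are constructed assumptions).

It encodes the three properties the text asks of clinical MFA on a shared
endpoint:
  * identity binding  - every session and every audited action names one person
  * session locking   - a tap by a different clinician locks the current session
                        instead of inheriting it
  * fast re-auth      - the same clinician returning within the grace window
                        resumes with a badge tap alone; outside it, or for a
                        new person, the second factor is required again
"""
from dataclasses import dataclass, field
from typing import Optional

GRACE_SECONDS = 300  # assumed window for tap-only resume after a lock

# Constructed badge directory: badge id -> (user id, PIN).  A real system
# holds a verified enrollment record, never a plaintext PIN.
BADGES = {
    "BADGE-A1": ("dr.ahmed", "1234"),
    "BADGE-B2": ("nurse.bo", "5678"),
}


@dataclass
class Session:
    user: str
    locked: bool = False
    locked_at: Optional[float] = None


@dataclass
class Workstation:
    name: str
    session: Optional[Session] = None
    audit: list = field(default_factory=list)

    def _log(self, t, event, user, **extra):
        self.audit.append({"t": t, "ws": self.name, "event": event, "user": user, **extra})

    def tap_in(self, badge, t, pin=None):
        """Badge tap, optionally with PIN. Returns 'resumed', 'full_mfa' or 'denied'."""
        if badge not in BADGES:
            self._log(t, "tap_denied", None, badge=badge)
            return "denied"
        user, expected_pin = BADGES[badge]
        s = self.session
        # Handoff: someone else's session is on this device -> lock it first.
        # It stays locked until the new person completes full MFA.
        if s and s.user != user:
            self.lock(t)
        # Fast path: same person, locked inside the grace window.
        if s and s.user == user and s.locked and t - s.locked_at <= GRACE_SECONDS:
            s.locked, s.locked_at = False, None
            self._log(t, "resume", user)
            return "resumed"
        # Slow path: new person, or grace expired -> second factor required.
        if pin != expected_pin:
            self._log(t, "mfa_failed", user)
            return "denied"
        self.session = Session(user=user)   # replaces any previous (locked) session
        self._log(t, "login", user)
        return "full_mfa"

    def lock(self, t):
        """Walk-away or handoff: freeze the session without ending it."""
        if self.session and not self.session.locked:
            self.session.locked = True
            self.session.locked_at = t
            self._log(t, "lock", self.session.user)

    def act(self, action, t):
        """Audited EHR action; refused unless an unlocked session is bound."""
        s = self.session
        if not s or s.locked:
            self._log(t, "action_refused", s.user if s else None, action=action)
            return False
        self._log(t, "action", s.user, action=action)
        return True
```

The design choice worth noting is that a handoff tap never silently takes over the previous session: it locks it, and the newcomer must complete the second factor before a fresh session bound to their own identity replaces it. Every entry in `audit` therefore carries the user the action was taken as, which is the traceability the text says has to survive frequent handoffs.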
Passwordless only works when enrollment is trustworthy
Passwordless access is often presented as a usability win, but in healthcare it only holds if the enrolled authenticator is bound to a verified person. Secure enrollment is the trust anchor: if identity proofing is weak, every later authentication step inherits that weakness. The article notes NIST Identity Assurance Level 3-aligned enrollment approaches, which reflects the wider principle that frontline convenience cannot come at the expense of verified identity binding, auditability, and controlled authenticator issuance. Without that foundation, passwordless becomes credential reshuffling rather than genuine access improvement.
Practical implication: treat authenticator enrollment as a high-assurance control point, not an administrative step.
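To make the trust-anchor argument concrete, the following Python example shows an enrollment registry that refuses to issue an authenticator unless the person's identity-proofing record meets a required assurance level, and that carries that level into every later authentication result. It is an added example, not Imprivata's implementation; the IAL threshold, the identifiers and the HMAC-based stand-in for a hardware authenticator are constructed.

```python
"""Enrollment as the trust anchor for passwordless access (added example,
not Imprivata's implementation; the IAL threshold, identifiers and the
HMAC stand-in for a hardware authenticator are all constructed).

A challenge-response login can only prove "the enrolled key signed this
challenge".  Who that key belongs to was decided once, at enrollment, so
the registry refuses to issue an authenticator unless the person's
identity-proofing record meets the required assurance level, and it
carries that level into every authentication result.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

REQUIRED_IAL = 3  # assumed policy: IAL3-aligned proofing before issuance


@dataclass
class ProofingRecord:
    person_id: str
    ial: int          # identity assurance level achieved at proofing
    proofed_by: str   # who performed the proofing (audit accountability)


@dataclass
class Enrollment:
    person_id: str
    key: bytes        # binding material captured at issuance
    ial_at_issuance: int
    issued_by: str
    revoked: bool = False


class Authenticator:
    """Stand-in for a hardware token: holds a secret and signs challenges.
    A real deployment would register a public key; a shared HMAC key keeps
    this example self-contained."""

    def __init__(self, authenticator_id: str):
        self.id = authenticator_id
        self._key = secrets.token_bytes(32)

    def binding_material(self) -> bytes:
        return self._key

    def sign(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class EnrollmentRegistry:
    def __init__(self):
        self.proofing: dict = {}     # person_id -> ProofingRecord
        self.enrollments: dict = {}  # authenticator_id -> Enrollment
        self.audit: list = []

    def record_proofing(self, rec: ProofingRecord):
        self.proofing[rec.person_id] = rec
        self.audit.append(("proofed", rec.person_id, rec.ial, rec.proofed_by))

    def enroll(self, auth: Authenticator, person_id: str, issued_by: str) -> bool:
        rec = self.proofing.get(person_id)
        if rec is None or rec.ial < REQUIRED_IAL:
            # Weak or missing proofing: refuse now, because nothing later in
            # the chain can establish who this authenticator represents.
            self.audit.append(("enroll_refused", auth.id, person_id, issued_by))
            return False
        current = self.enrollments.get(auth.id)
        if current and not current.revoked:
            # One authenticator must never resolve to two people.
            self.audit.append(("enroll_refused_bound", auth.id, person_id, issued_by))
            return False
        self.enrollments[auth.id] = Enrollment(person_id, auth.binding_material(), rec.ial, issued_by)
        self.audit.append(("enrolled", auth.id, person_id, issued_by))
        return True

    def revoke(self, authenticator_id: str, by: str):
        e = self.enrollments.get(authenticator_id)
        if e:
            e.revoked = True
            self.audit.append(("revoked", authenticator_id, e.person_id, by))

    @staticmethod
    def new_challenge() -> bytes:
        return secrets.token_bytes(16)

    def authenticate(self, authenticator_id: str, challenge: bytes, response: bytes) -> Optional[tuple]:
        """Return (person_id, ial_at_issuance) on success, else None.  The IAL
        travels with the result so downstream policy can demand high-assurance
        enrollment for sensitive actions."""
        e = self.enrollments.get(authenticator_id)
        if e is None or e.revoked:
            self.audit.append(("auth_refused", authenticator_id, "unknown_or_revoked"))
            return None
        expected = hmac.new(e.key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            self.audit.append(("auth_refused", authenticator_id, "bad_response"))
            return None
        self.audit.append(("auth_ok", authenticator_id, e.person_id, e.ial_at_issuance))
        return (e.person_id, e.ial_at_issuance)
```

Two simplifications are deliberate: the registry does not track issued challenges (a production verifier would reject a replayed one), and the key is symmetric for brevity. Neither changes the point: `authenticate` can only ever say which enrollment signed the challenge, so the assurance of the person behind it is fixed at `enroll`, which is why the gate lives there.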
NHI Mgmt Group analysis
Purpose-built clinical authentication is a human IAM governance problem, not a feature preference. The article is really about whether access controls can survive the realities of shared devices, device handoff, and nonstop clinical movement. Generic MFA fails because it optimises for office workflows, not for care delivery. The practitioner conclusion is that healthcare identity design must be evaluated against the workflow it serves, not against checkbox authentication coverage.
Shared-workstation access exposes the boundary between security policy and operational reality. In healthcare, the same endpoint may serve multiple users in a short time window, so the access model has to preserve traceability without demanding excessive friction. That makes session control, fast step-up, and reliable user binding more important than simple factor count. The practitioner conclusion is that access governance for shared endpoints must be designed as a workflow control, not a static login control.
Secure enrollment is the control that determines whether passwordless access is trustworthy at all. Enrollment was designed for a stable, verified human identity. That assumption fails when authenticator issuance is casual, because the system then trusts the wrong person for the life of the credential. The implication is that healthcare teams must rethink where trust is created in the authentication chain, because later MFA steps cannot repair weak identity proofing.
Clinical access management should be measured by interruption avoided, not just access granted. Security leaders often count successful authentications, but that misses the real governance signal in healthcare: whether the control preserved care continuity while maintaining accountability. Fast tap-in access, automatic lock, and role-aware policy are valuable only if they reduce unsafe workarounds. The practitioner conclusion is that success metrics should include workflow friction and bypass behaviour, not only authentication completion rates.
From our research:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- A separate finding from the same research shows that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility.
- That confidence gap matters here because healthcare teams that tune access for usability must still preserve identity assurance, lifecycle control, and auditability across human, machine, and application access paths.
What this signals
Clinical authentication will keep converging with identity assurance, not just factor selection. Healthcare teams that treat MFA as a standalone control will keep missing the operational point. The real design problem is binding trustworthy identity proofing to low-friction access in workflows that cannot stop for repetitive prompts.
Purpose-built access control is becoming a governance requirement, not a user-experience enhancement. When the login flow slows care, clinicians invent their own bypasses. That means security leaders need to measure access friction as a control failure mode, especially across shared devices and high-turnover clinical environments.
With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, per The State of Non-Human Identity Security, the wider lesson is that access governance breaks when trust is assumed rather than continuously verified.
For practitioners
- Map authentication to clinical workflow steps: Document where clinicians authenticate, re-authenticate, hand off devices, and access EHR workflows so control design reflects actual care patterns. Use the map to find points where generic MFA forces unsafe shortcuts.
- Treat enrollment as the highest-trust control point: Require strong identity proofing and auditable authenticator issuance before enabling passwordless or advanced MFA flows. If enrollment is weak, the rest of the access chain inherits that weakness.
- Embed access controls into EHR and clinical apps: Move from stand-alone login prompts to workflow-integrated controls that support tap-in access, session locking, and role-aware approvals inside the application path.
- Measure friction alongside authentication success: Track workarounds, repeated login attempts, and session interruptions as governance signals. If clinicians bypass controls, the access model is no longer serving either security or patient care.
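The last step, measuring friction and bypass behaviour, only works if someone turns access logs into those signals. The Python below is an added example, not from the original post or any vendor; the log line format, the sample lines and the thresholds are constructed for illustration. It extracts three of the signals named above: short-interval re-logins (interruptions), bursts of failed second-factor attempts (repeated login attempts), and one account bound to several workstations at once (a common workaround to a prompt that is too slow to repeat).

```python
"""Friction and bypass signals from clinical access logs (added example;
the log format, sample lines and thresholds are constructed).

  * short re-auths : full logins that follow the same user's lock on the
                     same workstation within 10 minutes -> interruptions a
                     tap-to-resume path should have absorbed
  * retry bursts   : >= 3 failed MFA attempts by one user on one workstation
                     inside 60 seconds -> the prompt is failing the workflow
  * shared logins  : one account bound to more than 2 workstations at once
                     -> likely credential sharing, i.e. a bypass
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(\S+) ws=(\S+) user=(\S+) event=(\S+)$")

# Constructed sample log, one event per line.
SAMPLE_LOG = """\
2025-11-04T08:00:05 ws=ED-3 user=dr.ahmed event=login
2025-11-04T08:00:40 ws=ED-3 user=dr.ahmed event=lock
2025-11-04T08:05:00 ws=ED-3 user=dr.ahmed event=login
2025-11-04T08:06:10 ws=ED-3 user=dr.ahmed event=lock
2025-11-04T08:09:30 ws=ED-3 user=dr.ahmed event=login
2025-11-04T08:15:00 ws=ED-4 user=dr.ahmed event=login
2025-11-04T08:15:30 ws=ED-5 user=dr.ahmed event=login
2025-11-04T08:20:00 ws=ED-4 user=nurse.bo event=mfa_failed
2025-11-04T08:20:07 ws=ED-4 user=nurse.bo event=mfa_failed
2025-11-04T08:20:15 ws=ED-4 user=nurse.bo event=mfa_failed
2025-11-04T08:20:30 ws=ED-4 user=nurse.bo event=login
2025-11-04T08:40:00 ws=ED-3 user=dr.ahmed event=logout
"""


def parse(text):
    """Return [(datetime, ws, user, event)] sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, ws, user, event = m.groups()
            events.append((datetime.fromisoformat(ts), ws, user, event))
    events.sort(key=lambda e: e[0])
    return events


def short_reauths(events, within=timedelta(minutes=10)):
    """Count per user the full logins that follow that user's own lock on the
    same workstation within `within`."""
    last_lock, counts = {}, defaultdict(int)
    for t, ws, user, event in events:
        if event == "lock":
            last_lock[(ws, user)] = t
        elif event == "login":
            lk = last_lock.pop((ws, user), None)
            if lk is not None and t - lk <= within:
                counts[user] += 1
    return dict(counts)


def retry_bursts(events, window=timedelta(seconds=60), min_failures=3):
    """(user, ws, time) for each run of >= min_failures failed MFA attempts
    by one user on one workstation inside `window`."""
    recent, bursts = defaultdict(list), []
    for t, ws, user, event in events:
        if event != "mfa_failed":
            continue
        q = recent[(ws, user)]
        q.append(t)
        while q and t - q[0] > window:   # drop failures outside the window
            q.pop(0)
        if len(q) == min_failures:       # report once when the threshold is crossed
            bursts.append((user, ws, t))
    return bursts


def shared_logins(events, max_workstations=2):
    """(user, count, time) for each login that leaves one account bound to
    more than max_workstations endpoints at the same time."""
    bound, flags = {}, []                # ws -> user currently bound to it
    for t, ws, user, event in events:
        if event == "login":
            bound[ws] = user             # a new login displaces whoever held this ws
            n = sum(1 for u in bound.values() if u == user)
            if n > max_workstations:
                flags.append((user, n, t))
        elif event == "logout" and bound.get(ws) == user:
            del bound[ws]
    return flags


def analyze(text):
    events = parse(text)
    return {
        "short_reauths": short_reauths(events),
        "retry_bursts": retry_bursts(events),
        "shared_logins": shared_logins(events),
    }


if __name__ == "__main__":
    for name, value in analyze(SAMPLE_LOG).items():
        print(name, value)
```

On the sample data, `analyze` reports two short re-logins for one clinician on one bay, one burst of failed second-factor attempts, and one account held on three workstations at once. Each of those is a governance signal in the sense the text uses: a successful login count alone would have shown nothing wrong.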
Key takeaways
- Healthcare authentication fails when generic MFA is forced onto clinical workflows that depend on speed, handoffs, and shared devices.
- Secure enrollment is the trust anchor for passwordless access, because weak identity proofing undermines every later authentication decision.
- Clinical IAM programmes should judge success by reduced friction and preserved accountability, not by login completion alone.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | IAL3 | Secure enrollment in healthcare MFA maps directly to high-assurance identity proofing. |
| NIST CSF 2.0 | PR.AA-01 | Access identity verification and authentication are central to clinical workflow security. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Least-privilege access and continuous verification matter in shared clinical environments. |
Use high-assurance identity proofing before enabling passwordless or advanced clinical authentication.
Key terms
- Purpose-Built MFA: Multi-factor authentication designed around a specific operating environment rather than a generic login pattern. In healthcare, that means supporting shared devices, fast re-authentication, and clinical workflow integration without forcing users into workarounds that weaken security.
- Secure Enrollment: The identity proofing and authenticator issuance step that establishes trust before a user can authenticate. In clinical settings, weak enrollment undermines passwordless access because every later login depends on the original binding between the person and the authenticator.
- Shared-Device Authentication: An access model where multiple users authenticate on the same endpoint across different shifts or tasks. It requires strong session control, reliable user binding, and auditability so the device can move safely between clinicians without losing accountability.
- Workflow-Integrated Access Control: Authentication and authorization controls embedded directly into the application or task flow rather than added as a separate barrier. This approach reduces friction in clinical environments while preserving traceability for high-risk actions and patient-facing work.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Imprivata: purpose-built MFA for healthcare workflows. Read the original.
Published by the NHIMG editorial team on 2025-11-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org