TL;DR: Generic MFA fails in clinical settings because shared workstations, device handoffs, and time-critical workflows require fast, repeatable re-authentication and tight EHR integration, according to Imprivata. Healthcare access security only works when authentication is designed around clinician operations, not adapted after the fact.
NHIMG editorial — based on content published by Imprivata: purpose-built MFA for healthcare workflows
Questions worth separating out
Q: How should hospitals implement MFA without slowing down clinicians?
A: Hospitals should place MFA inside the clinical workflow, not outside it.
Q: Why do shared workstations make healthcare access control harder?
A: Shared workstations make access control harder because the same device can serve several clinicians in quick succession, so a session opened by one clinician is available to the next unless each handoff forces a fast re-authentication.
Q: What should security teams look for in passwordless healthcare access?
A: They should look for secure enrollment, strong authenticator binding, and application-level integration.
Practitioner guidance
- Map authentication to clinical workflow steps: document where clinicians authenticate, re-authenticate, hand off devices, and access EHR workflows so control design reflects actual care patterns.
- Treat enrollment as the highest-trust control point: require strong identity proofing and auditable authenticator issuance before enabling passwordless or advanced MFA flows.
- Embed access controls into EHR and clinical apps: move from stand-alone login prompts to workflow-integrated controls that support tap-in access, session locking, and role-aware approvals inside the application path.
What's in the full article
Imprivata's full interview covers the operational detail this post intentionally leaves for the source:
- Specific clinician workflow examples for badge tap, facial recognition, and PIN-based access patterns
- How the platform integrates authentication into EHR, virtual desktop, and clinical application workflows
- Details on secure enrollment and NIST Identity Assurance Level 3 alignment for authenticators
- Examples of compliant support for witnessing, e-prescribing, and audit logging in healthcare settings
👉 Read Imprivata's interview on purpose-built MFA for healthcare workflows →
Healthcare MFA for clinicians: what breaks with generic access?
Explore further
Purpose-built clinical authentication is a human IAM governance problem, not a feature preference. The article is really about whether access controls can survive the realities of shared devices, device handoff, and nonstop clinical movement. Generic MFA fails because it optimises for office workflows, not for care delivery. The practitioner conclusion is that healthcare identity design must be evaluated against the workflow it serves, not against checkbox authentication coverage.
A few things that frame the scale:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- A separate finding from the same research shows that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility.
A question worth separating out:
Q: How do organisations know if clinical MFA is actually working?
A: They know it is working when access is both secure and nearly invisible to clinicians. Good signals include fewer workarounds, fewer login interruptions, reliable audit trails, and smoother access across shared devices and EHR workflows. If users are bypassing the control, the programme is failing operationally even if logins succeed.
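As an added example, not taken from the Imprivata interview or this editorial, the following script turns the signals in the answer above, together with the shared-workstation handoff problem described earlier, into checks over an authentication audit trail. The log line format, the event names (badge_tap, password_login, session_lock, logout, ehr_access), the workstation and user names and the sample lines are all constructed for the illustration and are not any vendor's log schema. It flags EHR access by a user who never authenticated on that workstation since the previous session ended (a handoff without re-authentication, the classic workaround), measures how often logins fall back from badge tap to a typed password, and lists users forced to re-authenticate repeatedly inside a short window.

```python
"""Score clinical MFA audit events for the operational signals discussed above.

Added illustration only: the field layout, event names and SAMPLE_LOG are
assumptions made for this example, not a real product's audit format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail for part of one shift on two shared workstations.
# Assumed line format: ISO timestamp, workstation, event, user.
SAMPLE_LOG = """\
2024-05-01T07:00:00 WS-ICU-01 badge_tap alice
2024-05-01T07:00:05 WS-ICU-01 ehr_access alice
2024-05-01T07:09:00 WS-ICU-01 session_lock alice
2024-05-01T07:09:30 WS-ICU-01 badge_tap bob
2024-05-01T07:09:35 WS-ICU-01 ehr_access bob
2024-05-01T07:20:00 WS-ICU-01 ehr_access carol
2024-05-01T07:25:00 WS-ICU-01 logout carol
2024-05-01T07:30:00 WS-ER-02 password_login dave
2024-05-01T07:30:10 WS-ER-02 ehr_access dave
2024-05-01T07:31:00 WS-ER-02 session_lock dave
2024-05-01T07:32:00 WS-ER-02 password_login dave
2024-05-01T07:34:00 WS-ER-02 session_lock dave
2024-05-01T07:36:00 WS-ER-02 password_login dave
2024-05-01T07:40:00 WS-ER-02 logout dave
"""

AUTH_EVENTS = {"badge_tap", "password_login"}
END_EVENTS = {"session_lock", "logout"}


def parse_log(text):
    """Parse the assumed whitespace-separated format into sorted tuples."""
    events = []
    for line in text.splitlines():
        ts, ws, ev, user = line.split()
        events.append((datetime.fromisoformat(ts), ws, ev, user))
    events.sort()
    return events


def unauthenticated_handoffs(events):
    """Return (workstation, session_owner, accessing_user, ts) for each EHR
    access by a user who did not authenticate on that workstation since the
    previous session ended: the next clinician is working inside someone
    else's session, which is the workaround a shared device invites."""
    owner = {}  # workstation -> user who last authenticated, None once locked
    findings = []
    for ts, ws, ev, user in events:
        if ev in AUTH_EVENTS:
            owner[ws] = user
        elif ev in END_EVENTS:
            owner[ws] = None
        elif ev == "ehr_access" and owner.get(ws) != user:
            findings.append((ws, owner.get(ws), user, ts))
    return findings


def password_fallback_rate(events):
    """Share of authentications that fell back to a typed password instead of
    the badge tap the workflow is built around; a rising rate means the fast
    path is failing clinicians."""
    auths = [ev for _, _, ev, _ in events if ev in AUTH_EVENTS]
    if not auths:
        return 0.0
    return sum(1 for ev in auths if ev == "password_login") / len(auths)


def reauth_churn(events, window=timedelta(minutes=15), threshold=3):
    """Users who authenticated `threshold` or more times within any `window`:
    the 'login interruptions' signal. Returns user -> peak count in a window."""
    per_user = defaultdict(list)
    for ts, _, ev, user in events:
        if ev in AUTH_EVENTS:
            per_user[user].append(ts)
    churn = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                churn[user] = max(churn.get(user, 0), count)
    return churn


def score(text):
    """Run all three checks over a log and return their results together."""
    events = parse_log(text)
    return {
        "handoffs": unauthenticated_handoffs(events),
        "password_fallback_rate": password_fallback_rate(events),
        "reauth_churn": reauth_churn(events),
    }


if __name__ == "__main__":
    for name, value in score(SAMPLE_LOG).items():
        print(name, value)
```

On the constructed sample this reports one handoff without re-authentication (carol using bob's session on WS-ICU-01), a 60% password fallback rate, and dave authenticating three times inside fifteen minutes. The window and threshold are arbitrary starting points; the useful version of this check trends each number per unit and per shift so that a workflow change shows up as a change in the curve rather than as a single alert.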
👉 Read our full editorial: Purpose-built MFA for healthcare: why generic access fails