TL;DR: HIPAA’s proposed Security Rule would make MFA explicit across systems that create, receive, maintain, or transmit ePHI, with limited exceptions, and it points healthcare teams toward phishing-resistant methods such as passkeys and security keys, according to Authsignal. Password-only access and SMS-based fallback strategies are becoming harder to defend as durable healthcare identity controls.
NHIMG editorial — based on content published by Authsignal: HIPAA MFA requirements and what to do before the final rule lands
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: How should healthcare teams implement MFA for ePHI access without breaking clinical workflows?
A: Start by separating routine access from high-risk access.
Q: Why is SMS not a durable long-term MFA strategy for healthcare identity?
A: SMS is better than password-only access, but it remains vulnerable to interception, SIM swap, and social engineering.
Q: What breaks when healthcare systems rely on addressable authentication exceptions too long?
A: The programme starts to fragment.
Practitioner guidance
- Map every ePHI touchpoint to an authentication state Document whether each system uses SSO, local passwords, MFA, shared access, or vendor-managed login, then identify where authentication evidence is missing.
- Prioritise phishing-resistant MFA for privileged and remote access Move admin accounts, remote portals, and high-volume ePHI paths onto passkeys or hardware security keys before expanding to lower-risk workflows.
- Define step-up triggers around sensitive actions Trigger stronger authentication for privilege changes, unusual devices, suspicious locations, and large data exports so clinical work stays usable.
What's in the full article
Authsignal's full blog post covers the operational detail this post intentionally leaves for the source:
- A practical breakdown of how the proposed HIPAA MFA rule maps to healthcare access patterns across workforce, vendor, and patient-facing systems.
- Specific guidance on passkeys, hardware keys, TOTP, and SMS fallback choices for different healthcare workflows.
- The compliance timing model, including the proposed effective date, transition windows, and what teams should document before final publication.
- Implementation detail on using step-up authentication around risk events such as device changes, data exports, and privileged actions.
👉 Read Authsignal's analysis of HIPAA MFA requirements and healthcare passkeys →
HIPAA MFA and passkeys: what healthcare IAM teams should change?
Explore further
HIPAA MFA is becoming an identity governance problem, not just a login problem. The proposed rule pushes healthcare security teams to treat authentication as a control layer that must be inventoried, evidenced, and risk-scoped across humans, vendors, and clinical systems. Once MFA becomes explicit, the question is no longer whether to add a factor, but how to prove the control applies where ePHI risk is highest.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
A question worth separating out:
Q: Who is accountable when business associates access ePHI without strong MFA?
A: The covered entity remains accountable for the access path, even when the third party operates the system. Business associate agreements, evidence collection, and access reviews need to show that vendors use the same authentication standard or an approved compensating control. Accountability does not transfer with the login.
👉 Read our full editorial: HIPAA MFA requirements are shifting healthcare identity design