Multi-Factor Authentication for Healthcare



Multi-factor authentication (MFA), often called two-factor authentication (2FA) when exactly two factors are used, is one of the most effective security controls you can implement at your healthcare organization. It makes security and business sense at any organization, but it is especially important for those handling ePHI. MFA protects accounts where a password is otherwise the only line of defense. We talk a lot about secure passwords at Matterform, but threats like social engineering and password reuse mean a password alone is not enough for any account that is reachable from the internet.

Where to prioritize multi-factor authentication

We recommend that any internet-accessible account that stores, transmits, or accesses ePHI be protected by multi-factor authentication. Sometimes business realities get in the way of this goal. Implementing MFA takes time and money, so you have to prioritize the systems that carry the highest risk.

Email: you may think there is no PHI in your email, but we can guarantee there is some. PHI is like an oil slick: it gets everywhere. Email is also a high-risk system because it is the usual entry point for social engineering attacks and is often the front door to a larger cloud environment (the same credentials typically unlock file storage, calendars, and password resets for other systems). Any enterprise email service will let you roll out MFA one account at a time, so start with the highest-risk accounts: your leadership, your providers, and anyone with administrative rights.

VPN: if your healthcare organization has a more traditional infrastructure where you host email on-premises, then chances are you also have a VPN. Protecting your VPN with multi-factor authentication means the on-premises services behind it inherit that protection whenever staff access your systems remotely. One caveat: this only holds for services that are reachable solely through the VPN. Anything exposed directly to the internet, such as remote desktop, webmail, or a patient portal, still needs its own MFA.


If multi-factor authentication is so important, why doesn’t HIPAA mention it?

Multi-factor authentication is nowhere to be found in the HIPAA implementation specifications, even though other high-value controls such as encryption are. As a result, some compliance officers overlook MFA, but this is a mistake. Remember, HIPAA is technology neutral. HIPAA is also old: it was enacted in 1996, a year before the first Wi-Fi standard (802.11) was even published. The threat landscape in healthcare is constantly evolving, and it would be impossible for HIPAA to keep up. This is why it is so important to incorporate not only HIPAA standards but NIST standards into your annual security risk assessment. NIST SP 800-63B, a solid reference for authentication best practices, requires MFA for its Authenticator Assurance Level 2 and above.

Not all my staff have organization-issued smartphones. How can I get a second factor of authentication?

An inexpensive and secure way to implement MFA without buying your whole staff smartphones is to purchase USB authenticators: small hardware security keys that act as a second factor (something you have) alongside a password (something you know). These keys can be kept on a key chain or clipped to a building badge. You can also have users authenticate with their personal smartphones, but you should ensure you have a Bring Your Own Device (BYOD) policy in place first. Matterform has model language for a BYOD policy that you can deploy within 30 days; contact us to learn more.

What if the VPN implementations I’ve looked at are too expensive?

Many commercial MFA add-ons for VPNs are prohibitively expensive and may tempt you to write off MFA entirely. There are less expensive options. One is certificate-based authentication: enroll each organization-owned workstation with its own unique client certificate, so the VPN accepts a connection only when both the user's password and a certificate issued by your own certificate authority are presented. At Matterform, we are happy to look at any quote you may have and tell you whether you are getting a fair deal.

But my organization has shared accounts. How do we implement multi-factor authentication on those?

You may have a shared mailbox for admin staff, or maybe all your medical assistants log into the same EHR account to handle medication refills. Remember, HIPAA requires unique user identification for every person who accesses ePHI, so you should get rid of shared accounts right away. In the meantime, there are some things you can do: for your email system, implement MFA on the non-shared accounts first; for your EHR, consider buying more licenses so each user gets an account of their own.

But what if the second factor is breached?

It is unlikely, but it can happen. Having more than one factor of authentication does not make an account 100% secure, and not all second factors are created equal. Codes sent by SMS can be intercepted through SIM swapping; one-time codes from an authenticator app can be captured by a convincing lookalike login page and relayed to the real site within their short validity window; push notifications can be approved by a tired user who did not initiate the login. Hardware security keys that use FIDO2/WebAuthn resist phishing because the key's response is bound to the website it was actually talking to. Multi-factor authentication is not perfect, but it is one of the best controls we have.


Multi-factor authentication improves your cyber security by adding an extra layer of protection to sensitive online accounts. The National Institute of Standards and Technology calls for MFA, you can implement it without organization-owned smartphones, and you can implement it cheaply. Focus on email and VPN first.

Watch this video in our HIPAA for Humans series to hear our founder and senior risk analyst Michael Herrick discuss Multi-factor authentication.
